starlingx/docs
Code Issues Proposed changes

Merge "Configure REST API Applications and Web Administration Server certificate"

Browse Source
This commit is contained in:
Zuul
2025-09-05 13:55:09 +00:00
committed by Gerrit Code Review
parent 2bb6481c46 d74b3ee06e
commit 4234938b28
2 changed files with 13 additions and 11 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
doc/source/security/kubernetes/configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f.rst
View File

@@ -4,17 +4,18 @@
Configure REST API Applications and Web Administration Server certificate
=========================================================================
|prod| provides support for secure HTTPS external connections used for |prod|
REST API application endpoints (Keystone, Barbican and |prod|) and the |prod|
web administration server.
|prod| provides support for secure HTTPS external connections to the REST API
endpoints for services (see
`https://docs.starlingx.io/api-ref/index.html <https://docs.starlingx.io/api-ref/index.html>`__), the |prod| Web
administration server, and the Kubernetes API server.
During installation, the Platform Issuer (``system-local-ca``) will
automatically issue a certificate used to secure access to the |prod| REST API
and to the Web Server GUI. This allows the system to have HTTPS access enabled
from the bootstrap to the services. This certificate will be stored in a K8s
|TLS| secret in namespace ``deployment``, named
``system-restapi-gui-certificate``. It will be managed by cert-manager, renewed
upon expiration and the required services restarted automatically.
During installation, the Platform Issuer (``system-local-ca``) automatically
issues a certificate to secure access to the REST API endpoints. This allows
the system to have HTTPS access enabled already from the services start up.
This certificate is stored in a Kubernetes |TLS| secret in the namespace
``deployment``, named ``system-restapi-gui-certificate``. The certificate is
renewed automatically by cert-manager upon expiration and the required services
are automatically reconfigured by the platform.
After bootstrap, this certificate's fields can be updated using the procedure
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. The
@@ -22,4 +23,4 @@ certificate will be managed by cert-manager (auto renewed upon expiration).
The certificate will be anchored by ``system-local-ca``'s Root |CA|. For more
information, refer to
:ref:`system-local-ca-issuer-9196c5794834`.
:ref:`system-local-ca-issuer-9196c5794834`.

1
doc/source/shared/abbrevs.txt
View File

@@ -78,6 +78,7 @@
.. |ECDSA| replace:: :abbr:`ECDSA (Elliptic Curve Digital Signature Algorithm)`
.. |ePRTC| replace:: :abbr:`ePRTC (Enhanced Primary Reference Time Clock)`
.. |FEC| replace:: :abbr:`FEC (Forward Error Correction)`
.. |FM| replace:: :abbr:`FM (Fault Manager)`
.. |FPGA| replace:: :abbr:`FPGA (Field Programmable Gate Array)`
.. |FQDN| replace:: :abbr:`FQDN (Fully Qualified Domain Name)`
.. |FQDNs| replace:: :abbr:`FQDNs (Fully Qualified Domain Names)`