From 6fe7ee5aa7296e55448cb446c7da68d9cf0fc0a4 Mon Sep 17 00:00:00 2001 From: Ngairangbam Mili Date: Thu, 21 Aug 2025 08:54:37 +0000 Subject: [PATCH] Install Custom Kubernetes Root CA Certificate Story: 2011399 Task: 52686 Change-Id: I6eea2ae16a20b59c448cab98cc2e4c1309265d82 Signed-off-by: Ngairangbam Mili --- .../kubernetes/kubernetes-root-ca-certificate.rst | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst index 2079ff680..5e6d396c8 100644 --- a/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst +++ b/doc/source/security/kubernetes/kubernetes-root-ca-certificate.rst @@ -6,6 +6,15 @@ Install Custom Kubernetes Root CA Certificate ============================================= +.. note:: + + The overrides ``k8s_root_ca_cert``, ``k8s_root_ca_key`` and, + ``apiserver_cert_sans`` are planned to be be discontinued in future releases. + External connections to kube-apiserver go through a proxy which uses the + REST API/GUI certificate, issued by the Platform Issuer (system-local-ca). + For instructions on how to configure the Platform Issuer, see `https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html#platform-issuer-system-local-ca `__. + + By default, the K8S Root |CA| certificate and key are auto-generated and result in the other Kubernetes certificates being signed by an internal not well-known |CA|; for example, for the Kubernetes API server certificate. 
@@ -53,12 +62,12 @@ must be in |PEM| format and the value must be provided as part of a pair with . .. note:: - + Ensure the certificates have RSA key length >= 2048 bits. The |prod-long| Release |this-ver| provides a new version of ``openssl`` which requires a minimum of 2048-bit keys for RSA for better security / encryption strength. - + You can check the key length by running ``openssl x509 -in -noout -text`` and looking for the "Public-Key" in the output. For more information see :ref:`Create Certificates Locally using openssl `.
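Review bot: two wording slips in the new note in the first hunk: "are planned to be be discontinued" doubles "be", and the comma after "and" in "``k8s_root_ca_key`` and, ``apiserver_cert_sans``" should go. The Platform Issuer link is an absolute ``https://docs.starlingx.io/...`` URL to a page in the same docs tree, while the rest of this file links with ``:ref:`` (see the openssl reference in the second hunk); a ``:ref:`` to the Platform Issuer (system-local-ca) section of ansible_bootstrap_configs would keep the link version-correct instead of sending readers of a development build to the published release. Since the page is titled "Install Custom Kubernetes Root CA Certificate" and the note announces that the overrides used to install it are going away, the note should also state what operators are expected to do instead (rely on the Platform Issuer certificate presented by the proxy, and whether a custom internal root CA remains configurable by another route), so the reader is not left with a deprecated procedure and no stated replacement.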
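Review bot: the only change in the second hunk is whitespace (trailing spaces removed from the two blank lines inside the note), which the commit message does not mention; either say so in the message or drop the hunk so the change stays focused on the new note. While this note is being touched: the suggested ``openssl x509 -in ... -noout -text`` check reads the public key size from the certificate, whereas the value supplied as ``k8s_root_ca_key`` is a private key, which can be checked directly with ``openssl rsa -in <key-file> -noout -text`` and reading the key size in its "Private-Key" line; adding that second command would let readers verify both halves of the pair against the 2048-bit minimum.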