Cert-manager migration playbook rename

As result of renaming the cert-manager migration playbook to update_platform_certificates.yml, some references to it had to be updated as well. Also, reworded some statements related to a bug already fixed (https://bugs.launchpad.net/starlingx/+bug/2047652). Since the bug is fixed, targeting 'localhost' is not a must anymore, although it's still recommended to ensure consistency. Story: 2009811 Task: 49435 Change-Id: Ibcdabe51e5e5c499e628629627c59ab05d434e65 Signed-off-by: Marcelo Loebens <Marcelo.DeCastroLoebens@windriver.com>
2024-01-19 16:01:51 -04:00 · 2024-01-19 16:01:51 -04:00 · 84def1b2a4
commit 84def1b2a4
parent b517a5fdfb
2 changed files with 21 additions and 16 deletions
--- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
+++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
@ -101,19 +101,26 @@ playbook are:
        use in an Intermediate |CA|.

        The duration of the Intermediate CA public certificate and private key
-        pair should be at least 3 years.  See *ca_duration* to modify this
-        semantic check.
+        pair should be at least 3 years.  See *rca_duration/ica_duration* to
+        modify this semantic check.

    ``system_root_ca_cert``
        The public certificate of the Root |CA| that signed
        ``system_local_ca_cert``.

-    ``ca_duration``
-        |CA| duration validation parameter. This will be used against
-        ``system_local_ca_cert`` and ``system_root_ca_cert`` to ensure that
-        they have sufficient duration remaining. It defaults to 3 years, as
-        this is typical for |CA| certificates and this certificate must be
-        renewed manually. Only override if necessary.
+    ``rca_duration``
+        |RCA| duration validation parameter. This will be used against
+        ``system_root_ca_cert`` to ensure that it have sufficient duration
+        remaining. It defaults to 3 years, as this is typical for |CA|
+        certificates and this certificate must be renewed manually. Only
+        override if necessary.
+
+    ``ica_duration``
+        |ICA| duration validation parameter. This will be used against
+        ``system_local_ca_cert`` to ensure that it have sufficient duration
+        remaining. It defaults to 3 years, as this is typical for |CA|
+        certificates and this certificate must be renewed manually. Only
+        override if necessary.

    ``system_platform_certificate.dns_domain``
        The |DNS| domain that will be used to build a full DNS name for the
@ -201,18 +208,16 @@ playbook are:

    .. code-block:: none

-        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml -i migration-inventory.yml --extra-vars "target_list=localhost,subcloud1 mode=update ignore_alarms=yes" --ask-vault-pass
+        ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/update_platform_certificates.yml -i migration-inventory.yml --extra-vars "target_list=localhost,subcloud1 mode=update ignore_alarms=yes" --ask-vault-pass

    .. note::

        - In |prod-dc| systems, the playbook must be run from the System
          Controller, and the ``target_list`` parameter should be used to target
          the desired subclouds.
-        - The ``target_list`` parameter must include localhost within the
+        - The ``target_list`` parameter should include localhost within the
          targeted subcloud, to keep the certificates consistent with the
-          SystemController. In |prod-dc| systems, if localhost is not included
-          in the ``target_list`` parameter, the playbook can fail to install the
-          RCA certificate in the SystemController.
+          SystemController.

    The behavior of the update/migration can be customized using the following
    ``--extra-vars`` parameter options:
@ -227,8 +232,8 @@ playbook are:

    ``target_list``
        * ``localhost``: Will target the localhost (standalone systems or
-          system controller). The ``target_list`` parameter must include at
-          least this value.
+          system controller). The ``target_list`` parameter should include
+          this value to keep consistency with the SystemController.

        * ``subcloud1``, ``subcloud2``: A comma separated list of hosts the
          playbook will target.
--- a/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst
+++ b/doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.rst
@ -24,7 +24,7 @@ SystemController.
 .. note::

  In order to change or renew the ``system-local-ca`` Secret for signing, the
-  ``migrate_platform_certificates_to_certmanager.yml`` playbook MUST BE USED,
+  ``update_platform_certificates.yml`` playbook MUST BE USED,
  see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`.
  This playbook will update the ``system-local-ca`` Secret and Issuer, re-sign
  all of the Platform Certificates using this issuer, and in a Distributed