starlingx/docs
Code Issues Proposed changes

Front-proxy-client and front-proxy-ca certificates are not documented (r8,dsR8)

Browse Source 
Add front-proxy-client and front-proxy-ca certificates to the list.

Closes-bug: 2019959

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: Ie940da7352e80322c9d462c7cc219ceec879597d
This commit is contained in:
Elisamara Aoki Goncalves
2023-05-16 16:28:58 -03:00
committed by Elisamara Aoki Gonçalves
parent 7681444cc3
commit df8558e7e1
2 changed files with 18 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
doc/source/security/kubernetes/https-access-overview.rst
View File

@@ -33,6 +33,10 @@ in the following sections.
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| kubelet client certificate | Yes | auto-renewed by kubelet feature enabled by default | | kubelet client certificate | Yes | auto-renewed by kubelet feature enabled by default |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| | | |
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+ +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
| etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years | | etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |

17
doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst
View File

@@ -13,9 +13,9 @@ for the external ``kube-apiserver`` API endpoint. By default, the Kubernetes
Root |CA| is automatically generated at install time. Root |CA| is automatically generated at install time.
If desired, you can externally generate a Root |CA| certificate and key, and If desired, you can externally generate a Root |CA| certificate and key, and
configure it as the Kubernetes Root |CA| during installation. Upstream configure it as the Kubernetes Root |CA| during installation. Currently,
Kubernetes (v1.18) only supports a Root |CA| for the Kubernetes Root |CA|; NOT StarlingX supports only Internal |CA| mode with Kubernetes, which only supports
an Intermediate |CA|. a Root |CA| for the Kubernetes Root |CA|, not an Intermediate |CA|.
The public certificate of the Kubernetes Root |CA|, whether auto-generated or The public certificate of the Kubernetes Root |CA|, whether auto-generated or
specified, needs to be configured as a trusted |CA| by external servers specified, needs to be configured as a trusted |CA| by external servers
@@ -123,6 +123,17 @@ one file:
This certificate is configured to auto renew. This certificate is configured to auto renew.
**front-proxy-client certificate**
Client certificates signed by ``front-proxy`` Root |CA| certificate. It is used
by ``apiserver/aggregator`` to connect to aggregated apiserver(extension
APIserver).
**front-proxy-ca certificate**
The ``front-proxy`` Root |CA| certificate. front-proxy certificates are
required only if you run ``kube-proxy`` to support an extension API server.
.. toctree:: .. toctree::
:maxdepth: 1 :maxdepth: 1