HTTPS cert updates
General update to Security/HTTPS and Certificates Management: - reorganization - content updates Implement patchset 1 review comments Implement patchset 2 review comments Closes-Bug: 2028184 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: Iae75785e479c96751fb50a097eba8ed5e6069e94
This commit is contained in:
parent
bc2f3c07ed
commit
f843d3daa4
@ -21,9 +21,7 @@ create a certificate named ``system-registry-local-certificate`` in the
|
|||||||
spec must also be named ``system-registry-local-certificate``.
|
spec must also be named ``system-registry-local-certificate``.
|
||||||
|
|
||||||
See the example procedure below for creating the certificate for the local
|
See the example procedure below for creating the certificate for the local
|
||||||
Docker registry. This example assumes you have configured a
|
Docker registry.
|
||||||
``system-local-ca`` ClusterIssuer as described in
|
|
||||||
:ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`.
|
|
||||||
|
|
||||||
Update the following fields:
|
Update the following fields:
|
||||||
|
|
||||||
@ -83,9 +81,9 @@ Update the following fields:
|
|||||||
|
|
||||||
.. code-block::
|
.. code-block::
|
||||||
|
|
||||||
~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate –n deployment
|
~(keystone_admin)]$ kubectl get certificate system-registry-local-certificate -n deployment
|
||||||
|
|
||||||
If configuration was successful, the certificate’s Ready status will be
|
If configuration was successful, the certificate's Ready status will be
|
||||||
``True``.
|
``True``.
|
||||||
|
|
||||||
#. Update the platform's trusted certificates (i.e. ``ssl_ca``) with the Root
|
#. Update the platform's trusted certificates (i.e. ``ssl_ca``) with the Root
|
||||||
|
@ -20,9 +20,7 @@ in the ``deployment`` namespace. The ``secretName`` attribute of this
|
|||||||
certificate's spec must also be named ``system-restapi-gui-certificate``.
|
certificate's spec must also be named ``system-restapi-gui-certificate``.
|
||||||
|
|
||||||
See the example procedure below for creating the certificate for the StarlingX
|
See the example procedure below for creating the certificate for the StarlingX
|
||||||
REST API and Web Server endpoints. This example assumes you have configured a
|
REST API and Web Server endpoints.
|
||||||
``system-local-ca`` ClusterIssuer as described in
|
|
||||||
:ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`.
|
|
||||||
|
|
||||||
Update the following fields:
|
Update the following fields:
|
||||||
|
|
||||||
|
@ -9,6 +9,17 @@ Create Certificates Locally using cert-manager on the Controller
|
|||||||
You can use :command:`cert-manager` to locally create certificates suitable
|
You can use :command:`cert-manager` to locally create certificates suitable
|
||||||
for use in a lab environment.
|
for use in a lab environment.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
||||||
|
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
||||||
|
strength.
|
||||||
|
|
||||||
|
You can check the key length by running ``openssl x509 -in <the-certificate-file>
|
||||||
|
-noout -text`` and looking for the "Public-Key" in the output. For more
|
||||||
|
information see :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
|
||||||
.. rubric:: |proc|
|
.. rubric:: |proc|
|
||||||
|
|
||||||
#. Create a Root |CA| Certificate and Key.
|
#. Create a Root |CA| Certificate and Key.
|
||||||
|
@ -6,12 +6,18 @@
|
|||||||
HTTPS and Certificates Management Overview
|
HTTPS and Certificates Management Overview
|
||||||
==========================================
|
==========================================
|
||||||
|
|
||||||
Certificates are heavily used for secure HTTPS access and authentication on
|
Certificates are required for secure HTTPS access and authentication on |prod|
|
||||||
|prod| platform. This table lists the major certificates being used in the
|
platform.
|
||||||
system, and indicates which certificates are automatically created/renewed by
|
|
||||||
the system versus which certificates must be manually created/renewed by the
|
This table lists all the platform certificates, and indicates which
|
||||||
system administrator. Details on manual management of certificates can be found
|
certificates are automatically created/renewed by the system versus which
|
||||||
in the following sections.
|
certificates must be manually created/renewed by the system administrator.
|
||||||
|
|
||||||
|
Platform certificates that are associated with optional platform components are
|
||||||
|
only present if the optional platform component is configured (e.g. |OIDC|).\
|
||||||
|
|
||||||
|
Platform certificates that are associated with Distributed Cloud are only
|
||||||
|
present on |DC| SystemController systems or |DC| Subclouds.
|
||||||
|
|
||||||
.. table::
|
.. table::
|
||||||
:widths: auto
|
:widths: auto
|
||||||
@ -19,6 +25,18 @@ in the following sections.
|
|||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Certificate | Auto Created | Renewal Status |
|
| Certificate | Auto Created | Renewal Status |
|
||||||
+===========================================================+=============================================================================+========================================================================================================+
|
+===========================================================+=============================================================================+========================================================================================================+
|
||||||
|
| **Etcd:** |
|
||||||
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
|
| etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |
|
||||||
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
|
| etcd server certificate | Yes | auto-renewed by cron job |
|
||||||
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
|
| etcd client certificate | Yes | auto-renewed by cron job |
|
||||||
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
|
| kube-apiserver's etcd client certificate | Yes | auto-renewed by cron job |
|
||||||
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
|
| **Kubernetes:** |
|
||||||
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Kubernetes Root CA Certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. |
|
| Kubernetes Root CA Certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years; MUST be renewed via CLI. |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Cluster Admin client certificate used by kubectl | Yes | auto-renewed by cron job |
|
| Cluster Admin client certificate used by kubectl | Yes | auto-renewed by cron job |
|
||||||
@ -31,58 +49,44 @@ in the following sections.
|
|||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| kube-apiserver's kubelet client certificate | Yes | auto-renewed by cron job |
|
| kube-apiserver's kubelet client certificate | Yes | auto-renewed by cron job |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| kubelet client certificate | Yes | auto-renewed by kubelet feature enabled by default |
|
| kubelet client certificate | Yes | auto-renewed by kubelet. Feature enabled by default |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job |
|
| front-proxy-client | Yes | front-proxy-client: auto-renewed by cron job |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years |
|
| front-proxy-ca | Yes | front-proxy-ca: NOT AUTO-RENEWED; Default expiry is set at 10 years |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **system-local-ca** | Yes | NOT AUTO-RENEWED. MUST be renewed via CLI |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |
|
| **OpenLDAP Server Certificate** | Yes | auto-renewed by system |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| etcd server certificate | Yes | auto-renewed by cron job |
|
| **StarlingX REST API & HORIZON Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| etcd client certificate | Yes | auto-renewed by cron job |
|
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| kube-apiserver's etcd client certificate | Yes | auto-renewed by cron job |
|
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| |
|
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| StarlingX REST API & HORIZON Server Certificate | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
|
|
||||||
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
|
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **Local Registry Server Certificate** | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| Local Registry Server Certificate | Yes (But the auto-created certificate is self-signed and should be changed) | auto-renewed if configured with cert-manager; |
|
|
||||||
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
|
| | | NOT AUTO-RENEWED if configured with :command:`system certificate-install ..`, must be renewed via CLI |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **OIDC:** |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| OpenLDAP Server Certificate | Yes | auto-renewed by system |
|
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| |
|
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| OIDC Client and Dex Server Server Certificate | No | auto-renewed if configured with cert-manager; |
|
| OIDC Client and Dex Server Server Certificate | No | auto-renewed if configured with cert-manager; |
|
||||||
| | | NOT AUTO-RENEWED if configured with an externally generated certificate, CUSTOMER MUST renew via CLI. |
|
| | | NOT AUTO-RENEWED if configured with an externally generated certificate. MUST be renewed via CLI. |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| OIDC Client and Dex Server CA certificate | No | NOT AUTO-RENEWED. CUSTOMER MUST renew via CLIs |
|
| OIDC Client and Dex Server CA certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| OIDC Remote WAD CA Certificate | No | NOT AUTO-RENEWED. CUSTOMER MUST renew via CLIs |
|
| OIDC Remote WAD CA Certificate | No | NOT AUTO-RENEWED. MUST be renewed via CLI. |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **Vault:** |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Vault Server Certificate | Yes | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
|
| Vault Server Certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Vault Root CA certificate | Yes | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
|
| Vault Root CA certificate | Yes | NOT AUTO-RENEWED; MUST be renewed via CLI. |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **Portieris:** |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Portieris Server Certificate | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed |
|
| Portieris Server Certificate | Yes | Auto renewed by cert-manager; BUT CUSTOMER MUST restart Portieris after the certificate is renewed |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Portieris remote registry and notary server CA Certificate| No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
|
| Portieris remote registry and notary server CA Certificate| No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **DC Admin Endpoints:** |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| Root CA DC Admin Endpoint CA Certificate | Yes | auto-renewed |
|
| Root CA DC Admin Endpoint CA Certificate | Yes | auto-renewed |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
@ -90,9 +94,7 @@ in the following sections.
|
|||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| DC Admin Endpoint Server Certificate | Yes | auto-renewed |
|
| DC Admin Endpoint Server Certificate | Yes | auto-renewed |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
| |
|
| **System trusted CA Certificates** | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform |
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
|
||||||
| System trusted CA Certificates | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by the platform |
|
|
||||||
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
+-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
|
||||||
|
|
||||||
Where:
|
Where:
|
||||||
@ -103,30 +105,13 @@ Where:
|
|||||||
- Renewal Status: whether the certificate is renewed automatically by the system
|
- Renewal Status: whether the certificate is renewed automatically by the system
|
||||||
when expiry date approaches.
|
when expiry date approaches.
|
||||||
|
|
||||||
The following sections provide details on managing these certificates.
|
The specific certificates, and details such as expiration date, that are
|
||||||
|
present on a |prod| system can be displayed with a local script, :command:`sudo
|
||||||
|
show-certs.sh`, see :ref:`utility-script-to-display-certificates`.
|
||||||
|
|
||||||
- :ref:`StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server>`
|
|prod| monitors the installed certificates on the system by raising alarms for
|
||||||
|
expired certificates and certificates that will expire soon, see
|
||||||
|
:ref:`alarm-expiring-soon-and-expired-certificates-baf5b8f73009`.
|
||||||
|
|
||||||
- :ref:`Kubernetes Certificates <kubernetes-certificates-f4196d7cae9c>`
|
The following sections also provide details on creating and/or renewing the
|
||||||
|
|prod| platform certificates.
|
||||||
- :ref:`Local Registry Server Certificates <security-install-update-the-docker-registry-certificate>`
|
|
||||||
|
|
||||||
- :ref:`System Trusted CA Certificates <add-a-trusted-ca>`
|
|
||||||
|
|
||||||
For further information about certificates expiration date or other certificates
|
|
||||||
information, see :ref:`Display Certificates Installed on a System <utility-script-to-display-certificates>`.
|
|
||||||
In addition, |prod| monitors the installed certificates on the system by raising
|
|
||||||
alarms for expire-soon certificates and for expired certificates on the system,
|
|
||||||
see :ref:`Expiring-Soon and Expired Certificate Alarms
|
|
||||||
<alarm-expiring-soon-and-expired-certificates-baf5b8f73009>`.
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
Ensure the certificates have RSA key length >= 2048 bits. The
|
|
||||||
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
|
|
||||||
requires a minimum of 2048-bit keys for RSA for better security / encryption
|
|
||||||
strength.
|
|
||||||
|
|
||||||
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
|
||||||
and looking for the "Public-Key" in the output. For more information see
|
|
||||||
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
|
||||||
|
@ -115,10 +115,9 @@ HTTPS Certificate Management
|
|||||||
|
|
||||||
https-access-overview
|
https-access-overview
|
||||||
utility-script-to-display-certificates
|
utility-script-to-display-certificates
|
||||||
starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834
|
|
||||||
kubernetes-certificates-f4196d7cae9c
|
|
||||||
etcd-certificates-c1fc943e4a9c
|
etcd-certificates-c1fc943e4a9c
|
||||||
kubernetes-root-ca-certificate
|
kubernetes-certificates-f4196d7cae9c
|
||||||
|
starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834
|
||||||
configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f
|
configure-rest-api-applications-and-web-administration-server-certificates-after-installation-6816457ab95f
|
||||||
configure-docker-registry-certificate-after-installation-c519edbfe90a
|
configure-docker-registry-certificate-after-installation-c519edbfe90a
|
||||||
oidc-client-dex-server-certificates-dc174462d51a
|
oidc-client-dex-server-certificates-dc174462d51a
|
||||||
@ -127,7 +126,6 @@ HTTPS Certificate Management
|
|||||||
vault-server-certificate-8573125eeea6
|
vault-server-certificate-8573125eeea6
|
||||||
dc-admin-endpoint-certificates-8fe7adf3f932
|
dc-admin-endpoint-certificates-8fe7adf3f932
|
||||||
add-a-trusted-ca
|
add-a-trusted-ca
|
||||||
one-single-root-ca-multiple-server-client-certificates-0692df6ce16d
|
|
||||||
alarm-expiring-soon-and-expired-certificates-baf5b8f73009
|
alarm-expiring-soon-and-expired-certificates-baf5b8f73009
|
||||||
|
|
||||||
************
|
************
|
||||||
|
@ -9,39 +9,12 @@ endpoints.
|
|||||||
|
|
||||||
Kubernetes automatically creates all of its client and server certificates, and
|
Kubernetes automatically creates all of its client and server certificates, and
|
||||||
signs them with a Kubernetes Root |CA|. This includes the server certificate
|
signs them with a Kubernetes Root |CA|. This includes the server certificate
|
||||||
for the external ``kube-apiserver`` API endpoint. By default, the Kubernetes
|
for the external ``kube-apiserver`` API endpoint.
|
||||||
Root |CA| is automatically generated at install time.
|
|
||||||
|
|
||||||
If desired, you can externally generate a Root |CA| certificate and key, and
|
|
||||||
configure it as the Kubernetes Root |CA| during installation. Currently,
|
|
||||||
StarlingX supports only Internal |CA| mode with Kubernetes, which only supports
|
|
||||||
a Root |CA| for the Kubernetes Root |CA|, not an Intermediate |CA|.
|
|
||||||
|
|
||||||
The public certificate of the Kubernetes Root |CA|, whether auto-generated or
|
|
||||||
specified, needs to be configured as a trusted |CA| by external servers
|
|
||||||
connecting to |prod|'s Kubernetes API endpoint (e.g. via a remotely installed
|
|
||||||
``kubectl`` client).
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
Some platform services (sysinv, cert-mon and VIM for example) also use X509
|
|
||||||
certificates to access Kubernetes by HTTPS.
|
|
||||||
|
|
||||||
It is optional that you update the Kubernetes Root |CA| with a custom Root CA
|
|
||||||
certificate and key, generated by yourself, and trusted by your external
|
|
||||||
servers connecting to |prod|’s Kubernetes API endpoint. The |prod|’s Kubernetes
|
|
||||||
Root |CA| certificate and key are configured as part of the bootstrap during
|
|
||||||
installation.
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
You must use a Root |CA| certificate; Intermediate |CA| certificates
|
|
||||||
are not supported by upstream Kubernetes.
|
|
||||||
|
|
||||||
Kubernetes certificates include:
|
Kubernetes certificates include:
|
||||||
|
|
||||||
- Kubernetes Root |CA| Certificate
|
- Kubernetes Root |CA| Certificate
|
||||||
- Cluster admin client certificate used by ``kubectl``
|
- Cluster admin client certificate
|
||||||
- ``kube-controller-manager`` client certificate
|
- ``kube-controller-manager`` client certificate
|
||||||
- ``kube-scheduler`` client certificate
|
- ``kube-scheduler`` client certificate
|
||||||
- ``kube-apiserver`` server certificate
|
- ``kube-apiserver`` server certificate
|
||||||
@ -54,8 +27,29 @@ The Kubernetes Root |CA| certificate signs all the other Kubernetes
|
|||||||
certificates. This is also the |CA| certificate various components use to
|
certificates. This is also the |CA| certificate various components use to
|
||||||
verify server and client certificates signed by the Kubernetes Root |CA|
|
verify server and client certificates signed by the Kubernetes Root |CA|
|
||||||
certificate. For example, applications running in pods use Kubernetes Root |CA|
|
certificate. For example, applications running in pods use Kubernetes Root |CA|
|
||||||
certificate embedded in service account token to verify the ``kube-apiserver``'s
|
certificate embedded in service account token to verify the
|
||||||
server certificate when it makes calls to the kube-apiserver.
|
``kube-apiserver``'s server certificate when it makes calls to the
|
||||||
|
kube-apiserver.
|
||||||
|
|
||||||
|
By default, the Kubernetes Root |CA| is automatically generated at install time.
|
||||||
|
|
||||||
|
If desired, you can externally generate a Root |CA| certificate and key, and
|
||||||
|
configure it as the Kubernetes Root |CA| during installation, see
|
||||||
|
:ref:`kubernetes-root-ca-certificate`.
|
||||||
|
|
||||||
|
.. warning::
|
||||||
|
|
||||||
|
This must be a Root |CA|, not an Intermediate |CA|.
|
||||||
|
|
||||||
|
In a Distributed Cloud system, by default, the Subclouds are deployed with the
|
||||||
|
same Kubernetes Root CA as the SystemController.
|
||||||
|
|
||||||
|
The public certificate of the Kubernetes Root |CA|, whether auto-generated or
|
||||||
|
specified, needs to be configured as a trusted |CA| by external servers
|
||||||
|
connecting to Cloud Platform’s Kubernetes API endpoint (e.g. via a remotely
|
||||||
|
installed kubectl client). The Kubernetes Root |CA| public certificate can be
|
||||||
|
found at ``/etc/kubernetes/pki/ca.crt``.
|
||||||
|
|
||||||
|
|
||||||
Kubernetes Root |CA| certificate and corresponding private key are stored in
|
Kubernetes Root |CA| certificate and corresponding private key are stored in
|
||||||
file system:
|
file system:
|
||||||
@ -64,16 +58,42 @@ file system:
|
|||||||
|
|
||||||
- ``/etc/kubernetes/pki/ca.key``
|
- ``/etc/kubernetes/pki/ca.key``
|
||||||
|
|
||||||
.. note::
|
Updating/Renewing the Kubernetes Root |CA| is a complex process, because it is
|
||||||
|
not only the Root |CA| certificate that needs to be updated, but also all the
|
||||||
|
other Kubernetes certificates signed by it need to be regenerated and updated.
|
||||||
|
See :ref:`manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9` or
|
||||||
|
:ref:`kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d`
|
||||||
|
for information on how to update the Kubernetes Root |CA| certificate.
|
||||||
|
|
||||||
Kubernetes Root |CA| certificate is also embedded in various
|
**Cluster admin client certificate**
|
||||||
configuration files and service account token.
|
|
||||||
|
|
||||||
**Cluster admin client certificate used by kubectl**
|
|
||||||
|
|
||||||
This is the client certificate signed by Kubernetes Root |CA| and embedded in
|
This is the client certificate signed by Kubernetes Root |CA| and embedded in
|
||||||
``/etc/kubernetes/admin.conf``. It is used by kubectl command to identify
|
the ``/etc/kubernetes/admin.conf`` KUBECONFIG file for kubectl. This is used by
|
||||||
itself to the ``kube-apiserver``.
|
internal StarlingX services and users logged in via SSH with sys_protected
|
||||||
|
group permissions, to access kubernetes-admin credentials for kubernetes API or
|
||||||
|
CLI commands.
|
||||||
|
|
||||||
|
This certificate is monitored and auto-renewed by a cronjob, which runs every
|
||||||
|
day at midnight to check if the expiry date is approaching, and renew the
|
||||||
|
certificate if the expiry date is within 15 days.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
If the cronjob certificate renewal fails, a 250.003 alarm will be raised:
|
||||||
|
|
||||||
|
* Kubernetes certificates have been renewed but not all services have been
|
||||||
|
updated.
|
||||||
|
|
||||||
|
For this alarm, controller nodes need to lock/unlock for the services to
|
||||||
|
take the new certificates.
|
||||||
|
|
||||||
|
* Kubernetes certificates renewal failed.
|
||||||
|
|
||||||
|
For this alarm, the Kubernetes certificates need to be renewed manually,
|
||||||
|
during which services need to restart.
|
||||||
|
|
||||||
|
If this alarm is raised, the administrator should follow the recommended
|
||||||
|
action for the specific alarm.
|
||||||
|
|
||||||
**kube-controller-manager client certificate**
|
**kube-controller-manager client certificate**
|
||||||
|
|
||||||
@ -81,12 +101,20 @@ This is the client certificate signed by Kubernetes Root |CA| and embedded in
|
|||||||
``/etc/kubernetes/controller-manager.conf``. It is used by
|
``/etc/kubernetes/controller-manager.conf``. It is used by
|
||||||
``kube-controller-manager`` pod to identify itself to ``kube-apiserver``.
|
``kube-controller-manager`` pod to identify itself to ``kube-apiserver``.
|
||||||
|
|
||||||
|
This certificate is monitored and auto-renewed by a cronjob, which runs every
|
||||||
|
day at midnight to check if the expiry date is approaching, and renew the
|
||||||
|
certificate if the expiry date is within 15 days.
|
||||||
|
|
||||||
**kube-scheduler client certificate**
|
**kube-scheduler client certificate**
|
||||||
|
|
||||||
This is the client certificate signed by Kubernetes Root |CA| and embedded in
|
This is the client certificate signed by Kubernetes Root |CA| and embedded in
|
||||||
``/etc/kubernetes/scheduler.conf``. It is used by ``kube-scheduler`` pod to
|
``/etc/kubernetes/scheduler.conf``. It is used by ``kube-scheduler`` pod to
|
||||||
identify itself to the ``kube-apiserver``.
|
identify itself to the ``kube-apiserver``.
|
||||||
|
|
||||||
|
This certificate is monitored and auto-renewed by a cronjob, which runs every
|
||||||
|
day at midnight to check if the expiry date is approaching, and renew the
|
||||||
|
certificate if the expiry date is within 15 days.
|
||||||
|
|
||||||
**kube-apiserver server certificate**
|
**kube-apiserver server certificate**
|
||||||
|
|
||||||
This is the kube-apiserver's serving certificate. Clients connecting to the
|
This is the kube-apiserver's serving certificate. Clients connecting to the
|
||||||
@ -98,6 +126,10 @@ file system:
|
|||||||
|
|
||||||
- ``/etc/kubernetes/pki/apiserver.key``
|
- ``/etc/kubernetes/pki/apiserver.key``
|
||||||
|
|
||||||
|
This certificate is monitored and auto-renewed by a cronjob, which runs every
|
||||||
|
day at midnight to check if the expiry date is approaching, and renew the
|
||||||
|
certificate if the expiry date is within 15 days.
|
||||||
|
|
||||||
**kube-apiserver's kubelet client certificate**
|
**kube-apiserver's kubelet client certificate**
|
||||||
|
|
||||||
``kube-apiserver``'s client certificate for communications with ``kubelet``.
|
``kube-apiserver``'s client certificate for communications with ``kubelet``.
|
||||||
@ -109,6 +141,10 @@ file system:
|
|||||||
|
|
||||||
- ``/etc/kubernetes/pki/apiserver-kubelet-client.key``
|
- ``/etc/kubernetes/pki/apiserver-kubelet-client.key``
|
||||||
|
|
||||||
|
This certificate is monitored and auto-renewed by a cronjob, which runs every
|
||||||
|
day at midnight to check if the expiry date is approaching, and renew the
|
||||||
|
certificate if the expiry date is within 15 days.
|
||||||
|
|
||||||
**kubelet client certificate**
|
**kubelet client certificate**
|
||||||
|
|
||||||
This is the ``kubelet``’s client certificate (with private key in it).
|
This is the ``kubelet``’s client certificate (with private key in it).
|
||||||
@ -121,7 +157,8 @@ one file:
|
|||||||
|
|
||||||
- ``/var/lib/kubelet/pki/kubelet-client-current.pem``
|
- ``/var/lib/kubelet/pki/kubelet-client-current.pem``
|
||||||
|
|
||||||
This certificate is configured to auto renew.
|
Kubelet is configured to auto-renew this certificate.
|
||||||
|
|
||||||
|
|
||||||
**front-proxy-client certificate**
|
**front-proxy-client certificate**
|
||||||
|
|
||||||
@ -136,7 +173,9 @@ required only if you run ``kube-proxy`` to support an extension API server.
|
|||||||
|
|
||||||
.. toctree::
|
.. toctree::
|
||||||
:maxdepth: 1
|
:maxdepth: 1
|
||||||
|
:hidden:
|
||||||
|
|
||||||
|
kubernetes-root-ca-certificate
|
||||||
update-renew-kubernetes-certificates-52b00bd0bdae
|
update-renew-kubernetes-certificates-52b00bd0bdae
|
||||||
manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9
|
manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9
|
||||||
kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d
|
kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d
|
||||||
|
@ -4,47 +4,49 @@
|
|||||||
|
|
||||||
.. _migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d:
|
.. _migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d:
|
||||||
|
|
||||||
========================================================
|
===========================================================================
|
||||||
Migrate/Update Platform Certificates to use Cert Manager
|
Update system-local-ca or Migrate Platform Certificates to use Cert Manager
|
||||||
========================================================
|
===========================================================================
|
||||||
|
|
||||||
Platform Certificates from the legacy certificate management APIs/CLIs, which
|
The playbook described in this section can be used to either update
|
||||||
will be deprecated in a future release, to the new method of configuring
|
``system-local-ca`` or migrate platform Certificates to use Cert Manager. For
|
||||||
Platform Certificates using Cert-Manager which enables auto-renewals of
|
updating ``system-local-ca``, this playbook will update the ``system-local-ca``
|
||||||
Platform Certificates.
|
Secret and Issuer, re-sign all the Platform certificates using this issuer, and
|
||||||
|
in a Distributed Cloud environment, iterate thru all of the subclouds and do
|
||||||
|
the same updates and re-signing on each Subcloud. In the migration use case,
|
||||||
|
this playbook can be used to switch from using Platform certificates generated
|
||||||
|
from the legacy certificate management APIs/CLIs, which will be deprecated in a
|
||||||
|
future release, to the new method of configuring Platform certificates using
|
||||||
|
Cert-Manager which enables auto-renewals of Platform certificates. And again
|
||||||
|
in a Distributed Cloud environment will iterate thru all of the Subclouds.
|
||||||
|
|
||||||
.. rubric:: |context|
|
.. rubric:: |context|
|
||||||
|
|
||||||
This migration script can be configured to execute on any
|
This playbook can be configured to execute on any :ref:`deployment
|
||||||
:ref:`deployment configuration <deployment-options>` supported by |prod|
|
configuration <deployment-options>` supported by |prod| (|AIO|, standard, and
|
||||||
(|AIO|, standard, and distributed cloud configurations), allowing you to migrate
|
distributed cloud configurations), allowing you to update system-local-ca and
|
||||||
the certificates at scale. The script will replace old certificates and a backup
|
re-sign certificates or migrate certificates at scale.
|
||||||
of the original certificates will be retained for reference. The certificates
|
|
||||||
that will be migrated/updated with this playbook are:
|
|
||||||
|
|
||||||
* REST API & Web Server certificate
|
The certificates (if they exist) that will be updated / migrated with this
|
||||||
* Docker Registry certificate
|
playbook are:
|
||||||
* OIDC-Auth-Apps certificate
|
|
||||||
|
|
||||||
The |CA| against which the server certificates will be validated can be generated
|
* system-local-ca
|
||||||
on-platform (self-signed) or use an external Root |CA| and |ICA|. Using an external
|
* system-openldap-local-certificate
|
||||||
Root |CA| and |ICA| is recommended. Note that this ansible-playbook will use the same
|
* REST API & Web Server certificate ( system-restapi-gui-certificate signed by system-local-ca)
|
||||||
|ICA| cert & key to create the Issuers and/or ClusterIssuers for all
|
* Docker Registry certificate (system-registry-local-certificate signed by system-local-ca)
|
||||||
controllers/subclouds.
|
* OIDC-Auth-Apps certificate (<user-specified> signed by system-local-ca)
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
This playbook can also be used to update certificates, which is useful for
|
|
||||||
situations such as |ICA| approaching expiry.
|
|
||||||
|
|
||||||
.. rubric:: |proc|
|
.. rubric:: |proc|
|
||||||
|
|
||||||
#. Create an inventory file using Ansible-Vault.
|
#. Create an inventory file using Ansible-Vault.
|
||||||
|
|
||||||
You must create an inventory file to specify the playbook parameters. Using
|
You must create an inventory file to specify the playbook parameters. Using
|
||||||
ansible-vault is highly recommended for enhanced security. Ansible vault
|
ansible-vault is highly recommended in order to securely store the contents
|
||||||
will ask for a password in this step, which is used for subsequent
|
of the inventory file which includes the ``system-local-ca`` public
|
||||||
ansible-vault access and ansible-playbook commands.
|
certificate and private key, and the Root |CA| public certificate for
|
||||||
|
``system-local-ca``. Ansible vault will ask for a password in this step,
|
||||||
|
which is used for subsequent ansible-vault access and ansible-playbook
|
||||||
|
commands.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
@ -88,27 +90,23 @@ controllers/subclouds.
|
|||||||
The inventory parameters have the following meanings:
|
The inventory parameters have the following meanings:
|
||||||
|
|
||||||
``system_local_ca_cert`` and ``system_local_ca_key``
|
``system_local_ca_cert`` and ``system_local_ca_key``
|
||||||
You may choose to generate a certificate & key on the platform
|
Both values being the single-line base64 encoding of the corresponding
|
||||||
(self-signed, internal Root |CA|) or use an external Root
|
pem file; i.e. the output of :command:`base64 -w0 <pem-file>`.
|
||||||
|CA| that would make this an Intermediate |CA|.
|
|
||||||
|
|
||||||
.. note::
|
It is highly recommended that you use an Intermediate |CA|
|
||||||
|
``system-local-ca``, where the ``system-local-ca``'s certificate and
|
||||||
Ensure the certificates have RSA key length >= 2048 bits before
|
key are generated and signed by an external trusted Root |CA|. Refer
|
||||||
migrating to |prod-long| Release |this-ver|. The |prod-long| Release
|
to the documentation for the external trusted Root |CA| that you are
|
||||||
|this-ver| provides a new version of ``openssl`` which requires a
|
using, on how to create a public certificate and private key pair, for
|
||||||
minimum of 2048-bit keys for RSA for better security / encryption
|
use in an Intermediate |CA|.
|
||||||
strength.
|
|
||||||
|
The duration of the Intermediate CA public certificate and private key
|
||||||
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
pair should be at least 3 years. See *ca_duration* to modify this
|
||||||
and looking for the "Public-Key" in the output. For more information see
|
semantic check.
|
||||||
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
|
||||||
|
|
||||||
``system_root_ca_cert``
|
``system_root_ca_cert``
|
||||||
The Root |CA| that signed ``system_local_ca_cert``. If
|
The public certificate of the Root |CA| that signed
|
||||||
``system_local_ca_cert`` is a self-signed, internal Root |CA|
|
``system_local_ca_cert``.
|
||||||
certificate, duplicate the value of ``system_local_ca_cert`` in this
|
|
||||||
field.
|
|
||||||
|
|
||||||
``ca_duration``
|
``ca_duration``
|
||||||
|CA| duration validation parameter. This will be used against
|
|CA| duration validation parameter. This will be used against
|
||||||
@ -118,19 +116,20 @@ controllers/subclouds.
|
|||||||
renewed manually. Only override if necessary.
|
renewed manually. Only override if necessary.
|
||||||
|
|
||||||
``system_platform_certificate.dns_domain``
|
``system_platform_certificate.dns_domain``
|
||||||
The |DNS| domain that will be used to build the full dns name for the
|
The |DNS| domain that will be used to build a full DNS name for the
|
||||||
|SANs| List of the Platform Certificates. E.g.
|
|SANs| List of the Platform Certificates. E.g.
|
||||||
``starlingx-restapi-gui.<dns_domain>`` would appear in the |SANs| list
|
``starlingx-restapi-gui.<dns_domain>`` would appear in the |SANs| list
|
||||||
of the REST API & Web Server certificate. in the server certificates.
|
of the REST API & Web Server certificate. in the server certificates.
|
||||||
|
|
||||||
``system_platform_certificate.duration``
|
``system_platform_certificate.duration``
|
||||||
The duration of certificate validity to use in all Platform
|
The duration of certificate validity to use in all Platform
|
||||||
Certificates, in hours. The Platform Server Certificates will be
|
Certificates, in hours; defaults to 2160h (or 90 days). The Platform
|
||||||
auto-renewed by Cert-Manager.
|
Server Certificates will be auto-renewed by Cert-Manager.
|
||||||
|
|
||||||
``system_platform_certificate.renewBefore``
|
``system_platform_certificate.renewBefore``
|
||||||
The number of hours before certificate expiry that the Platform
|
The number of hours before certificate expiry that the Platform
|
||||||
Certificate should be auto-renewed by Cert-Manager.
|
Certificate should be auto-renewed by Cert-Manager; defaults to 360h
|
||||||
|
(or 15 days).
|
||||||
|
|
||||||
``system_platform_certificate.subject_*fields``
|
``system_platform_certificate.subject_*fields``
|
||||||
Subject related fields that will be added to all platform certificates:
|
Subject related fields that will be added to all platform certificates:
|
||||||
@ -147,9 +146,7 @@ controllers/subclouds.
|
|||||||
|
|
||||||
- ``system_platform_certificate.subject_CN``: Common Name
|
- ``system_platform_certificate.subject_CN``: Common Name
|
||||||
|
|
||||||
- ``system_platform_certificate.subject_prefix``: An optional field
|
- ``system_platform_certificate.subject_prefix``: An optional field to add a prefix to further identify the certificate, such as |prod| for instance.
|
||||||
to add a prefix to further identify the certificate, such as |prod|
|
|
||||||
for instance
|
|
||||||
|
|
||||||
``ansible_ssh_user``
|
``ansible_ssh_user``
|
||||||
The username to use to connect to the target system using ``ssh``.
|
The username to use to connect to the target system using ``ssh``.
|
||||||
@ -158,7 +155,7 @@ controllers/subclouds.
|
|||||||
The password to use to connect to the target system using ``ssh``.
|
The password to use to connect to the target system using ``ssh``.
|
||||||
|
|
||||||
``ansible_become_pass``
|
``ansible_become_pass``
|
||||||
The target system's sudo password.
|
The ``ansible_ssh_user``'s sudo password.
|
||||||
|
|
||||||
If a separate set of overrides are required for a group of hosts,
|
If a separate set of overrides are required for a group of hosts,
|
||||||
``children`` groups can be added under ``target_group``.
|
``children`` groups can be added under ``target_group``.
|
||||||
@ -204,13 +201,19 @@ controllers/subclouds.
|
|||||||
|
|
||||||
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml -i migration-inventory.yml --extra-vars "target_list=subcloud1 mode=update ignore_alarms=yes" --ask-vault-pass
|
~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/migrate_platform_certificates_to_certmanager.yml -i migration-inventory.yml --extra-vars "target_list=subcloud1 mode=update ignore_alarms=yes" --ask-vault-pass
|
||||||
|
|
||||||
The behavior of the migration can be customized using the following
|
.. note::
|
||||||
|
|
||||||
|
In |prod-dc| systems, the playbook must be executed from the System
|
||||||
|
Controller, and the ``target_list`` parameter should be used to target
|
||||||
|
the desired subclouds.
|
||||||
|
|
||||||
|
The behavior of the update/migration can be customized using the following
|
||||||
``--extra-vars`` parameter options:
|
``--extra-vars`` parameter options:
|
||||||
|
|
||||||
``mode``
|
``mode``
|
||||||
* ``update``: Creates or updates platform certificates. Also supports
|
* ``update``: Creates or updates platform certificates. Also supports
|
||||||
ongoing updates, which is useful for operations such as such as
|
ongoing updates, which is useful for operations such as replacing the
|
||||||
replacing the |ICA| or changing other parameters.
|
|ICA| or changing other parameters.
|
||||||
|
|
||||||
* ``check``: Gathers certificates from all subclouds and prints them on
|
* ``check``: Gathers certificates from all subclouds and prints them on
|
||||||
the system controller
|
the system controller
|
||||||
@ -226,11 +229,8 @@ controllers/subclouds.
|
|||||||
retrieve a list of online subclouds to target.
|
retrieve a list of online subclouds to target.
|
||||||
|
|
||||||
``ignore_alarms``
|
``ignore_alarms``
|
||||||
``yes``/``no``: When not specified defaults to no.
|
``yes``/``no``: When not specified defaults to no. Using
|
||||||
|
``ignore_alarms=yes`` should be avoided as much as possible. Only use
|
||||||
|
it after a careful analysis of the alarm in question and for specific
|
||||||
|
hosts.
|
||||||
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
The ``ignore_alarms`` extra-var should be avoided as much as possible.
|
|
||||||
Only use it after a careful analysis of the alarm in question and for
|
|
||||||
specific hosts.
|
|
||||||
|
@ -183,7 +183,8 @@ CLIs and Clients for an admin user with cluster-admin clusterrole.
|
|||||||
to the remote workstation, and extract its content.
|
to the remote workstation, and extract its content.
|
||||||
|
|
||||||
|
|
||||||
- The tarball is available from the |prod| area on the |prod| CENGEN build servers.
|
- The tarball is available from the |prod| area on the |prod| CENGE N
|
||||||
|
build servers.
|
||||||
|
|
||||||
- You can extract the tarball's contents anywhere on your client system.
|
- You can extract the tarball's contents anywhere on your client system.
|
||||||
|
|
||||||
@ -209,17 +210,18 @@ CLIs and Clients for an admin user with cluster-admin clusterrole.
|
|||||||
|
|
||||||
.. note::
|
.. note::
|
||||||
|
|
||||||
For a Distributed Cloud system, navigate to **Project** \> **Central Cloud Regions** \> **RegionOne** \>
|
For a Distributed Cloud system, navigate to **Project** \> **Central
|
||||||
and download the **Openstack RC file**.
|
Cloud Regions** \> **RegionOne** \> and download the **Openstack RC
|
||||||
|
file**.
|
||||||
|
|
||||||
#. If HTTPS has been enabled for the |prod| RESTAPI Endpoints on your
|
#. If HTTPS has been enabled for the |prod| RESTAPI Endpoints on your
|
||||||
|prod| system, add the following line to the bottom of admin-openrc.sh:
|
|prod| system, add the following line to the bottom of ``admin-openrc.sh``:
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
OS_CACERT=<path_to_ca_>
|
OS_CACERT=<path_to_ca_>
|
||||||
|
|
||||||
where ``<path_to_ca>`` is the full filename of the PEM file for the CA
|
where ``<path_to_ca>`` is the full filename of the |PEM| file for the |CA|
|
||||||
Certificate that signed the |prod| REST APIs Endpoint Certificate.
|
Certificate that signed the |prod| REST APIs Endpoint Certificate.
|
||||||
Copy the file ``admin-openrc.sh`` to the remote workstation. This example
|
Copy the file ``admin-openrc.sh`` to the remote workstation. This example
|
||||||
assumes it is copied to the location of the extracted tarball.
|
assumes it is copied to the location of the extracted tarball.
|
||||||
|
@ -1,174 +1,193 @@
|
|||||||
.. _starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834:
|
.. _starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834:
|
||||||
|
|
||||||
========================
|
======================
|
||||||
Create a local CA Issuer
|
System Local CA Issuer
|
||||||
========================
|
======================
|
||||||
|
|
||||||
|
|
||||||
|org| recommends that a single local |CA| Issuer be created on the platform to
|
At installation time, a ``system-local-ca`` ClusterIssuer is created. The
|
||||||
create, sign, and anchor all of your platform certificates. This |CA| can be
|
intent is that the ``system-local-ca`` can be the single root of trust for
|
||||||
either a stand-alone local Root |CA| or a local Intermediate |CA| (whose
|
Platform Certificates, such that external clients, using Platform APIs, need
|
||||||
certificate is signed by an external Root |CA|). This simplifies your overall
|
only add the single ``system-local-ca`` public certificate to their list of
|
||||||
platform certificate configuration, and means that external clients interfacing
|
trusted |CAs| for the purpose of validating Platform server certificates.
|
||||||
with the platform's HTTPS endpoints, need only be given a single Root |CA|
|
|
||||||
certificate to add to their trusted |CAs|.
|
At installation time, the ``cert-manager/system-local-ca`` TLS Secret, which is
|
||||||
|
used for CA Signing by the ``system-local-ca`` ClusterIssuer, is initially set
|
||||||
|
to the Kubernetes Root CA. At installation time, the Kubernetes Root |CA| is
|
||||||
|
either auto-generated or explicitly set thru bootstrap playbook overrides (see
|
||||||
|
:ref:`kubernetes-root-ca-certificate`).
|
||||||
|
|
||||||
|
In a Distributed Cloud System, by default, the Subclouds are deployed with the
|
||||||
|
same Kubernetes Root |CA| and the same ``system-local-ca`` as the
|
||||||
|
SystemController.
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
In order to change or renew the ``system-local-ca`` Secret for signing, the
|
||||||
|
``migrate_platform_certificates_to_certmanager.yml`` playbook MUST BE USED,
|
||||||
|
see :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`.
|
||||||
|
This playbook will update the ``system-local-ca`` Secret and Issuer, re-sign
|
||||||
|
all of the Platform Certificates using this issuer, and in a Distributed
|
||||||
|
Cloud environment iterate through all of the Subclouds and do the same
|
||||||
|
updates and re-signing on each Subcloud.
|
||||||
|
|
||||||
|
|
||||||
Create the ClusterIssuer
|
.. Create the ClusterIssuer
|
||||||
========================
|
.. ========================
|
||||||
|
..
|
||||||
Create a local Root CA
|
.. Create a local Root CA
|
||||||
----------------------
|
.. ----------------------
|
||||||
|
..
|
||||||
The following sample procedure illustrates how to create a unique standalone
|
.. The following sample procedure illustrates how to create a unique standalone
|
||||||
local Root |CA| (``system-local-ca``) that can be used to create, sign, and
|
.. local Root |CA| (``system-local-ca``) that can be used to create, sign, and
|
||||||
anchor all of your platform certificates.
|
.. anchor all of your platform certificates.
|
||||||
|
..
|
||||||
Update the ``subject`` fields to identify your particular system.
|
.. Update the ``subject`` fields to identify your particular system.
|
||||||
|
..
|
||||||
It is recommended that a 3-5 year duration be used for operational simplicity
|
.. It is recommended that a 3-5 year duration be used for operational simplicity
|
||||||
since, although the certificate will automatically renew locally, when it does
|
.. since, although the certificate will automatically renew locally, when it does
|
||||||
renew, you will need to re-distribute the |CA|'s new public certificate to all
|
.. renew, you will need to re-distribute the |CA|'s new public certificate to all
|
||||||
external clients using the platform's HTTPS endpoints.
|
.. external clients using the platform's HTTPS endpoints.
|
||||||
|
..
|
||||||
The created ``system-local-ca`` Root |CA| is cluster-wide, so it can be used to
|
.. The created ``system-local-ca`` Root |CA| is cluster-wide, so it can be used to
|
||||||
create all platform certificates and can also be used for hosted applications'
|
.. create all platform certificates and can also be used for hosted applications'
|
||||||
certificates.
|
.. certificates.
|
||||||
|
..
|
||||||
.. rubric:: |proc|
|
.. .. rubric:: |proc|
|
||||||
|
..
|
||||||
#. Create a cluster issuer yaml configuration file.
|
.. #. Create a cluster issuer yaml configuration file.
|
||||||
|
..
|
||||||
.. code-block:: none
|
.. .. code-block:: none
|
||||||
|
..
|
||||||
~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
|
.. ~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
|
||||||
---
|
.. ---
|
||||||
apiVersion: cert-manager.io/v1
|
.. apiVersion: cert-manager.io/v1
|
||||||
kind: ClusterIssuer
|
.. kind: ClusterIssuer
|
||||||
metadata:
|
.. metadata:
|
||||||
name: system-selfsigning
|
.. name: system-selfsigning
|
||||||
spec:
|
.. spec:
|
||||||
selfSigned: {}
|
.. selfSigned: {}
|
||||||
---
|
.. ---
|
||||||
apiVersion: cert-manager.io/v1
|
.. apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
.. kind: Certificate
|
||||||
metadata:
|
.. metadata:
|
||||||
name: system-local-ca
|
.. name: system-local-ca
|
||||||
namespace: cert-manager
|
.. namespace: cert-manager
|
||||||
spec:
|
.. spec:
|
||||||
subject:
|
.. subject:
|
||||||
organizationalUnits:
|
.. organizationalUnits:
|
||||||
- StarlingX-system-local-ca
|
.. - StarlingX-system-local-ca
|
||||||
secretName: system-local-ca
|
.. secretName: system-local-ca
|
||||||
commonName: system-local-ca
|
.. commonName: system-local-ca
|
||||||
isCA: true
|
.. isCA: true
|
||||||
duration: 43800h # 5 year
|
.. duration: 43800h # 5 year
|
||||||
renewBefore: 720h # 30 days
|
.. renewBefore: 720h # 30 days
|
||||||
issuerRef:
|
.. issuerRef:
|
||||||
name: system-selfsigning
|
.. name: system-selfsigning
|
||||||
kind: ClusterIssuer
|
.. kind: ClusterIssuer
|
||||||
---
|
.. ---
|
||||||
apiVersion: cert-manager.io/v1
|
.. apiVersion: cert-manager.io/v1
|
||||||
kind: ClusterIssuer
|
.. kind: ClusterIssuer
|
||||||
metadata:
|
.. metadata:
|
||||||
name: system-local-ca
|
.. name: system-local-ca
|
||||||
spec:
|
.. spec:
|
||||||
ca:
|
.. ca:
|
||||||
secretName: system-local-ca
|
.. secretName: system-local-ca
|
||||||
EOF
|
.. EOF
|
||||||
|
..
|
||||||
For more information on supported parameters, see
|
.. For more information on supported parameters, see
|
||||||
`https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1
|
.. `https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1
|
||||||
<https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1>`__.
|
.. <https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1>`__.
|
||||||
|
..
|
||||||
|
..
|
||||||
#. Apply the configuration.
|
.. #. Apply the configuration.
|
||||||
|
..
|
||||||
.. code-block:: none
|
.. .. code-block:: none
|
||||||
|
..
|
||||||
~(keystone_admin)]$ kubectl apply –f cluster-issuer.yaml
|
.. ~(keystone_admin)]$ kubectl apply –f cluster-issuer.yaml
|
||||||
|
..
|
||||||
#. Verify the configuration.
|
.. #. Verify the configuration.
|
||||||
|
..
|
||||||
.. code-block::
|
.. .. code-block::
|
||||||
|
..
|
||||||
~(keystone_admin)]$ kubectl get clusterissuer
|
.. ~(keystone_admin)]$ kubectl get clusterissuer
|
||||||
|
..
|
||||||
#. Write the public certificate of this |CA| to a ``.pem`` file that can be
|
.. #. Write the public certificate of this |CA| to a ``.pem`` file that can be
|
||||||
distributed to external clients using the platform's HTTPS endpoints.
|
.. distributed to external clients using the platform's HTTPS endpoints.
|
||||||
|
..
|
||||||
.. code-block::
|
.. .. code-block::
|
||||||
|
..
|
||||||
~(keystone_admin)]$ kubectl get secret <secretname> -n <namespacename> -o=jsonpath='{.data.tls\.crt}' | base64 --decode > <pemfilename>
|
.. ~(keystone_admin)]$ kubectl get secret <secretname> -n <namespacename> -o=jsonpath='{.data.tls\.crt}' | base64 --decode > <pemfilename>
|
||||||
|
..
|
||||||
Create a local Intermediate CA
|
.. Create a local Intermediate CA
|
||||||
------------------------------
|
.. ------------------------------
|
||||||
|
..
|
||||||
Alternatively, if you are using an external RootCA, the following procedure is
|
.. Alternatively, if you are using an external RootCA, the following procedure is
|
||||||
an example of how to create a local Intermediate |CA| (whose certificate is
|
.. an example of how to create a local Intermediate |CA| (whose certificate is
|
||||||
signed by an external Intermediate or Root |CA|) that can be used to
|
.. signed by an external Intermediate or Root |CA|) that can be used to
|
||||||
create, sign, and anchor all of your platform certificates. Refer to the
|
.. create, sign, and anchor all of your platform certificates. Refer to the
|
||||||
documentation for your external Intermediate or Root |CA| for information on
|
.. documentation for your external Intermediate or Root |CA| for information on
|
||||||
how to create a public certificate and private key for an intermediate |CA|.
|
.. how to create a public certificate and private key for an intermediate |CA|.
|
||||||
It is recommended that a 3-5 year duration be used for operational simplicity
|
.. It is recommended that a 3-5 year duration be used for operational simplicity
|
||||||
since this certificate will need to be manually renewed with the externally
|
.. since this certificate will need to be manually renewed with the externally
|
||||||
generated certificate and key, and then referenced via the ClusterIssuer's
|
.. generated certificate and key, and then referenced via the ClusterIssuer's
|
||||||
``spec.ca.secretName``. The |TLS| secret must be created in the Cluster
|
.. ``spec.ca.secretName``. The |TLS| secret must be created in the Cluster
|
||||||
Resource Namespace, which defaults to ``cert-manager`` on the platform.
|
.. Resource Namespace, which defaults to ``cert-manager`` on the platform.
|
||||||
|
..
|
||||||
The ``system-local-ca`` Root |CA| is cluster-wide, so it can be used to create
|
.. The ``system-local-ca`` Root |CA| is cluster-wide, so it can be used to create
|
||||||
all platform certificates and can also be used for hosted applications'
|
.. all platform certificates and can also be used for hosted applications'
|
||||||
certificates.
|
.. certificates.
|
||||||
|
..
|
||||||
#. Copy the |PEM| encoded certificate and key from the externally generated
|
.. #. Copy the |PEM| encoded certificate and key from the externally generated
|
||||||
|CA| to the controller host.
|
.. CA to the controller host.
|
||||||
|
..
|
||||||
.. note::
|
.. .. note::
|
||||||
|
..
|
||||||
Ensure the certificates have RSA key length >= 2048 bits. The
|
.. Ensure the certificates have RSA key length >= 2048 bits. The
|
||||||
|prod-long| Release |this-ver| provides a new version of ``openssl``
|
.. prod-long Release this-ver provides a new version of ``openssl``
|
||||||
which requires a minimum of 2048-bit keys for RSA for better
|
.. which requires a minimum of 2048-bit keys for RSA for better
|
||||||
security / encryption strength.
|
.. security / encryption strength.
|
||||||
|
..
|
||||||
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
.. You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
|
||||||
and looking for the "Public-Key" in the output. For more information see
|
.. and looking for the "Public-Key" in the output. For more information see
|
||||||
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
.. :ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
|
||||||
|
..
|
||||||
#. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
|
.. #. Create a |TLS| secret in ``cert-manager`` namespace with the certificate/Key
|
||||||
files:
|
.. files:
|
||||||
|
..
|
||||||
.. code-block:: none
|
.. .. code-block:: none
|
||||||
|
..
|
||||||
~(keystone_admin)]$ kubectl -n cert-manager create secret tls system-local-ca --cert=./cert.pem --key=./key.pem
|
.. ~(keystone_admin)]$ kubectl -n cert-manager create secret tls system-local-ca --cert=./cert.pem --key=./key.pem
|
||||||
|
..
|
||||||
#. Create ClusterIssuer and the |CA| certificate.
|
.. #. Create ClusterIssuer and the |CA| certificate.
|
||||||
|
..
|
||||||
.. code-block:: none
|
.. .. code-block:: none
|
||||||
|
..
|
||||||
~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
|
.. ~(keystone_admin)]$ cat <<EOF > cluster-issuer.yaml
|
||||||
---
|
.. ---
|
||||||
apiVersion: cert-manager.io/v1
|
.. apiVersion: cert-manager.io/v1
|
||||||
kind: ClusterIssuer
|
.. kind: ClusterIssuer
|
||||||
metadata:
|
.. metadata:
|
||||||
name: system-local-ca
|
.. name: system-local-ca
|
||||||
spec:
|
.. spec:
|
||||||
ca:
|
.. ca:
|
||||||
secretName: system-local-ca
|
.. secretName: system-local-ca
|
||||||
EOF
|
.. EOF
|
||||||
|
..
|
||||||
#. Apply the configuration.
|
.. #. Apply the configuration.
|
||||||
|
..
|
||||||
.. code-block:: none
|
.. .. code-block:: none
|
||||||
|
..
|
||||||
~(keystone_admin)]$ kubectl apply –f cluster-issuer.yaml
|
.. ~(keystone_admin)]$ kubectl apply –f cluster-issuer.yaml
|
||||||
|
..
|
||||||
#. Verify the configuration.
|
.. #. Verify the configuration.
|
||||||
|
..
|
||||||
.. code-block::
|
.. .. code-block::
|
||||||
|
..
|
||||||
~(keystone_admin)]$ kubectl get clusterissuer
|
.. ~(keystone_admin)]$ kubectl get clusterissuer
|
||||||
|
..
|
||||||
If the configuration is successful, the clusterissuer for
|
.. If the configuration is successful, the clusterissuer for
|
||||||
``system-local-ca`` will have Ready status of ``True``.
|
.. ``system-local-ca`` will have Ready status of ``True``.
|
||||||
|
..
|
||||||
The clusterissuer is now ready to issue certificates on the platform.
|
.. The clusterissuer is now ready to issue certificates on the platform.
|
||||||
|
..
|
@ -6,8 +6,10 @@
|
|||||||
Display Certificates Installed on a System
|
Display Certificates Installed on a System
|
||||||
------------------------------------------
|
------------------------------------------
|
||||||
|
|
||||||
The utility script **show-certs.sh** can be used to display an overview of the
|
The script **show-certs.sh** can be used to display a list of the specific
|
||||||
various certificates that exist in the system along with their expiry date.
|
certificates present on a |prod| system with details such as expiry
|
||||||
|
date, residual time, subject, issuer and renewal behaviour (manual or
|
||||||
|
automatic).
|
||||||
|
|
||||||
The :command:`show-certs.sh` command has the following options:
|
The :command:`show-certs.sh` command has the following options:
|
||||||
|
|
||||||
@ -21,13 +23,18 @@ renewal, and certificates expiring within 90 days.
|
|||||||
|
|
||||||
options:
|
options:
|
||||||
|
|
||||||
-k displays certificates found in any Kubernetes SECRETS;
|
``-k`` displays certificates found in any Kubernetes SECRETS; this may include
|
||||||
this may include platform certificates and end-users' certificates
|
platform certificates and end-users' certificates.
|
||||||
|
|
||||||
-e <number-of-days> changes to highlight (in red) certificates within
|
``-e`` <number-of-days>. Changes to highlight (in red) certificates within
|
||||||
<number-of-days> of expiry
|
<number-of-days> of expiry.
|
||||||
|
|
||||||
-h displays help
|
``-h`` displays help
|
||||||
|
|
||||||
|
.. note::
|
||||||
|
|
||||||
|
This command can only be run locally on the active controller, in an SSH
|
||||||
|
shell.
|
||||||
|
|
||||||
For example:
|
For example:
|
||||||
|
|
||||||
@ -46,9 +53,24 @@ For example:
|
|||||||
Residual Time : 341d
|
Residual Time : 341d
|
||||||
-----------------------------------------------------
|
-----------------------------------------------------
|
||||||
|
|
||||||
For scalability in a Distributed cloud system, the Subcloud ICA certificates
|
local-openldap / deployment / system-openldap-local-certificate CERTIFICATE:
|
||||||
are redirected to a file. The script displays the path to the file with a note
|
------------------------------------------
|
||||||
at the end of the displayed output.
|
Renewal : Automatic [Managed by Cert-Manager]
|
||||||
|
Namespace : deployment
|
||||||
|
Secret : system-openldap-local-certificate
|
||||||
|
Subject : CN = system-openldap
|
||||||
|
Issuer : CN = starlingx
|
||||||
|
Issue Date : Jul 6 16:15:30 2023 GMT
|
||||||
|
Expiry Date : Oct 4 16:15:30 2023 GMT
|
||||||
|
Residual Time : 89d
|
||||||
|
|
||||||
|
… etc
|
||||||
|
|
||||||
|
|
||||||
|
For scalability reasons, in a Distributed cloud system, the Subcloud ICA
|
||||||
|
certificates that are present on a SystemController are redirected to a file.
|
||||||
|
The script displays the path to the file with a note at the end of the
|
||||||
|
displayed output.
|
||||||
|
|
||||||
.. code-block:: none
|
.. code-block:: none
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user