Kubernetes Certificates

Story: 2011399
Task: 52686

Change-Id: I266a480ada8d9a1e0f552973adfb023f001d7d04
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>

doc/source/security/kubernetes/kubernetes-certificates-f4196d7cae9c.rst

@@ -5,11 +5,13 @@ Kubernetes Certificates
 =======================
 
 For Kubernetes, HTTPS is always enabled for both internal and external
-endpoints.
+endpoints. Kubernetes automatically creates all of its client and server
+certificates used internally and signs them with a Kubernetes Root |CA|.
 
-Kubernetes automatically creates all of its client and server certificates, and
-signs them with a Kubernetes Root |CA|. This includes the server certificate
-for the external ``kube-apiserver`` API endpoint.
+.. note::
+
+    External access to the ``kube-apiserver`` API endpoint goes through a HAproxy
+    frontend, which uses the |prod| Rest API/GUI certificate.
 
 Kubernetes certificates include:
 
@@ -31,25 +33,36 @@ certificate embedded in service account token to verify the
 ``kube-apiserver``'s server certificate when it makes calls to the
 kube-apiserver.
 
-By default, the Kubernetes Root |CA| is automatically generated at install time.
+By default, the Kubernetes Root |CA| is automatically generated at installation time.
 
-If desired, you can externally generate a Root |CA| certificate and key, and
-configure it as the Kubernetes Root |CA| during installation, see
-:ref:`kubernetes-root-ca-certificate`. 
+If required, you can externally generate a Root |CA| certificate and key, and
+configure it as the Kubernetes Root |CA| during installation. See
+:ref:`kubernetes-root-ca-certificate`. This certificate is only used for
+internal access. External access goes through HAproxy, which uses the |prod| REST
+API/GUI certificate, issued by the Platform Issuer (system-local-ca). For more
+information about how to customize the Platform Issuer, see `https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html <https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html>`__.
 
 .. warning::
 
-   This must be a Root |CA|, not an Intermediate |CA|.
+    The Kubernetes |CA| must be a Root |CA| and not an intermediate |CA|. The
+    issuer for external connections, Platform Issuer (system-local-ca) supports
+    intermediate |CAs| including multi-layered ones.
 
-In a Distributed Cloud system, by default, the Subclouds are deployed with the
-same Kubernetes Root CA as the SystemController.
+In a |prod-dc| system, by default, the subclouds are deployed with the same
+Kubernetes Root |CA| and Platform Issuer (system-local-ca) as the System
+Controller. The Root |CA| public certificate from the Platform Issuer
+(system-local-ca) whether auto-generated or specified, needs to be configured
+as a trusted |CA| by the external clients connecting to Cloud Platform’s
+Kubernetes API endpoint (example, via a remotely installed kubectl client).
+This certificate is stored in a K8s |TLS| secret and can be retrieved using the
+following command:
 
-The public certificate of the Kubernetes Root |CA|, whether auto-generated or
-specified, needs to be configured as a trusted |CA| by external servers
-connecting to Cloud Platform’s Kubernetes API endpoint (e.g. via a remotely
-installed kubectl client).  The Kubernetes Root |CA| public certificate can be
-found at ``/etc/kubernetes/pki/ca.crt``.
+.. code-block:: none
 
+    kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode
+
+For internal clients, the public certificate of Kubernetes Root |CA| should be
+configured as trusted. It can be found at ``/etc/kubernetes/pki/ca.crt``.
 
 Kubernetes Root |CA| certificate and corresponding private key are stored in
 file system: