3e03a0bc82

Initial draft procedures. Resolve merge conflicts. Incorporate patchset 1 review comments. Incorporate patchset 2 review comments. Incorporate patchset 3 review comments. Incorporate patchset 4 review comments. Open questions for J. Sun to be addressed. Incorporate patchset 5 review comments. Made sample url used in overrides generic. Incorporate patchset 8 review comments. Added note about issuer_root_ca recommended by J. Sun. Incorporate patchset 10 review comments. Fix formatting issue in output. Incorporate patchset 12 review comments. Story: 2007361 Task: 42625 Signed-off-by: Ron Stone <ronald.stone@windriver.com> Change-Id: I5a73f902902acc02baccb92995f696a4b19fb773

	Configure REST API Applications and Web Administration Server certificate
StarlingX provides support for secure HTTPS external connections used for the StarlingX REST API application endpoints (Keystone, Barbican and StarlingX) and the web administration server. By default, HTTPS access to the StarlingX REST and Web Server endpoints is disabled; they are accessible via HTTP only. To enable secure HTTPS access, an X.509 certificate and private key must be configured.
You can update the certificate used for HTTPS access at any time.
To configure or update the HTTPS certificate for the StarlingX REST
API and Web Server endpoints, create a cert-manager Certificate named
system-restapi-gui-certificate in the
deployment namespace. The secretName attribute
of this certificate's spec must also be
system-restapi-gui-certificate, because that is the secret the platform
reads the served certificate and key from.
See the example procedure below for creating the certificate for the
StarlingX REST API and Web Server endpoints. This example assumes you
have already configured a system-local-ca ClusterIssuer, as
described in starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834.
Update the following fields:
- The duration and renewBefore values for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate.
- The subject fields to identify your particular system.
- The ipAddresses with the Floating IP Address for this system.
- The dnsNames with any names configured for this system in an external DNS server.
Note
If you plan to use the container-based remote CLIs, due to a limitation in the Python 2 SSL certificate validation, the system-restapi-gui-certificate certificate must have either:
- CN=IPADDRESS and SANs=IPADDRESS
or
- CN=FQDN and SANs=FQDN
where IPADDRESS and FQDN are the Floating IP Address and its fully qualified domain name, respectively. A certificate whose CN is the IP address but whose only SAN is the FQDN (or vice versa) will fail validation from those CLIs.
- Create the REST API certificate yaml configuration file.

  ~(keystone_admin)]$ cat <<EOF > restapi-certificate.yaml
  ---
  apiVersion: cert-manager.io/v1alpha2
  kind: Certificate
  metadata:
    name: system-restapi-gui-certificate
    namespace: deployment
  spec:
    secretName: system-restapi-gui-certificate
    issuerRef:
      name: system-local-ca
      kind: ClusterIssuer
    duration: 2160h # 90 days
    renewBefore: 360h # 15 days
    commonName: < oam floating IP Address or FQDN >
    subject:
      organizations:
      - ABC-Company
      organizationalUnits:
      - StarlingX-system-restapi-gui
    ipAddresses:
    - < oam floating IP address >
    dnsNames:
    - < oam floating FQDN >
  EOF

- Apply the configuration.

  ~(keystone_admin)]$ kubectl apply -f restapi-certificate.yaml

- Verify the configuration.

  ~(keystone_admin)]$ kubectl get certificate system-restapi-gui-certificate -n deployment

  If configuration was successful, the certificate's Ready status will be True.
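The manifest above has several constraints that are easy to get wrong when the placeholders are filled in by hand: the Certificate name, its secretName and the namespace are fixed, renewBefore must be shorter than duration, and the commonName has to be backed by a SAN of the same type for the Python 2 remote CLIs described in the note. The following script is an added example, not StarlingX or cert-manager code; it builds the manifest in the same shape as the procedure, checks those constraints, and renders the YAML you would otherwise type into the heredoc. The ClusterIssuer name system-local-ca and the cert-manager.io/v1alpha2 API version are taken from the procedure; the address 10.10.10.2 and the name oam.example.com in the usage block are constructed sample values.

```python
import ipaddress
import re

# Fixed by the procedure: the platform reads the served key pair from this
# secret in this namespace, so neither name is free to change.
CERT_NAME = "system-restapi-gui-certificate"
NAMESPACE = "deployment"
ISSUER = "system-local-ca"  # ClusterIssuer assumed by the procedure above


def build_manifest(common_name, ip_addresses=(), dns_names=(),
                   duration="2160h", renew_before="360h",
                   org="ABC-Company", ou="StarlingX-system-restapi-gui"):
    """Return the Certificate manifest as a dict in the procedure's shape."""
    return {
        "apiVersion": "cert-manager.io/v1alpha2",
        "kind": "Certificate",
        "metadata": {"name": CERT_NAME, "namespace": NAMESPACE},
        "spec": {
            "secretName": CERT_NAME,
            "issuerRef": {"name": ISSUER, "kind": "ClusterIssuer"},
            "duration": duration,
            "renewBefore": renew_before,
            "commonName": common_name,
            "subject": {"organizations": [org], "organizationalUnits": [ou]},
            "ipAddresses": list(ip_addresses),
            "dnsNames": list(dns_names),
        },
    }


def _hours(value):
    """Parse the 'Nh' duration form used in the procedure; None otherwise."""
    m = re.fullmatch(r"(\d+)h", value or "")
    return int(m.group(1)) if m else None


def check_manifest(manifest):
    """Return a list of problems; an empty list means the manifest is acceptable."""
    problems = []
    meta = manifest.get("metadata", {})
    spec = manifest.get("spec", {})
    if meta.get("name") != CERT_NAME:
        problems.append("metadata.name must be %s" % CERT_NAME)
    if meta.get("namespace") != NAMESPACE:
        problems.append("metadata.namespace must be %s" % NAMESPACE)
    if spec.get("secretName") != CERT_NAME:
        problems.append("spec.secretName must be %s" % CERT_NAME)
    if spec.get("issuerRef", {}).get("kind") != "ClusterIssuer":
        problems.append("issuerRef.kind must be ClusterIssuer")
    dur, renew = _hours(spec.get("duration")), _hours(spec.get("renewBefore"))
    if dur is None or renew is None:
        problems.append("duration and renewBefore must be given in hours, e.g. 2160h")
    elif renew >= dur:
        problems.append("renewBefore must be shorter than duration, else the cert renews immediately")
    cn = spec.get("commonName", "")
    ips, dns = spec.get("ipAddresses", []), spec.get("dnsNames", [])
    try:
        ipaddress.ip_address(cn)
        cn_is_ip = True
    except ValueError:
        cn_is_ip = False
    # The note's rule for the Python 2 remote CLIs: the CN must also be present
    # as a SAN of the same type (IP SAN for an IP CN, DNS SAN for an FQDN CN).
    if not cn or "<" in cn:
        problems.append("commonName placeholder not filled in")
    elif cn_is_ip and cn not in ips:
        problems.append("commonName is an IP address but is not listed in ipAddresses")
    elif not cn_is_ip and cn not in dns:
        problems.append("commonName is a name but is not listed in dnsNames")
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            problems.append("ipAddresses entry is not an IP address: %r" % ip)
    return problems


def to_yaml(manifest):
    """Render the manifest as the YAML the procedure writes with 'cat <<EOF'."""
    s = manifest["spec"]
    lines = ["---", "apiVersion: %s" % manifest["apiVersion"],
             "kind: %s" % manifest["kind"], "metadata:",
             "  name: %s" % manifest["metadata"]["name"],
             "  namespace: %s" % manifest["metadata"]["namespace"], "spec:",
             "  secretName: %s" % s["secretName"], "  issuerRef:",
             "    name: %s" % s["issuerRef"]["name"],
             "    kind: %s" % s["issuerRef"]["kind"],
             "  duration: %s" % s["duration"], "  renewBefore: %s" % s["renewBefore"],
             "  commonName: %s" % s["commonName"], "  subject:", "    organizations:"]
    lines += ["    - %s" % o for o in s["subject"]["organizations"]]
    lines.append("    organizationalUnits:")
    lines += ["    - %s" % o for o in s["subject"]["organizationalUnits"]]
    for key in ("ipAddresses", "dnsNames"):  # omit empty SAN lists entirely
        if s[key]:
            lines.append("  %s:" % key)
            lines += ["  - %s" % v for v in s[key]]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    m = build_manifest("10.10.10.2", ip_addresses=["10.10.10.2"],
                       dns_names=["oam.example.com"])
    print("\n".join(check_manifest(m)) or to_yaml(m))
```

Run it and redirect the output to restapi-certificate.yaml before kubectl apply; a non-empty problem list is printed instead of YAML, so a mismatched CN and SAN never reaches the cluster.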
The REST and Web Server certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.