4d8775ca61
Removed rst substitution from tables and inline markups. Updated table and reestructured sections in the overview. Fixed issues, reworded paragraphs, changed titles. Deleted unnecessary sections, added a new item to section and fixed editorial issues. Fixed editorial and formatting issues. Fixed more editorial and formatting issues. Fixed formatting and editorial issues. Added command line. Fixed command line. Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com> Change-Id: I69874db16c76d5aceac706f2b8033771780500ca
17 KiB
17 KiB
HTTPS and Certificates Management Overview
Certificates are heavily used for secure HTTPS access and authentication on platform. This table lists the major certificates being used in the system, and indicates which certificates are automatically created/renewed by the system versus which certificates must be manually created/renewed by the system administrator. Details on manual management of certificates can be found in the following sections.
| Certificate | Auto Created | Renewal Status |
|---|---|---|
| Kubernetes Root CA Certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |
| Cluster Admin client certificate used by kubectl | Yes | auto-renewed by cron job |
| kube-controller-manager client certificate | Yes | auto-renewed by cron job |
| kube-scheduler client certificate | Yes | auto-renewed by cron job |
| kube-apiserver server certificate | Yes | auto-renewed by cron job |
| kube-apiserver's kubelet client certificate | Yes | auto-renewed by cron job |
| kubelet client certificate | Yes | auto-renewed by kubelet feature enabled by default |
| etcd Root CA certificate | Yes | NOT AUTO-RENEWED; Default expiry is set at 10 years |
| etcd server certificate | Yes | auto-renewed by cron job |
| etcd client certificate | Yes | auto-renewed by cron job |
| kube-apiserver's etcd client certificate | Yes | auto-renewed by cron job |
| StarlingX REST API & HORIZON Server Certificate | Yes (But the auto-created certificate is self-signed and should be changed) | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| Local Registry Server Certificate | Yes (But the auto-created certificate is self-signed and should be changed) | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| OIDC Client and Dex Server Server Certificate | No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| OIDC Client and Dex Server CA certificate | No | NOT AUTO-RENEWED. CUSTOMER MUST renew via CLIs |
| OIDC Remote WAD CA Certificate | No | NOT AUTO-RENEWED. CUSTOMER MUST renew via CLIs |
| Vault Server Certificate | Yes | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| Vault Root CA certificate | Yes | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| Portieris Server Certificate | Yes | Auto renewed by cert-manager; BUT COSTOMER MUST restart Portieris after the certificate is renewed |
| Portieris remote registry and notary server CA Certificate | No | NOT AUTO-RENEWED; CUSTOMER MUST renew via CLIs |
| Root CA DC Admin Endpoint CA Certificate | Yes | auto-renewed |
| Intermediate CA DC Admin Endpoint CA Certificate | Yes | auto-renewed |
| DC Admin Endpoint Server Certificate | Yes | auto-renewed |
| System trusted CA Certificates | No | NOT AUTO-RENEWED as these are certificates that are not necessarily owned by Cloud Platform |
Where:
- Auto created: the certificate is generated during system deployment or triggered by certain operations.
- Renewal Status: whether the certificate is renewed automatically by the system when expiry date approaches.
The following sections provide details on managing these certificates.
StarlingX REST API Applications and the Web Administration Server Certificate <starlingx-rest-api-applications-and-the-web-administration-server>Kubernetes Certificates <kubernetes-certificates-f4196d7cae9c>Local Registry Server Certificates <security-install-update-the-docker-registry-certificate>System Trusted CA Certificates <add-a-trusted-ca>