starlingx/docs
Code Issues Proposed changes
Files
d6fb867888d94ea2f3b010007ab9cec88d68dea5
docs/doc/source/security/kubernetes/add-a-trusted-ca.rst
Keane Lim 3c5fa979a4 Security guide update 
Re-organized topic hierarchy

Tiny edit to restart review workflow.

Squashed with Resolved index.rst conflict commit

Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5
Signed-off-by: Keane Lim <keane.lim@windriver.com>
Signed-off-by: MCamp859 <maryx.camp@intel.com>
2021-03-12 15:10:40 -05:00

116 lines
3.9 KiB
ReStructuredText
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

.. qfk1564403051860
.. _add-a-trusted-ca:
================
Add a Trusted CA
================
Generally a trusted |CA| certificate needs to be added if |prod| clients on
the hosts will be connecting to server\(s\) secured with SSL and whose
certificate is signed by an unknown |CA|.
.. contents::
:local:
:depth: 1
For example, a trusted |CA| certificate is required if your helm charts or
yaml manifest files refer to images stored in a docker registry whose
certificate has been signed by an unknown Certificate Authority.
Trusted |CA| certificates can be added as part of the Ansible Bootstrap
Playbook or by using the StarlingX/system REST API or CLI after installation.
.. _add-a-trusted-ca-section-N1002C-N1001C-N10001:
--------------------------
Ansible Bootstrap Playbook
--------------------------
A trusted |CA| certificate may need to be specified as an override parameter
for the Ansible Bootstrap Playbook. Specifically, if the docker registries,
specified by the bootstrap overrides file, use a certificate signed by an
unknown |CA|. If this is the case then the ssl\_ca\_cert parameter needs to
be specified in the ansible overrides file, /home/sysadmin/localhost.yml, as
part of bootstrap in the installation procedure.
For example:
.. code-block:: none
apiserver_cert_sans: <trusted-ca-bundle-pem-file>
The *ssl\_ca\_cert* value is the absolute path of the file containing the
|CA| certificate\(s\) to trust. The certificate\(s\) must be in |PEM| format
and the file may contain one or more |CA| certificates.
.. _add-a-trusted-ca-section-N10047-N1001C-N10001:
-----------------------------------------------------
StarlingX/System CLI Trusted CA Certificate Install
-----------------------------------------------------
After installation, adding a trusted |CA| to the |prod| system may be required.
This is the case if images stored in a docker registry, whose certificate has
been signed by an unknown Certificate Authority, are referred to by helm
charts and/or yaml manifest files.
The certificate must be in |PEM| file format.
From the command line, run the :command:`certificate-install` command.
.. code-block:: none
~(keystone_admin)$ system certificate-install -m ssl_ca <trusted-ca-bundle-pem-file>
For example:
.. code-block:: none
~(keystone_admin)$ system certificate-install -m ssl_ca external-registry-ca-crt.pem
WARNING: For security reasons, the original certificate,
containing the private key, will be removed,
once the private key is processed.
+-------------+--------------------------------------+
| Property | Value |
+-------------+--------------------------------------+
| uuid | c986249f-b304-4ab4-b88e-14f92e75269d |
| certtype | ssl_ca |
| signature | ssl_ca_14617336624230451058 |
| start_date | 2019-05-22 18:24:41+00:00 |
| expiry_date | 2020-05-21 18:24:41+00:00 |
+-------------+--------------------------------------+
.. note::
Multiple trusted |CA| certificates can be added with single install
command by including multiple |CA| certificates in the |PEM| file.
.. _add-a-trusted-ca-section-phr-jw4-3mb:
-------------------------------------------------------
StarlingX/System CLI Trusted CA Certificate Uninstall
-------------------------------------------------------
To remove a Trusted |CA| Certificate, first list the trusted |CAs| by
running the following command:
.. code-block:: none
~(keystone_admin)$ system certificate-list
where, all entries with certtype = ssl\_ca are trusted |CA| certificates.
Then remove a Trusted |CA| Certificate from the list of trusted |CAs| by
running the following command:
.. code-block:: none
~(keystone_admin)$ system certificate-uninstall -m ssl_ca <UUID>
where, <UUID> is the UUID of the ssl\_ca certtype to be removed.
View Git Blame Copy Permalink