Rafael Jardim d95c80d36f Update Security
Fixed merge conflict (RS)

Signed-off-by: Rafael Jardim <rafaeljordao.jardim@windriver.com>
Change-Id: I30b882a14196525f440db1108a56bbf862dfaf55
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2021-04-01 16:02:36 -04:00


Add a Trusted CA

Generally, a trusted certificate needs to be added if clients on the hosts will be connecting to server(s) secured with SSL whose certificate is signed by an unknown Certificate Authority (CA).

For example, a trusted certificate is required if your helm charts or yaml manifest files refer to images stored in a docker registry whose certificate has been signed by an unknown Certificate Authority.

Trusted certificates can be added as part of the Ansible Bootstrap Playbook or by using the StarlingX/system REST API or CLI after installation.

Ansible Bootstrap Playbook

A trusted certificate may need to be specified as an override parameter for the Ansible Bootstrap Playbook, specifically if the docker registries specified in the bootstrap overrides file use a certificate signed by an unknown CA. In that case, the ssl_ca_cert parameter needs to be set in the Ansible overrides file, /home/sysadmin/localhost.yml, as part of bootstrap in the installation procedure.

For example:

ssl_ca_cert: /path/to/ssl_ca_cert_file

The ssl_ca_cert value is the absolute path of the file containing the certificate(s) to trust. The certificate(s) must be in PEM format, and the file may contain one or more certificates.

StarlingX/System CLI Trusted CA Certificate Install

After installation, adding a trusted CA to the system may be required. This is the case if helm charts and/or yaml manifest files refer to images stored in a docker registry whose certificate has been signed by an unknown Certificate Authority.

The certificate must be in PEM file format. From the command line, run the certificate-install command:

~(keystone_admin)]$ system certificate-install -m ssl_ca <trusted-ca-bundle-pem-file>

For example:

~(keystone_admin)]$ system certificate-install -m ssl_ca external-registry-ca-crt.pem
WARNING: For security reasons, the original certificate,
containing the private key, will be removed,
once the private key is processed.
+-------------+--------------------------------------+
| Property    | Value                                |
+-------------+--------------------------------------+
| uuid        | c986249f-b304-4ab4-b88e-14f92e75269d |
| certtype    | ssl_ca                               |
| signature   | ssl_ca_14617336624230451058          |
| start_date  | 2019-05-22 18:24:41+00:00            |
| expiry_date | 2020-05-21 18:24:41+00:00            |
+-------------+--------------------------------------+

Note

Multiple trusted certificates can be added with a single install command by including multiple certificates in the file.
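Because certificate-install takes the whole file, it is worth confirming before running it that the bundle is well-formed and that each entry is actually a CA certificate with an acceptable expiry. The following shell script is an added example, not part of the StarlingX documentation or tooling; it assumes a POSIX shell, uses openssl only when it is installed, and the sample bundle it writes is a constructed placeholder, not a real certificate.

```shell
# Added example, not from the StarlingX docs or tooling: sanity-check a PEM
# bundle before handing it to "system certificate-install -m ssl_ca".
# Assumes a POSIX shell; openssl is optional and used only if installed.

# Count CERTIFICATE blocks in a bundle and verify every BEGIN has a matching
# END. Prints the count on success; returns 1 for a missing, empty or unbalanced file.
count_pem_certs() {
    bundle="$1"
    [ -r "$bundle" ] || { echo "cannot read $bundle" >&2; return 1; }
    begins=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$bundle" || true)
    ends=$(grep -c '^-----END CERTIFICATE-----$' "$bundle" || true)
    if [ "$begins" -ne "$ends" ]; then
        echo "$bundle: $begins BEGIN vs $ends END markers" >&2
        return 1
    fi
    [ "$begins" -gt 0 ] || { echo "$bundle: no CERTIFICATE blocks" >&2; return 1; }
    echo "$begins"
}

# With openssl present, print subject, expiry and the Basic Constraints of each
# certificate: the expiry_date certificate-install reports, and whether the
# entry really is a CA rather than a leaf certificate, are then known up front.
describe_pem_certs() {
    bundle="$1"
    command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping"; return 0; }
    tmp=$(mktemp -d)
    awk -v d="$tmp" '/^-----BEGIN CERTIFICATE-----$/{n++} n>0 {print > (d "/cert-" n ".pem")}' "$bundle"
    for f in "$tmp"/cert-*.pem; do
        echo "== $f"
        openssl x509 -noout -subject -enddate -in "$f"
        openssl x509 -noout -text -in "$f" | grep -A1 'Basic Constraints' | tail -n 1
    done
    rm -rf "$tmp"
}

# Constructed sample with the right framing only: the body is NOT a real
# certificate, so use describe_pem_certs on a genuine bundle, not on this one.
write_sample_bundle() {
    cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
MIIBplaceholder0000000000000000000000000000000000000000000000000
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIBplaceholder1111111111111111111111111111111111111111111111111
-----END CERTIFICATE-----
EOF
}
demo=$(mktemp); write_sample_bundle "$demo"
echo "certificates in constructed bundle: $(count_pem_certs "$demo")"
rm -f "$demo"
```

Run count_pem_certs and describe_pem_certs against the real bundle (for example external-registry-ca-crt.pem) before the install; a non-zero return from count_pem_certs means the file should not be passed to certificate-install as-is.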

StarlingX/System CLI Trusted CA Certificate Uninstall

To remove a Trusted Certificate, first list the trusted CAs by running the following command:

~(keystone_admin)]$ system certificate-list

where all entries with certtype = ssl_ca are trusted certificates.

Then remove a Trusted Certificate from the list of trusted CAs by running the following command:

~(keystone_admin)]$ system certificate-uninstall -m ssl_ca <UUID>

where <UUID> is the UUID of the ssl_ca certtype entry to be removed.