
Re-organized topic hierarchy Tiny edit to restart review workflow. Squashed with Resolved index.rst conflict commit Change-Id: I13472792cb19d1e9975ac76c6954d38054d606c5 Signed-off-by: Keane Lim <keane.lim@windriver.com> Signed-off-by: MCamp859 <maryx.camp@intel.com>
126 lines
4.3 KiB
ReStructuredText
.. ddq1552672412979

.. _https-access-overview:

=====================
HTTPS Access Overview
=====================

You can enable secure HTTPS access and manage HTTPS certificates for all
external |prod| service endpoints.

These include:

.. _https-access-overview-ul-eyn-5ln-gjb:

- |prod| REST API applications and the |prod| web administration
  server

- Kubernetes API

- Local Docker registry

.. contents::
   :local:
   :depth: 1

.. note::
   Only self-signed or Root |CA|-signed certificates are supported for the
   above |prod| service endpoints. See `https://en.wikipedia.org/wiki/X.509
   <https://en.wikipedia.org/wiki/X.509>`__ for an overview of root,
   intermediate, and end-entity certificates.

You can also add a trusted |CA| for the |prod| system.

.. note::
   The default HTTPS X.509 certificates that are used by |prod-long| for
   authentication are not signed by a known authority. For increased
   security, obtain, install, and use certificates that have been signed by
   a Root certificate authority. Refer to the documentation for the external
   Root |CA| that you are using for how to create public certificate and
   private key pairs, signed by a Root |CA|, for HTTPS.

.. _https-access-overview-section-N10048-N10024-N10001:

-------------------------------------------------------
REST API Applications and the web administration server
-------------------------------------------------------

By default, |prod| provides HTTP access to REST API application endpoints
\(Keystone, Barbican and |prod|\) and the web administration server. For
improved security, you can enable HTTPS access. When HTTPS access is
enabled, HTTP access is disabled.

When HTTPS is enabled for the first time on a |prod| system, a self-signed
certificate and key are automatically generated and installed for the
REST and Web Server endpoints. In order to connect, remote clients must be
configured to accept the self-signed certificate without verifying it. This
is called insecure mode.

For secure-mode connections, a Root |CA|-signed certificate and key are
required. The use of a Root |CA|-signed certificate is strongly recommended.
Refer to the documentation for the external Root |CA| that you are using for
how to create public certificate and private key pairs, signed by a Root |CA|,
for HTTPS.

You can update the certificate and key used by |prod| for the
REST and Web Server endpoints at any time after installation.

For additional security, |prod| optionally supports storing the private key
of the StarlingX REST and Web Server certificate in a |prod| |TPM| hardware
device. |TPM| 2.0-compliant hardware must be available on the controller
hosts.

.. _https-access-overview-section-N1004F-N10024-N10001:

----------
Kubernetes
----------

For the Kubernetes API Server, HTTPS is always enabled. Similarly, by
default, a self-signed certificate and key are generated and installed as
the Kubernetes Root |CA| certificate and key. This Kubernetes Root |CA| is
used to create and sign the various certificates used within Kubernetes,
including the certificate used by the kube-apiserver API endpoint.

It is recommended that you update the Kubernetes Root |CA| with a custom
Root |CA| certificate and key, generated by yourself and trusted by the
external servers connecting to |prod|'s Kubernetes API endpoint. |prod|'s
Kubernetes Root |CA| is configured as part of the bootstrap during
installation.

.. _https-access-overview-section-N10094-N10024-N10001:

---------------------
Local Docker Registry
---------------------

For the Local Docker Registry, HTTPS is always enabled. Similarly, by
default, a self-signed certificate and key are generated and installed for
this endpoint. However, it is recommended that you update the certificate
used after installation with a Root |CA|-signed certificate and key. Refer to
the documentation for the external Root |CA| that you are using for how to
create public certificate and private key pairs, signed by a Root |CA|, for
HTTPS.

.. _https-access-overview-section-N10086-N10024-N10001:

-----------
Trusted CAs
-----------

|prod| also supports the ability to update the trusted |CA| certificate
bundle on all nodes in the system. This is required, for example, when
container images are being pulled from an external Docker registry with a
certificate signed by a non-well-known |CA|.
|