Merge "Configuring REST API GUI certificate"
commit
abe23c9bdc
@ -4,110 +4,22 @@
|
|||||||
Configure REST API Applications and Web Administration Server certificate
|
Configure REST API Applications and Web Administration Server certificate
|
||||||
=========================================================================
|
=========================================================================
|
||||||
|
|
||||||
.. rubric:: |context|
|
|prod| provides support for secure HTTPS external connections used for |prod|
|
||||||
|
REST API application endpoints (Keystone, Barbican and |prod|) and the |prod|
|
||||||
|
web administration server.
|
||||||
|
|
||||||
|prod| provides support for secure HTTPS external connections used for
|
During installation, the Platform Issuer (``system-local-ca``) will
|
||||||
StarlingX REST API application endpoints (Keystone, Barbican and StarlingX) and
|
automatically issue a certificate used to secure access to the |prod| REST API
|
||||||
the |prod| web administration server. By default, HTTPS access to StarlingX
|
and to the Web Server GUI. This allows the system to have HTTPS access enabled
|
||||||
REST and Web Server endpoints is disabled. They are accessible via HTTP only.
|
from the bootstrap to the services. This certificate will be stored in a K8s
|
||||||
To enable secure HTTPS access, an x509 certificate and key must be configured.
|
|TLS| secret in namespace ``deployment``, named
|
||||||
|
``system-restapi-gui-certificate``. It will be managed by cert-manager, renewed
|
||||||
|
upon expiration and the required services restarted automatically.
|
||||||
|
|
||||||
You can update the certificate used for HTTPS access at any time.
|
After bootstrap, this certificate's fields can be updated using the procedure
|
||||||
|
:ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`. The
|
||||||
To configure or update the HTTPS certificate for the StarlingX REST API and Web
|
certificate will be managed by cert-manager (auto renewed upon expiration).
|
||||||
Server endpoints, create a certificate named ``system-restapi-gui-certificate``
|
|
||||||
in the ``deployment`` namespace. The ``secretName`` attribute of this
|
|
||||||
certificate's spec must also be named ``system-restapi-gui-certificate``.
|
|
||||||
|
|
||||||
See the example procedure below for creating the certificate for the StarlingX
|
|
||||||
REST API and Web Server endpoints.
|
|
||||||
|
|
||||||
Update the following fields:
|
|
||||||
|
|
||||||
* The ``duration`` and ``renewBefore`` dates for the expiry and renewal times
|
|
||||||
you desire. The system will automatically renew and re-install the
|
|
||||||
certificate.
|
|
||||||
|
|
||||||
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
|
|
||||||
|
|
||||||
* The ``subject`` fields to identify your particular system.
|
|
||||||
|
|
||||||
* The ``ipAddresses`` with the |OAM| Floating IP Address for this system.
|
|
||||||
|
|
||||||
* The ``dnsNames`` with any |FQDN| names configured for this system in an
|
|
||||||
external DNS server.
|
|
||||||
|
|
||||||
.. note::
|
|
||||||
|
|
||||||
If you plan to use the container-based remote CLIs, due to a limitation in
|
|
||||||
the Python2 SSL certificate validation, the certificate used for the
|
|
||||||
``system-restapi-gui-certificate`` certificate must either have:
|
|
||||||
|
|
||||||
- CN=IPADDRESS and SANs=IPADDRESS
|
|
||||||
|
|
||||||
or
|
|
||||||
|
|
||||||
- CN=FQDN and SANs=FQDN
|
|
||||||
|
|
||||||
where IPADDRESS and FQDN are for the |OAM| Floating IP Address.
|
|
||||||
|
|
||||||
.. rubric:: |proc|
|
|
||||||
|
|
||||||
#. Create the REST API certificate yaml configuration file.
|
|
||||||
|
|
||||||
.. code-block::
|
|
||||||
|
|
||||||
~(keystone_admin)]$ cat <<EOF > restapi-certificate.yaml
|
|
||||||
---
|
|
||||||
apiVersion: cert-manager.io/v1
|
|
||||||
kind: Certificate
|
|
||||||
metadata:
|
|
||||||
name: system-restapi-gui-certificate
|
|
||||||
namespace: deployment
|
|
||||||
spec:
|
|
||||||
secretName: system-restapi-gui-certificate
|
|
||||||
issuerRef:
|
|
||||||
name: system-local-ca
|
|
||||||
kind: ClusterIssuer
|
|
||||||
duration: 2160h # 90 days
|
|
||||||
renewBefore: 360h # 15 days
|
|
||||||
commonName: < oam floating IP Address or FQDN >
|
|
||||||
subject:
|
|
||||||
organizations:
|
|
||||||
- ABC-Company
|
|
||||||
organizationalUnits:
|
|
||||||
- StarlingX-system-restapi-gui
|
|
||||||
ipAddresses:
|
|
||||||
- < oam floating IP address >
|
|
||||||
dnsNames:
|
|
||||||
- < oam floating FQDN >
|
|
||||||
EOF
|
|
||||||
|
|
||||||
|
|
||||||
#. Apply the configuration.
|
|
||||||
|
|
||||||
.. code-block::
|
|
||||||
|
|
||||||
~(keystone_admin)]$ kubectl apply -f restapi-certificate.yaml
|
|
||||||
|
|
||||||
|
|
||||||
#. Verify the configuration.
|
|
||||||
|
|
||||||
.. code-block::
|
|
||||||
|
|
||||||
~(keystone_admin)]$ kubectl get certificate system-restapi-gui-certificate -n deployment
|
|
||||||
|
|
||||||
If configuration was successful, the certificate's Ready status will be
|
|
||||||
``True``.
|
|
||||||
|
|
||||||
.. rubric:: |result|
|
|
||||||
|
|
||||||
The REST and Web Server certificate installation is now complete, and
|
|
||||||
Cert-Manager will handle the lifecycle management of the certificate.
|
|
||||||
|
|
||||||
---------------------------------------------------------------------------
|
|
||||||
Limitations for using IPv6 addresses related to management and OAM networks
|
|
||||||
---------------------------------------------------------------------------
|
|
||||||
|
|
||||||
.. include:: /shared/_includes/cert-mgmt-ipv6-address-limitation-1a4504370674.rest
|
|
||||||
|
|
||||||
|
The certificate will be anchored by ``system-local-ca``'s Root |CA|. For more
|
||||||
|
information, refer to
|
||||||
|
:ref:`system-local-ca-issuer-9196c5794834`.
|
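Review bot: the rewritten context drops two cautions from the removed text that the new wording does not carry forward, namely the note that, for the container-based remote CLIs, a Python2 SSL certificate validation limitation requires the ``system-restapi-gui-certificate`` certificate to have either CN=IPADDRESS and SANs=IPADDRESS or CN=FQDN and SANs=FQDN for the |OAM| Floating IP Address, and the "Limitations for using IPv6 addresses related to management and OAM networks" section with its ``cert-mgmt-ipv6-address-limitation-1a4504370674.rest`` include. Unless the referenced :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d` procedure states both, keep them here (or at least a one-line pointer), since an operator who updates the certificate with the wrong CN/SAN form will only find out when remote CLI validation fails. Two smaller points: "The certificate will be managed by cert-manager (auto renewed upon expiration)." repeats the earlier "It will be managed by cert-manager, renewed upon expiration and the required services restarted automatically.", so one of the two can go; and "This allows the system to have HTTPS access enabled from the bootstrap to the services." reads awkwardly, something like "so HTTPS access is available from bootstrap onward" would be clearer. Since the closing sentence says the certificate is anchored by ``system-local-ca``'s Root |CA|, it would also help readers to say what that means for clients (they must trust that Root |CA| for validation to succeed) rather than only pointing at the issuer page.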