System Local CA Issuer
At installation time, a system-local-ca ClusterIssuer is created. The intent is that the system-local-ca can be the single root of trust for Platform Certificates, such that external clients using Platform APIs need only add the single system-local-ca public certificate to their list of trusted CAs for the purpose of validating Platform server certificates.

At installation time, the cert-manager/system-local-ca TLS Secret, which is used for CA signing by the system-local-ca ClusterIssuer, is initially set to the Kubernetes Root CA. At installation time, the Kubernetes Root CA is either auto-generated or explicitly set through bootstrap playbook overrides (see Install Custom Kubernetes Root CA Certificate).

In a Distributed Cloud System, by default, the Subclouds are deployed with the same Kubernetes Root CA and the same system-local-ca as the SystemController.
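As an added example, not taken from the StarlingX documentation or the project's own tooling, the following POSIX shell functions show the client-side check the trust model above implies: extract the system-local-ca public certificate from the cert-manager/system-local-ca TLS Secret, then verify a Platform server certificate against that single root and nothing else. kubectl and openssl are assumed to be installed; the cluster secret name and namespace are the ones named on this page, while the throwaway CA and certificates built by make_demo_pki are constructed sample data so that the verification step can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the StarlingX docs): client-side verification
# of a Platform server certificate against the single system-local-ca root.

# extract_system_local_ca [OUTFILE]
# Pull the CA public certificate (tls.crt) out of the cert-manager/system-local-ca
# TLS Secret into OUTFILE (default: system-local-ca.crt). Assumes kubectl
# access to the cluster; this is the one certificate external clients trust.
extract_system_local_ca() {
    out="${1:-system-local-ca.crt}"
    kubectl get secret -n cert-manager system-local-ca \
        -o jsonpath='{.data.tls\.crt}' | base64 -d > "$out"
}

# verify_against_ca CA_FILE CERT_FILE
# Return 0 only when CERT_FILE chains to CA_FILE. The system trust store is
# deliberately excluded (-no-CApath -no-CAfile) so a success proves the
# certificate really was signed by the local CA, not by some public CA.
verify_against_ca() {
    openssl verify -no-CApath -no-CAfile -CAfile "$1" "$2" >/dev/null 2>&1
}

# make_demo_pki DIR
# Constructed sample data: a throwaway CA standing in for system-local-ca,
# a server certificate it signed standing in for a Platform certificate,
# and an unrelated self-signed certificate that must NOT verify.
make_demo_pki() {
    d="$1"
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=demo-system-local-ca" \
        -keyout "$d/ca.key" -out "$d/ca.crt" >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=demo-platform-api" \
        -keyout "$d/server.key" -out "$d/server.csr" >/dev/null 2>&1
    openssl x509 -req -days 1 -in "$d/server.csr" \
        -CA "$d/ca.crt" -CAkey "$d/ca.key" -CAcreateserial \
        -out "$d/server.crt" >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=unrelated-self-signed" \
        -keyout "$d/other.key" -out "$d/other.crt" >/dev/null 2>&1
}

# Offline walk-through: the signed certificate verifies, the unrelated one
# does not. On a real system replace make_demo_pki with
# extract_system_local_ca and point verify_against_ca at the server cert
# obtained from the Platform API endpoint.
demo() {
    d=$(mktemp -d)
    make_demo_pki "$d"
    if verify_against_ca "$d/ca.crt" "$d/server.crt"; then
        echo "server.crt: signed by the local CA"
    fi
    if ! verify_against_ca "$d/ca.crt" "$d/other.crt"; then
        echo "other.crt: not signed by the local CA (rejected as expected)"
    fi
    rm -rf "$d"
}
```

The jsonpath key `tls\.crt` is the standard certificate key of a kubernetes.io/tls Secret, which is the type cert-manager uses for CA issuer material. Excluding the default trust store in verify_against_ca is the point of the check: a client that trusts only the system-local-ca certificate will reject any server certificate, however well-formed, that was not issued through the system-local-ca ClusterIssuer.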
Note

In order to change or renew the system-local-ca Secret for signing, the update_platform_certificates.yml playbook MUST BE USED, see Update system-local-ca or Migrate Platform Certificates to use Cert Manager. This playbook will update the system-local-ca Secret and Issuer, re-sign all of the Platform Certificates using this issuer, and in a Distributed Cloud environment iterate through all of the Subclouds and do the same updates and re-signing on each Subcloud.