Configure REST API Applications and Web Administration Server certificate¶
About this task
StarlingX provides support for secure HTTPS external connections used for StarlingX REST API application endpoints (Keystone, Barbican and StarlingX) and the StarlingX web administration server. By default, HTTPS access to StarlingX REST and Web Server endpoints is disabled. They are accessible via HTTP only. To enable secure HTTPS access, an x509 certificate and key must be configured.
You can update the certificate used for HTTPS access at any time.
To configure or update the HTTPS certificate for the StarlingX REST API and Web
Server endpoints, create a certificate named
deployment namespace. The
secretName attribute of this
certificate’s spec must also be named
See the example procedure below for creating the certificate for the StarlingX REST API and Web Server endpoints.
Update the following fields:
renewBeforedates for the expiry and renewal times you desire. The system will automatically renew and re-install the certificate.
The Certificate usage of Cert-manager Documentation (https://cert-manager.io/docs/usage/certificate/) states that one should “Take care when setting the
renewBeforefield to be very close to the duration as this can lead to a renewal loop, where the Certificate is always in the renewal period.”
In the light of the statement above, you must not set
renewBeforeto a value very close to the “duration” value, such as a renewBefore of 29 days and a duration of 30 days. Instead, you could set values such as renewBefore=15 days and duration=30 days to avoid renewal loops.
subjectfields to identify your particular system.
ipAddresseswith the OAM Floating IP Address for this system.
dnsNameswith any FQDN names configured for this system in an external DNS server.
If you plan to use the container-based remote CLIs, due to a limitation in
the Python2 SSL certificate validation, the certificate used for the
system-restapi-gui-certificate certificate must either have:
CN=IPADDRESS and SANs=IPADDRESS
CN=FQDN and SANs=FQDN
where IPADDRESS and FQDN are for the OAM Floating IP Address.
Create the REST API certificate yaml configuration file.
~(keystone_admin)]$ cat <<EOF > restapi-certificate.yaml --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: system-restapi-gui-certificate namespace: deployment spec: secretName: system-restapi-gui-certificate issuerRef: name: system-local-ca kind: ClusterIssuer duration: 2160h # 90 days renewBefore: 360h # 15 days commonName: < oam floating IP Address or FQDN > subject: organizations: - ABC-Company organizationalUnits: - StarlingX-system-restapi-gui ipAddresses: - < oam floating IP address > dnsNames: - < oam floating FQDN > EOF
Apply the configuration.
~(keystone_admin)]$ kubectl apply -f restapi-certificate.yaml
Verify the configuration.
~(keystone_admin)]$ kubectl get certificate system-restapi-gui-certificate -n deployment
If configuration was successful, the certificate’s Ready status will be
The REST and Web Server certificate installation is now complete, and Cert-Manager will handle the lifecycle management of the certificate.