diff --git a/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json b/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json
index 65859588cddf..fd01c15e6712 100644
--- a/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json
+++ b/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.json
@@ -7,8 +7,8 @@
 "Name": "extension-apiserver-authentication"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "kube-apiserver",
+ "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver."
 }
 },
 "OnDiskLocation": null
@@ -515,8 +515,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -734,8 +734,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3756,8 +3756,8 @@
 "Name": "router-certs-default"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "Serving certificate for the default ingress controller, managed by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3838,8 +3838,8 @@
 "Name": "router-ca"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers."
 }
 },
 "OnDiskLocation": null
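Review bot: The new `description` for kube-system/extension-apiserver-authentication in the @@ -7,8 hunk says the bundle is "used to verify client certificates for aggregated API servers", which leaves the trust direction ambiguous, while the regenerated ownership.md in this same diff lists that entry's other locations as the kube-apiserver and kube-controller-manager `aggregator-client-ca/ca-bundle.crt` files, whose sibling entries are described as "CA for aggregated apiservers to recognize kube-apiserver as front-proxy". If the report groups those locations by bundle content, the same bytes now carry two different descriptions, and someone deciding what this CA is allowed to authenticate gets a different answer depending on which entry they read. I would phrase it in the same direction as the siblings, e.g. `"description": "CA bundle published into kube-system by kube-apiserver so that aggregated API servers can recognize kube-apiserver as front-proxy."`, adjusting it if the bundle also carries the client CA that kube-apiserver itself accepts. The identical hunk recurs in descriptions.json, ownership.json and both raw-data captures (lines 7, 13, 20 and 21), so all copies should change together.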
diff --git a/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md b/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md index 3e7fbe04370b..6bb502e2d815 100644 --- a/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md +++ b/tls/autoregenerate-after-expiry/autoregenerate-after-expiry.md @@ -3,9 +3,6 @@ ## Table of Contents - [How to meet the requirement](#How-to-meet-the-requirement) - [Items Do NOT Meet the Requirement (243)](#Items-Do-NOT-Meet-the-Requirement-243) - - [Unknown Owner (5)](#Unknown-Owner-5) - - [Certificates (2)](#Certificates-2) - - [Certificate Authority Bundles (3)](#Certificate-Authority-Bundles-3) - [Bare Metal Hardware Provisioning / cluster-baremetal-operator (1)](#Bare-Metal-Hardware-Provisioning-/-cluster-baremetal-operator-1) - [Certificates (1)](#Certificates-1) - [Cloud Compute / Cloud Controller Manager (1)](#Cloud-Compute-/-Cloud-Controller-Manager-1) @@ -25,6 +22,9 @@ - [Networking / cluster-network-operator (41)](#Networking-/-cluster-network-operator-41) - [Certificates (8)](#Certificates-8) - [Certificate Authority Bundles (33)](#Certificate-Authority-Bundles-33) + - [Networking / router (4)](#Networking-/-router-4) + - [Certificates (2)](#Certificates-2) + - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2) - [Node / Kubelet (2)](#Node-/-Kubelet-2) - [Certificates (2)](#Certificates-2) - [Operator Framework / operator-lifecycle-manager (2)](#Operator-Framework-/-operator-lifecycle-manager-2) 
@@ -39,9 +39,9 @@ - [etcd (34)](#etcd-34) - [Certificates (25)](#Certificates-25) - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9) - - [kube-apiserver (14)](#kube-apiserver-14) + - [kube-apiserver (15)](#kube-apiserver-15) - [Certificates (3)](#Certificates-3) - - [Certificate Authority Bundles (11)](#Certificate-Authority-Bundles-11) + - [Certificate Authority Bundles (12)](#Certificate-Authority-Bundles-12) - [kube-controller-manager (12)](#kube-controller-manager-12) - [Certificates (3)](#Certificates-3) - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9) @@ -78,44 +78,6 @@ This assertion means that you have If you have not done this, you should not merge the annotation. ## Items Do NOT Meet the Requirement (243) -### Unknown Owner (5) -#### Certificates (2) -1. ns/openshift-ingress secret/router-certs-default - - **Description:** - - -2. ns/openshift-ingress-operator secret/router-ca - - **Description:** - - - - -#### Certificate Authority Bundles (3) -1. ns/kube-system configmap/extension-apiserver-authentication - - **Description:** - - - Other locations: - - * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt - * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt - - -2. ns/openshift-config-managed configmap/default-ingress-cert - - **Description:** - - -3. ns/openshift-console configmap/default-ingress-cert - - **Description:** - - - - ### Bare Metal Hardware Provisioning / cluster-baremetal-operator (1) #### Certificates (1) 1. ns/openshift-machine-api secret/metal3-ironic-tls 
@@ -504,6 +466,33 @@ If you have not done this, you should not merge the annotation. +### Networking / router (4) +#### Certificates (2) +1. ns/openshift-ingress secret/router-certs-default + + **Description:** Serving certificate for the default ingress controller, managed by the ingress operator. + + +2. ns/openshift-ingress-operator secret/router-ca + + **Description:** CA certificate used by the ingress operator to sign default serving certificates for ingress controllers. + + + + +#### Certificate Authority Bundles (2) +1. ns/openshift-config-managed configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + +2. ns/openshift-console configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + + + ### Node / Kubelet (2) #### Certificates (2) 1. file /var/lib/kubelet/pki/kubelet-client-\.pem @@ -864,7 +853,7 @@ If you have not done this, you should not merge the annotation. -### kube-apiserver (14) +### kube-apiserver (15) #### Certificates (3) 1. ns/openshift-kube-apiserver secret/node-kubeconfigs 
@@ -891,13 +880,24 @@ If you have not done this, you should not merge the annotation. -#### Certificate Authority Bundles (11) -1. ns/openshift-config configmap/admin-kubeconfig-client-ca +#### Certificate Authority Bundles (12) +1. ns/kube-system configmap/extension-apiserver-authentication + + **Description:** CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver. + + + Other locations: + + * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt + * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt + + +2. ns/openshift-config configmap/admin-kubeconfig-client-ca **Description:** CA for kube-apiserver to recognize the system:master created by the installer. -2. ns/openshift-config-managed configmap/kube-apiserver-client-ca +3. ns/openshift-config-managed configmap/kube-apiserver-client-ca **Description:** @@ -909,7 +909,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -3. ns/openshift-config-managed configmap/kube-apiserver-server-ca +4. ns/openshift-config-managed configmap/kube-apiserver-server-ca **Description:** @@ -923,12 +923,12 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -4. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig +5. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig **Description:** -5. ns/openshift-controller-manager configmap/client-ca +6. ns/openshift-controller-manager configmap/client-ca **Description:** 
@@ -940,7 +940,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -6. ns/openshift-kube-apiserver configmap/client-ca +7. ns/openshift-kube-apiserver configmap/client-ca **Description:** @@ -952,7 +952,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -7. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca +8. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca **Description:** @@ -966,7 +966,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -8. ns/openshift-kube-controller-manager configmap/client-ca +9. ns/openshift-kube-controller-manager configmap/client-ca **Description:** @@ -978,7 +978,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -9. ns/openshift-route-controller-manager configmap/client-ca +10. ns/openshift-route-controller-manager configmap/client-ca **Description:** @@ -990,7 +990,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -10. file /etc/kubernetes/kubeconfig +11. file /etc/kubernetes/kubeconfig **Description:** 
@@ -1003,7 +1003,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -11. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt +12. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt **Description:** diff --git a/tls/descriptions/descriptions.json b/tls/descriptions/descriptions.json index 65859588cddf..fd01c15e6712 100644 --- a/tls/descriptions/descriptions.json +++ b/tls/descriptions/descriptions.json @@ -7,8 +7,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, "OnDiskLocation": null @@ -515,8 +515,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, "OnDiskLocation": null @@ -734,8 +734,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, "OnDiskLocation": null @@ -3756,8 +3756,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, "OnDiskLocation": null 
@@ -3838,8 +3838,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, "OnDiskLocation": null diff --git a/tls/descriptions/descriptions.md b/tls/descriptions/descriptions.md index 034ced7d0243..96d825e38f04 100644 --- a/tls/descriptions/descriptions.md +++ b/tls/descriptions/descriptions.md @@ -3,9 +3,6 @@ ## Table of Contents - [How to meet the requirement](#How-to-meet-the-requirement) - [Items Do NOT Meet the Requirement (100)](#Items-Do-NOT-Meet-the-Requirement-100) - - [Unknown Owner (5)](#Unknown-Owner-5) - - [Certificates (2)](#Certificates-2) - - [Certificate Authority Bundles (3)](#Certificate-Authority-Bundles-3) - [Bare Metal Hardware Provisioning / cluster-baremetal-operator (1)](#Bare-Metal-Hardware-Provisioning-/-cluster-baremetal-operator-1) - [Certificates (1)](#Certificates-1) - [Cloud Compute / Cloud Controller Manager (1)](#Cloud-Compute-/-Cloud-Controller-Manager-1) @@ -24,6 +21,9 @@ - [Networking / cluster-network-operator (40)](#Networking-/-cluster-network-operator-40) - [Certificates (8)](#Certificates-8) - [Certificate Authority Bundles (32)](#Certificate-Authority-Bundles-32) + - [Networking / router (4)](#Networking-/-router-4) + - [Certificates (2)](#Certificates-2) + - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2) - [Node / Kubelet (2)](#Node-/-Kubelet-2) - [Certificates (2)](#Certificates-2) - [Operator Framework / operator-lifecycle-manager (2)](#Operator-Framework-/-operator-lifecycle-manager-2) 
@@ -35,9 +35,9 @@ - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2) - [cluster-network-operator (1)](#cluster-network-operator-1) - [Certificate Authority Bundles (1)](#Certificate-Authority-Bundles-1) - - [kube-apiserver (14)](#kube-apiserver-14) + - [kube-apiserver (15)](#kube-apiserver-15) - [Certificates (4)](#Certificates-4) - - [Certificate Authority Bundles (10)](#Certificate-Authority-Bundles-10) + - [Certificate Authority Bundles (11)](#Certificate-Authority-Bundles-11) - [kube-controller-manager (8)](#kube-controller-manager-8) - [Certificates (3)](#Certificates-3) - [Certificate Authority Bundles (5)](#Certificate-Authority-Bundles-5) @@ -76,44 +76,6 @@ These descriptions must be in the style of API documentation and must include To create a description, set the `openshift.io/description` annotation to the markdown formatted string describing your TLS artifact. ## Items Do NOT Meet the Requirement (100) -### Unknown Owner (5) -#### Certificates (2) -1. ns/openshift-ingress secret/router-certs-default - - **Description:** - - -2. ns/openshift-ingress-operator secret/router-ca - - **Description:** - - - - -#### Certificate Authority Bundles (3) -1. ns/kube-system configmap/extension-apiserver-authentication - - **Description:** - - - Other locations: - - * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt - * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt - - -2. ns/openshift-config-managed configmap/default-ingress-cert - - **Description:** - - -3. ns/openshift-console configmap/default-ingress-cert - - **Description:** - - - - ### Bare Metal Hardware Provisioning / cluster-baremetal-operator (1) #### Certificates (1) 1. ns/openshift-machine-api secret/metal3-ironic-tls 
@@ -479,6 +441,33 @@ To create a description, set the `openshift.io/description` annotation to the ma +### Networking / router (4) +#### Certificates (2) +1. ns/openshift-ingress secret/router-certs-default + + **Description:** Serving certificate for the default ingress controller, managed by the ingress operator. + + +2. ns/openshift-ingress-operator secret/router-ca + + **Description:** CA certificate used by the ingress operator to sign default serving certificates for ingress controllers. + + + + +#### Certificate Authority Bundles (2) +1. ns/openshift-config-managed configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + +2. ns/openshift-console configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + + + ### Node / Kubelet (2) #### Certificates (2) 1. file /var/lib/kubelet/pki/kubelet-client-\.pem @@ -572,7 +561,7 @@ To create a description, set the `openshift.io/description` annotation to the ma -### kube-apiserver (14) +### kube-apiserver (15) #### Certificates (4) 1. ns/openshift-kube-apiserver secret/control-plane-node-admin-client-cert-key 
@@ -609,8 +598,19 @@ To create a description, set the `openshift.io/description` annotation to the ma -#### Certificate Authority Bundles (10) -1. ns/openshift-config-managed configmap/kube-apiserver-client-ca +#### Certificate Authority Bundles (11) +1. ns/kube-system configmap/extension-apiserver-authentication + + **Description:** CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver. + + + Other locations: + + * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt + * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt + + +2. ns/openshift-config-managed configmap/kube-apiserver-client-ca **Description:** @@ -622,7 +622,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -2. ns/openshift-config-managed configmap/kube-apiserver-server-ca +3. ns/openshift-config-managed configmap/kube-apiserver-server-ca **Description:** @@ -636,12 +636,12 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -3. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig +4. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig **Description:** -4. ns/openshift-controller-manager configmap/client-ca +5. ns/openshift-controller-manager configmap/client-ca **Description:** @@ -653,7 +653,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -5. ns/openshift-kube-apiserver configmap/client-ca +6. ns/openshift-kube-apiserver configmap/client-ca **Description:** 
@@ -665,7 +665,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -6. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca +7. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca **Description:** @@ -679,7 +679,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -7. ns/openshift-kube-controller-manager configmap/client-ca +8. ns/openshift-kube-controller-manager configmap/client-ca **Description:** @@ -691,7 +691,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -8. ns/openshift-route-controller-manager configmap/client-ca +9. ns/openshift-route-controller-manager configmap/client-ca **Description:** @@ -703,7 +703,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -9. file /etc/kubernetes/kubeconfig +10. file /etc/kubernetes/kubeconfig **Description:** @@ -716,7 +716,7 @@ To create a description, set the `openshift.io/description` annotation to the ma * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -10. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt +11. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt **Description:** diff --git a/tls/ownership/ownership.json b/tls/ownership/ownership.json index 65859588cddf..fd01c15e6712 100644 --- a/tls/ownership/ownership.json +++ b/tls/ownership/ownership.json 
@@ -7,8 +7,8 @@
 "Name": "extension-apiserver-authentication"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "kube-apiserver",
+ "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver."
 }
 },
 "OnDiskLocation": null
@@ -515,8 +515,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -734,8 +734,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3756,8 +3756,8 @@
 "Name": "router-certs-default"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "Serving certificate for the default ingress controller, managed by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3838,8 +3838,8 @@
 "Name": "router-ca"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers."
 }
 },
 "OnDiskLocation": null
diff --git a/tls/ownership/ownership.md b/tls/ownership/ownership.md
index e4969e44ad9b..1136ec93c0f2 100644
--- a/tls/ownership/ownership.md
+++ b/tls/ownership/ownership.md
@@ -1,9 +1,6 @@ # Certificate Ownership ## Table of Contents - - [Missing Owners (5)](#Missing-Owners-5) - - [Certificates (2)](#Certificates-2) - - [Certificate Authority Bundles (3)](#Certificate-Authority-Bundles-3) - [Bare Metal Hardware Provisioning / cluster-baremetal-operator (1)](#Bare-Metal-Hardware-Provisioning-/-cluster-baremetal-operator-1) - [Certificates (1)](#Certificates-1) - [Cloud Compute / Cloud Controller Manager (1)](#Cloud-Compute-/-Cloud-Controller-Manager-1) @@ -23,6 +20,9 @@ - [Networking / cluster-network-operator (41)](#Networking-/-cluster-network-operator-41) - [Certificates (8)](#Certificates-8) - [Certificate Authority Bundles (33)](#Certificate-Authority-Bundles-33) + - [Networking / router (4)](#Networking-/-router-4) + - [Certificates (2)](#Certificates-2) + - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2) - [Node / Kubelet (2)](#Node-/-Kubelet-2) - [Certificates (2)](#Certificates-2) - [Operator Framework / operator-lifecycle-manager (2)](#Operator-Framework-/-operator-lifecycle-manager-2) @@ -37,9 +37,9 @@ - [etcd (34)](#etcd-34) - [Certificates (25)](#Certificates-25) - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9) - - [kube-apiserver (46)](#kube-apiserver-46) + - [kube-apiserver (47)](#kube-apiserver-47) - [Certificates (25)](#Certificates-25) - - [Certificate Authority Bundles (21)](#Certificate-Authority-Bundles-21) + - [Certificate Authority Bundles (22)](#Certificate-Authority-Bundles-22) - [kube-controller-manager (12)](#kube-controller-manager-12) - [Certificates (3)](#Certificates-3) - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9) 
@@ -52,44 +52,6 @@ - [Certificate Authority Bundles (3)](#Certificate-Authority-Bundles-3) -## Missing Owners (5) -### Certificates (2) -1. ns/openshift-ingress secret/router-certs-default - - **Description:** - - -2. ns/openshift-ingress-operator secret/router-ca - - **Description:** - - - - -### Certificate Authority Bundles (3) -1. ns/kube-system configmap/extension-apiserver-authentication - - **Description:** - - - Other locations: - - * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt - * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt - - -2. ns/openshift-config-managed configmap/default-ingress-cert - - **Description:** - - -3. ns/openshift-console configmap/default-ingress-cert - - **Description:** - - - - ## Bare Metal Hardware Provisioning / cluster-baremetal-operator (1) ### Certificates (1) 1. ns/openshift-machine-api secret/metal3-ironic-tls @@ -478,6 +440,33 @@ +## Networking / router (4) +### Certificates (2) +1. ns/openshift-ingress secret/router-certs-default + + **Description:** Serving certificate for the default ingress controller, managed by the ingress operator. + + +2. ns/openshift-ingress-operator secret/router-ca + + **Description:** CA certificate used by the ingress operator to sign default serving certificates for ingress controllers. + + + + +### Certificate Authority Bundles (2) +1. ns/openshift-config-managed configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + +2. ns/openshift-console configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + + + ## Node / Kubelet (2) ### Certificates (2) 1. file /var/lib/kubelet/pki/kubelet-client-\.pem 
@@ -838,7 +827,7 @@ -## kube-apiserver (46) +## kube-apiserver (47) ### Certificates (25) 1. ns/openshift-config-managed secret/kube-controller-manager-client-cert-key @@ -1043,13 +1032,24 @@ -### Certificate Authority Bundles (21) -1. ns/openshift-config configmap/admin-kubeconfig-client-ca +### Certificate Authority Bundles (22) +1. ns/kube-system configmap/extension-apiserver-authentication + + **Description:** CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver. + + + Other locations: + + * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt + * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt + + +2. ns/openshift-config configmap/admin-kubeconfig-client-ca **Description:** CA for kube-apiserver to recognize the system:master created by the installer. -2. ns/openshift-config-managed configmap/kube-apiserver-aggregator-client-ca +3. ns/openshift-config-managed configmap/kube-apiserver-aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -1060,7 +1060,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -3. ns/openshift-config-managed configmap/kube-apiserver-client-ca +4. ns/openshift-config-managed configmap/kube-apiserver-client-ca **Description:** @@ -1072,7 +1072,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -4. ns/openshift-config-managed configmap/kube-apiserver-server-ca +5. ns/openshift-config-managed configmap/kube-apiserver-server-ca **Description:** 
@@ -1086,12 +1086,12 @@ * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -5. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig +6. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig **Description:** -6. ns/openshift-controller-manager configmap/client-ca +7. ns/openshift-controller-manager configmap/client-ca **Description:** @@ -1103,7 +1103,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -7. ns/openshift-kube-apiserver configmap/aggregator-client-ca +8. ns/openshift-kube-apiserver configmap/aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -1114,7 +1114,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -8. ns/openshift-kube-apiserver configmap/client-ca +9. ns/openshift-kube-apiserver configmap/client-ca **Description:** @@ -1126,7 +1126,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -9. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca +10. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca **Description:** 
@@ -1140,42 +1140,42 @@ * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -10. ns/openshift-kube-apiserver-operator configmap/kube-apiserver-to-kubelet-client-ca +11. ns/openshift-kube-apiserver-operator configmap/kube-apiserver-to-kubelet-client-ca **Description:** CA for the kubelet to recognize the kube-apiserver client certificate. -11. ns/openshift-kube-apiserver-operator configmap/kube-control-plane-signer-ca +12. ns/openshift-kube-apiserver-operator configmap/kube-control-plane-signer-ca **Description:** CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates. -12. ns/openshift-kube-apiserver-operator configmap/loadbalancer-serving-ca +13. ns/openshift-kube-apiserver-operator configmap/loadbalancer-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the internal or external load balancers. -13. ns/openshift-kube-apiserver-operator configmap/localhost-recovery-serving-ca +14. ns/openshift-kube-apiserver-operator configmap/localhost-recovery-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the localhost recovery SNI ServerName. -14. ns/openshift-kube-apiserver-operator configmap/localhost-serving-ca +15. ns/openshift-kube-apiserver-operator configmap/localhost-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via localhost. -15. ns/openshift-kube-apiserver-operator configmap/node-system-admin-ca +16. ns/openshift-kube-apiserver-operator configmap/node-system-admin-ca **Description:** CA for kube-apiserver to recognize local system:masters rendered to each master. -16. ns/openshift-kube-apiserver-operator configmap/service-network-serving-ca +17. ns/openshift-kube-apiserver-operator configmap/service-network-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the service network (kuberentes.default.svc). -17. 
ns/openshift-kube-controller-manager configmap/aggregator-client-ca +18. ns/openshift-kube-controller-manager configmap/aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -1186,7 +1186,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -18. ns/openshift-kube-controller-manager configmap/client-ca +19. ns/openshift-kube-controller-manager configmap/client-ca **Description:** @@ -1198,7 +1198,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -19. ns/openshift-route-controller-manager configmap/client-ca +20. ns/openshift-route-controller-manager configmap/client-ca **Description:** @@ -1210,7 +1210,7 @@ * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -20. file /etc/kubernetes/kubeconfig +21. file /etc/kubernetes/kubeconfig **Description:** @@ -1223,7 +1223,7 @@ * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -21. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt +22. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt **Description:** diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json index b5b7dabaf40c..38f9a92aac59 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2617,8 +2617,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2627,8 +2627,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json index ac8157b9b85e..42c5dd501f2c 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-aws-ovn-techpreviewnoupgrade.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2677,8 +2677,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2687,8 +2687,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json index 13d5456aa333..2fcc0b0fc281 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -251,8 +251,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -529,8 +529,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2653,8 +2653,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2663,8 +2663,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json index cd7ff8dbcf5b..827692d9feeb 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-azure-ovn-techpreviewnoupgrade.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -251,8 +251,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -529,8 +529,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2713,8 +2713,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2723,8 +2723,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json index dcee2c10e3f4..15e202dd274a 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2617,8 +2617,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2627,8 +2627,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json index 8a67fca2d216..7aa337c1441b 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-gcp-ovn-techpreviewnoupgrade.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2677,8 +2677,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2687,8 +2687,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json index b52ed98d6e15..cc4852f03a1c 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -203,8 +203,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -497,8 +497,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2557,8 +2557,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2567,8 +2567,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json index 8ed173291a95..715d72ed3a79 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-metal-ovn-techpreviewnoupgrade.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -203,8 +203,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -497,8 +497,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2621,8 +2621,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2631,8 +2631,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json index 235b73bd671c..f85286c4dd81 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-openstack-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2629,8 +2629,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2639,8 +2639,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json index 45bd8b15d366..2ff5fd7d7bba 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -251,8 +251,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -529,8 +529,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2673,8 +2673,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2683,8 +2683,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json b/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json index 78f9dafe3312..efd8d5bfe235 100644 --- a/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json +++ b/tls/raw-data/raw-tls-artifacts-ha-amd64-vsphere-ovn-techpreviewnoupgrade.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -251,8 +251,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -529,8 +529,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2733,8 +2733,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2743,8 +2743,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json b/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json index 37bff92a3263..10b02e7de0e3 100644 --- a/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json +++ b/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-default.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2473,8 +2473,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2483,8 +2483,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json b/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json index 11de1025041f..fc89a62f6a84 100644 --- a/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json +++ b/tls/raw-data/raw-tls-artifacts-single-amd64-aws-ovn-techpreviewnoupgrade.json 
@@ -9,8 +9,8 @@ "Name": "extension-apiserver-authentication" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "kube-apiserver", + "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver." } }, { @@ -235,8 +235,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -513,8 +513,8 @@ "Name": "default-ingress-cert" }, "certificateAuthorityBundleInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator." } }, { @@ -2533,8 +2533,8 @@ "Name": "router-ca" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers." } }, { @@ -2543,8 +2543,8 @@ "Name": "router-certs-default" }, "certKeyInfo": { - "owningJiraComponent": "", - "description": "" + "owningJiraComponent": "Networking / router", + "description": "Serving certificate for the default ingress controller, managed by the ingress operator." } }, { diff --git a/tls/refresh-period/refresh-period.json b/tls/refresh-period/refresh-period.json index 65859588cddf..fd01c15e6712 100644 --- a/tls/refresh-period/refresh-period.json +++ b/tls/refresh-period/refresh-period.json 
@@ -7,8 +7,8 @@
 "Name": "extension-apiserver-authentication"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "kube-apiserver",
+ "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver."
 }
 },
 "OnDiskLocation": null
@@ -515,8 +515,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -734,8 +734,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3756,8 +3756,8 @@
 "Name": "router-certs-default"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "Serving certificate for the default ingress controller, managed by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3838,8 +3838,8 @@
 "Name": "router-ca"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers."
 }
 },
 "OnDiskLocation": null
diff --git a/tls/refresh-period/refresh-period.md b/tls/refresh-period/refresh-period.md
index 94a258f4696f..23d7f73fe670 100644
--- a/tls/refresh-period/refresh-period.md
+++ b/tls/refresh-period/refresh-period.md
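Review bot: The new description for ns/kube-system configmap/extension-apiserver-authentication in the first hunk ("CA bundle used to verify client certificates for aggregated API servers") leaves the trust direction ambiguous and disagrees with the entries this inventory ties it to: the markdown section later on this page lists its other locations as the aggregator-client-ca/ca-bundle.crt files, which the kube-apiserver-aggregator-client-ca and aggregator-client-ca entries describe as "CA for aggregated apiservers to recognize kube-apiserver as front-proxy". For a CA bundle the description is the record of who trusts whom, so it should name the verifier and the verified party; if that location mapping is accurate, `"description": "CA for aggregated apiservers to recognize kube-apiserver as front-proxy (the aggregator client CA as exposed in kube-system)."` keeps the wording consistent with the sibling entries. The same text is repeated in the per-platform raw-data JSON hunks above, so whichever wording is chosen should be applied in every copy, presumably at the source these files are generated from so that a refresh does not revert it.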
@@ -3,9 +3,6 @@ ## Table of Contents - [How to meet the requirement](#How-to-meet-the-requirement) - [Items Do NOT Meet the Requirement (234)](#Items-Do-NOT-Meet-the-Requirement-234) - - [Unknown Owner (5)](#Unknown-Owner-5) - - [Certificates (2)](#Certificates-2) - - [Certificate Authority Bundles (3)](#Certificate-Authority-Bundles-3) - [Bare Metal Hardware Provisioning / cluster-baremetal-operator (1)](#Bare-Metal-Hardware-Provisioning-/-cluster-baremetal-operator-1) - [Certificates (1)](#Certificates-1) - [Cloud Compute / Cloud Controller Manager (1)](#Cloud-Compute-/-Cloud-Controller-Manager-1) @@ -25,6 +22,9 @@ - [Networking / cluster-network-operator (41)](#Networking-/-cluster-network-operator-41) - [Certificates (8)](#Certificates-8) - [Certificate Authority Bundles (33)](#Certificate-Authority-Bundles-33) + - [Networking / router (4)](#Networking-/-router-4) + - [Certificates (2)](#Certificates-2) + - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2) - [Node / Kubelet (2)](#Node-/-Kubelet-2) - [Certificates (2)](#Certificates-2) - [Operator Framework / operator-lifecycle-manager (2)](#Operator-Framework-/-operator-lifecycle-manager-2) @@ -38,9 +38,9 @@ - [Certificate Authority Bundles (1)](#Certificate-Authority-Bundles-1) - [etcd (9)](#etcd-9) - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9) - - [kube-apiserver (30)](#kube-apiserver-30) + - [kube-apiserver (31)](#kube-apiserver-31) - [Certificates (9)](#Certificates-9) - - [Certificate Authority Bundles (21)](#Certificate-Authority-Bundles-21) + - [Certificate Authority Bundles (22)](#Certificate-Authority-Bundles-22) - [kube-controller-manager (12)](#kube-controller-manager-12) - [Certificates (3)](#Certificates-3) - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9) 
@@ -77,44 +77,6 @@ This assertion means that you have If you have not done this, you should not merge the annotation. ## Items Do NOT Meet the Requirement (234) -### Unknown Owner (5) -#### Certificates (2) -1. ns/openshift-ingress secret/router-certs-default - - **Description:** - - -2. ns/openshift-ingress-operator secret/router-ca - - **Description:** - - - - -#### Certificate Authority Bundles (3) -1. ns/kube-system configmap/extension-apiserver-authentication - - **Description:** - - - Other locations: - - * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt - * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt - - -2. ns/openshift-config-managed configmap/default-ingress-cert - - **Description:** - - -3. ns/openshift-console configmap/default-ingress-cert - - **Description:** - - - - ### Bare Metal Hardware Provisioning / cluster-baremetal-operator (1) #### Certificates (1) 1. ns/openshift-machine-api secret/metal3-ironic-tls 
@@ -503,6 +465,33 @@ If you have not done this, you should not merge the annotation. +### Networking / router (4) +#### Certificates (2) +1. ns/openshift-ingress secret/router-certs-default + + **Description:** Serving certificate for the default ingress controller, managed by the ingress operator. + + +2. ns/openshift-ingress-operator secret/router-ca + + **Description:** CA certificate used by the ingress operator to sign default serving certificates for ingress controllers. + + + + +#### Certificate Authority Bundles (2) +1. ns/openshift-config-managed configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + +2. ns/openshift-console configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + + + ### Node / Kubelet (2) #### Certificates (2) 1. file /var/lib/kubelet/pki/kubelet-client-\.pem @@ -690,7 +679,7 @@ If you have not done this, you should not merge the annotation. -### kube-apiserver (30) +### kube-apiserver (31) #### Certificates (9) 1. ns/openshift-kube-apiserver secret/node-kubeconfigs 
@@ -747,13 +736,24 @@ If you have not done this, you should not merge the annotation. -#### Certificate Authority Bundles (21) -1. ns/openshift-config configmap/admin-kubeconfig-client-ca +#### Certificate Authority Bundles (22) +1. ns/kube-system configmap/extension-apiserver-authentication + + **Description:** CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver. + + + Other locations: + + * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt + * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt + + +2. ns/openshift-config configmap/admin-kubeconfig-client-ca **Description:** CA for kube-apiserver to recognize the system:master created by the installer. -2. ns/openshift-config-managed configmap/kube-apiserver-aggregator-client-ca +3. ns/openshift-config-managed configmap/kube-apiserver-aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -764,7 +764,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -3. ns/openshift-config-managed configmap/kube-apiserver-client-ca +4. ns/openshift-config-managed configmap/kube-apiserver-client-ca **Description:** @@ -776,7 +776,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -4. ns/openshift-config-managed configmap/kube-apiserver-server-ca +5. ns/openshift-config-managed configmap/kube-apiserver-server-ca **Description:** 
@@ -790,12 +790,12 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -5. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig +6. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig **Description:** -6. ns/openshift-controller-manager configmap/client-ca +7. ns/openshift-controller-manager configmap/client-ca **Description:** @@ -807,7 +807,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -7. ns/openshift-kube-apiserver configmap/aggregator-client-ca +8. ns/openshift-kube-apiserver configmap/aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -818,7 +818,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -8. ns/openshift-kube-apiserver configmap/client-ca +9. ns/openshift-kube-apiserver configmap/client-ca **Description:** @@ -830,7 +830,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -9. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca +10. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca **Description:** 
@@ -844,42 +844,42 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -10. ns/openshift-kube-apiserver-operator configmap/kube-apiserver-to-kubelet-client-ca +11. ns/openshift-kube-apiserver-operator configmap/kube-apiserver-to-kubelet-client-ca **Description:** CA for the kubelet to recognize the kube-apiserver client certificate. -11. ns/openshift-kube-apiserver-operator configmap/kube-control-plane-signer-ca +12. ns/openshift-kube-apiserver-operator configmap/kube-control-plane-signer-ca **Description:** CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates. -12. ns/openshift-kube-apiserver-operator configmap/loadbalancer-serving-ca +13. ns/openshift-kube-apiserver-operator configmap/loadbalancer-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the internal or external load balancers. -13. ns/openshift-kube-apiserver-operator configmap/localhost-recovery-serving-ca +14. ns/openshift-kube-apiserver-operator configmap/localhost-recovery-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the localhost recovery SNI ServerName. -14. ns/openshift-kube-apiserver-operator configmap/localhost-serving-ca +15. ns/openshift-kube-apiserver-operator configmap/localhost-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via localhost. -15. ns/openshift-kube-apiserver-operator configmap/node-system-admin-ca +16. ns/openshift-kube-apiserver-operator configmap/node-system-admin-ca **Description:** CA for kube-apiserver to recognize local system:masters rendered to each master. -16. ns/openshift-kube-apiserver-operator configmap/service-network-serving-ca +17. 
ns/openshift-kube-apiserver-operator configmap/service-network-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the service network (kuberentes.default.svc). -17. ns/openshift-kube-controller-manager configmap/aggregator-client-ca +18. ns/openshift-kube-controller-manager configmap/aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -890,7 +890,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -18. ns/openshift-kube-controller-manager configmap/client-ca +19. ns/openshift-kube-controller-manager configmap/client-ca **Description:** @@ -902,7 +902,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -19. ns/openshift-route-controller-manager configmap/client-ca +20. ns/openshift-route-controller-manager configmap/client-ca **Description:** @@ -914,7 +914,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -20. file /etc/kubernetes/kubeconfig +21. file /etc/kubernetes/kubeconfig **Description:** @@ -927,7 +927,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -21. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt +22. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt **Description:** diff --git a/tls/testcase/testcase.json b/tls/testcase/testcase.json index 65859588cddf..fd01c15e6712 100644 --- a/tls/testcase/testcase.json 
+++ b/tls/testcase/testcase.json
@@ -7,8 +7,8 @@
 "Name": "extension-apiserver-authentication"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "kube-apiserver",
+ "description": "CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver."
 }
 },
 "OnDiskLocation": null
@@ -515,8 +515,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -734,8 +734,8 @@
 "Name": "default-ingress-cert"
 },
 "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA bundle containing the certificate for the default ingress controller, published by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3756,8 +3756,8 @@
 "Name": "router-certs-default"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "Serving certificate for the default ingress controller, managed by the ingress operator."
 }
 },
 "OnDiskLocation": null
@@ -3838,8 +3838,8 @@
 "Name": "router-ca"
 },
 "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
+ "owningJiraComponent": "Networking / router",
+ "description": "CA certificate used by the ingress operator to sign default serving certificates for ingress controllers."
 }
 },
 "OnDiskLocation": null
diff --git a/tls/testcase/testcase.md b/tls/testcase/testcase.md
index 31caeac29a65..d032d2d97579 100644
--- a/tls/testcase/testcase.md
+++ b/tls/testcase/testcase.md
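Review bot: The new description for kube-system/extension-apiserver-authentication in the `@@ -7,8 +7,8 @@` hunk, `CA bundle used to verify client certificates for aggregated API servers`, reads as if this were the CA that aggregated servers use to verify arbitrary client certificates, which is a different trust root from what the rest of this registry says about the same bytes: the markdown in this commit lists the bundle's other locations as `.../aggregator-client-ca/ca-bundle.crt`, and the sibling aggregator-client-ca entries are described as `CA for aggregated apiservers to recognize kube-apiserver as front-proxy`. Suggest aligning the wording with those entries, e.g. `"description": "CA for aggregated apiservers to recognize kube-apiserver as front-proxy (request-header client CA); same bundle as aggregator-client-ca."`. If this configmap also carries a separate client-ca key for ordinary client-certificate authentication (worth verifying against the actual configmap), the entry should say which key it covers, because a mis-described CA purpose is how a bundle ends up trusted for the wrong role. The same string is repeated in autoregenerate-after-expiry.json and both .md files in this commit and should be changed together.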
@@ -3,9 +3,6 @@
 ## Table of Contents
 - [How to meet the requirement](#How-to-meet-the-requirement)
 - [Items Do NOT Meet the Requirement (275)](#Items-Do-NOT-Meet-the-Requirement-275)
- - [Unknown Owner (5)](#Unknown-Owner-5)
- - [Certificates (2)](#Certificates-2)
- - [Certificate Authority Bundles (3)](#Certificate-Authority-Bundles-3)
 - [Bare Metal Hardware Provisioning / cluster-baremetal-operator (1)](#Bare-Metal-Hardware-Provisioning-/-cluster-baremetal-operator-1)
 - [Certificates (1)](#Certificates-1)
 - [Cloud Compute / Cloud Controller Manager (1)](#Cloud-Compute-/-Cloud-Controller-Manager-1)
@@ -25,6 +22,9 @@
 - [Networking / cluster-network-operator (41)](#Networking-/-cluster-network-operator-41)
 - [Certificates (8)](#Certificates-8)
 - [Certificate Authority Bundles (33)](#Certificate-Authority-Bundles-33)
+ - [Networking / router (4)](#Networking-/-router-4)
+ - [Certificates (2)](#Certificates-2)
+ - [Certificate Authority Bundles (2)](#Certificate-Authority-Bundles-2)
 - [Node / Kubelet (2)](#Node-/-Kubelet-2)
 - [Certificates (2)](#Certificates-2)
 - [Operator Framework / operator-lifecycle-manager (2)](#Operator-Framework-/-operator-lifecycle-manager-2)
@@ -39,9 +39,9 @@
 - [etcd (34)](#etcd-34)
 - [Certificates (25)](#Certificates-25)
 - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
- - [kube-apiserver (46)](#kube-apiserver-46)
+ - [kube-apiserver (47)](#kube-apiserver-47)
 - [Certificates (25)](#Certificates-25)
- - [Certificate Authority Bundles (21)](#Certificate-Authority-Bundles-21)
+ - [Certificate Authority Bundles (22)](#Certificate-Authority-Bundles-22)
 - [kube-controller-manager (12)](#kube-controller-manager-12)
 - [Certificates (3)](#Certificates-3)
 - [Certificate Authority Bundles (9)](#Certificate-Authority-Bundles-9)
@@ -73,44 +73,6 @@ This assertion means that you have If you have not done this, you should not merge the annotation. ## Items Do NOT Meet the Requirement (275) -### Unknown Owner (5) -#### Certificates (2) -1. ns/openshift-ingress secret/router-certs-default - - **Description:** - - -2. ns/openshift-ingress-operator secret/router-ca - - **Description:** - - - - -#### Certificate Authority Bundles (3) -1. ns/kube-system configmap/extension-apiserver-authentication - - **Description:** - - - Other locations: - - * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt - * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt - - -2. ns/openshift-config-managed configmap/default-ingress-cert - - **Description:** - - -3. ns/openshift-console configmap/default-ingress-cert - - **Description:** - - - - ### Bare Metal Hardware Provisioning / cluster-baremetal-operator (1) #### Certificates (1) 1. ns/openshift-machine-api secret/metal3-ironic-tls 
@@ -499,6 +461,33 @@ If you have not done this, you should not merge the annotation. +### Networking / router (4) +#### Certificates (2) +1. ns/openshift-ingress secret/router-certs-default + + **Description:** Serving certificate for the default ingress controller, managed by the ingress operator. + + +2. ns/openshift-ingress-operator secret/router-ca + + **Description:** CA certificate used by the ingress operator to sign default serving certificates for ingress controllers. + + + + +#### Certificate Authority Bundles (2) +1. ns/openshift-config-managed configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + +2. ns/openshift-console configmap/default-ingress-cert + + **Description:** CA bundle containing the certificate for the default ingress controller, published by the ingress operator. + + + + ### Node / Kubelet (2) #### Certificates (2) 1. file /var/lib/kubelet/pki/kubelet-client-\.pem @@ -859,7 +848,7 @@ If you have not done this, you should not merge the annotation. -### kube-apiserver (46) +### kube-apiserver (47) #### Certificates (25) 1. ns/openshift-config-managed secret/kube-controller-manager-client-cert-key 
@@ -1064,13 +1053,24 @@ If you have not done this, you should not merge the annotation. -#### Certificate Authority Bundles (21) -1. ns/openshift-config configmap/admin-kubeconfig-client-ca +#### Certificate Authority Bundles (22) +1. ns/kube-system configmap/extension-apiserver-authentication + + **Description:** CA bundle used to verify client certificates for aggregated API servers, managed by kube-apiserver. + + + Other locations: + + * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/aggregator-client-ca/ca-bundle.crt + * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt + + +2. ns/openshift-config configmap/admin-kubeconfig-client-ca **Description:** CA for kube-apiserver to recognize the system:master created by the installer. -2. ns/openshift-config-managed configmap/kube-apiserver-aggregator-client-ca +3. ns/openshift-config-managed configmap/kube-apiserver-aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -1081,7 +1081,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -3. ns/openshift-config-managed configmap/kube-apiserver-client-ca +4. ns/openshift-config-managed configmap/kube-apiserver-client-ca **Description:** @@ -1093,7 +1093,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -4. ns/openshift-config-managed configmap/kube-apiserver-server-ca +5. ns/openshift-config-managed configmap/kube-apiserver-server-ca **Description:** 
@@ -1107,12 +1107,12 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -5. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig +6. ns/openshift-config-managed configmap/kubelet-bootstrap-kubeconfig **Description:** -6. ns/openshift-controller-manager configmap/client-ca +7. ns/openshift-controller-manager configmap/client-ca **Description:** @@ -1124,7 +1124,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -7. ns/openshift-kube-apiserver configmap/aggregator-client-ca +8. ns/openshift-kube-apiserver configmap/aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -1135,7 +1135,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -8. ns/openshift-kube-apiserver configmap/client-ca +9. ns/openshift-kube-apiserver configmap/client-ca **Description:** @@ -1147,7 +1147,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -9. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca +10. ns/openshift-kube-apiserver configmap/kube-apiserver-server-ca **Description:** 
@@ -1161,42 +1161,42 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -10. ns/openshift-kube-apiserver-operator configmap/kube-apiserver-to-kubelet-client-ca +11. ns/openshift-kube-apiserver-operator configmap/kube-apiserver-to-kubelet-client-ca **Description:** CA for the kubelet to recognize the kube-apiserver client certificate. -11. ns/openshift-kube-apiserver-operator configmap/kube-control-plane-signer-ca +12. ns/openshift-kube-apiserver-operator configmap/kube-control-plane-signer-ca **Description:** CA for kube-apiserver to recognize the kube-controller-manager and kube-scheduler client certificates. -12. ns/openshift-kube-apiserver-operator configmap/loadbalancer-serving-ca +13. ns/openshift-kube-apiserver-operator configmap/loadbalancer-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the internal or external load balancers. -13. ns/openshift-kube-apiserver-operator configmap/localhost-recovery-serving-ca +14. ns/openshift-kube-apiserver-operator configmap/localhost-recovery-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the localhost recovery SNI ServerName. -14. ns/openshift-kube-apiserver-operator configmap/localhost-serving-ca +15. ns/openshift-kube-apiserver-operator configmap/localhost-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via localhost. -15. ns/openshift-kube-apiserver-operator configmap/node-system-admin-ca +16. ns/openshift-kube-apiserver-operator configmap/node-system-admin-ca **Description:** CA for kube-apiserver to recognize local system:masters rendered to each master. -16. ns/openshift-kube-apiserver-operator configmap/service-network-serving-ca +17. 
ns/openshift-kube-apiserver-operator configmap/service-network-serving-ca **Description:** CA for recognizing the kube-apiserver when connecting via the service network (kuberentes.default.svc). -17. ns/openshift-kube-controller-manager configmap/aggregator-client-ca +18. ns/openshift-kube-controller-manager configmap/aggregator-client-ca **Description:** CA for aggregated apiservers to recognize kube-apiserver as front-proxy. @@ -1207,7 +1207,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/aggregator-client-ca/ca-bundle.crt -18. ns/openshift-kube-controller-manager configmap/client-ca +19. ns/openshift-kube-controller-manager configmap/client-ca **Description:** @@ -1219,7 +1219,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -19. ns/openshift-route-controller-manager configmap/client-ca +20. ns/openshift-route-controller-manager configmap/client-ca **Description:** @@ -1231,7 +1231,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-controller-manager-certs/configmaps/client-ca/ca-bundle.crt -20. file /etc/kubernetes/kubeconfig +21. file /etc/kubernetes/kubeconfig **Description:** @@ -1244,7 +1244,7 @@ If you have not done this, you should not merge the annotation. * file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/secrets/node-kubeconfigs/localhost.kubeconfig -21. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt +22. file /etc/kubernetes/static-pod-resources/kube-apiserver-certs/configmaps/trusted-ca-bundle/ca-bundle.crt **Description:** diff --git a/tls/violations/ownership/ownership-violations.json b/tls/violations/ownership/ownership-violations.json index a6a761dc3f15..d7e7028dc157 100644 
--- a/tls/violations/ownership/ownership-violations.json
+++ b/tls/violations/ownership/ownership-violations.json
@@ -1,71 +1,4 @@
 {
- "certificateAuthorityBundles": [
- {
- "InClusterLocation": {
- "configMapLocation": {
- "Namespace": "kube-system",
- "Name": "extension-apiserver-authentication"
- },
- "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
- }
- },
- "OnDiskLocation": null
- },
- {
- "InClusterLocation": {
- "configMapLocation": {
- "Namespace": "openshift-config-managed",
- "Name": "default-ingress-cert"
- },
- "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
- }
- },
- "OnDiskLocation": null
- },
- {
- "InClusterLocation": {
- "configMapLocation": {
- "Namespace": "openshift-console",
- "Name": "default-ingress-cert"
- },
- "certificateAuthorityBundleInfo": {
- "owningJiraComponent": "",
- "description": ""
- }
- },
- "OnDiskLocation": null
- }
- ],
- "certKeyPairs": [
- {
- "InClusterLocation": {
- "secretLocation": {
- "Namespace": "openshift-ingress",
- "Name": "router-certs-default"
- },
- "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
- }
- },
- "OnDiskLocation": null
- },
- {
- "InClusterLocation": {
- "secretLocation": {
- "Namespace": "openshift-ingress-operator",
- "Name": "router-ca"
- },
- "certKeyInfo": {
- "owningJiraComponent": "",
- "description": ""
- }
- },
- "OnDiskLocation": null
- }
- ]
+ "certificateAuthorityBundles": null,
+ "certKeyPairs": null
 }
\ No newline at end of file
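Review bot: The rewritten ownership-violations.json changes the type of `certificateAuthorityBundles` and `certKeyPairs` from an array to `null` now that the violation lists are empty, so a consumer that iterates these fields without a nil check breaks on exactly the clean state this commit reaches. Prefer a stable shape, `"certificateAuthorityBundles": [],` and `"certKeyPairs": []`, so the field is always an array. This file looks tool-generated; if so, the fix belongs in the generator (initialise the slices as empty rather than nil before marshalling) rather than in a hand edit here.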