Merge pull request #529 from marun/tls-asset-additions

Add summary tables to tls asset docs
openshift · Jan 26, 2021 · d951824 · d951824
2 parents 98c037d + 62e955f
commit d951824
Showing 1 changed file with 32 additions and 5 deletions.
diff --git a/docs/etcd-tls-assets.md b/docs/etcd-tls-assets.md
@@ -22,6 +22,33 @@ See also the [user-facing
 documentation](https://docs.openshift.com/container-platform/4.5/security/certificate-types-descriptions.html#etcd-certificates_ocp-certificates)
 for these certificates.
 
+## etcd CA summary
+
+All etcd CAs and their CA bundles are stored in the `openshift-config`
+namespace.
+
+| CA (secret)        | CA bundle (configmap)            | CA bundle also appearing in                  |
+| ------------------ | -------------------------------- | -------------------------------------------- |
+| etcd-signer        | etcd-ca-bundle                   | openshift-etcd                               |
+|                    |                                  | openshift-etcd-operator                      |
+|                    |                                  | openshift-etcd/etcd-peer-client-ca           |
+|                    | etcd-serving-ca                  | openshift-etcd                               |
+| etcd-metric-signer | etcd-metric-serving-ca           | openshift-etcd/etcd-metrics-proxy-client-ca  |
+|                    |                                  | openshift-etcd/etcd-metrics-proxy-serving-ca |
+
+## etcd cert summary
+
+All etcd certificates are stored in secrets.
+
+| CA                 | Certificate                               | Purpose                          | Certifiate also appearing in                |
+| ------------------ | ----------------------------------------- | -------------------------------- | ------------------------------------------- |
+| etcd-signer        | openshift-config/etcd-client              | authn kube api to etcd           | openshift-etcd                              |
+|                    |                                           |                                  | openshift-etcd-operator                     |
+|                    | openshift-etcd/etcd-peer-$node            | etcd peer communication          | collected in etcd-all-peer                  |
+|                    | openshift-etcd/etcd-serving-$node         | etcd member serving              | collected in etcd-all-serving               |
+| etcd-metric-signer | openshift-config/etcd-metric-client       | authn prometheus to etcd metrics | openshift-monitoring/kube-etcd-client-certs |
+|                    | openshift-etcd/etcd-serving-metrics-$node | etcd member metrics serving      | collected in etcd-all-serving-metrics       |
+
 ## etcd-signer and etcd-metric-signer CA certs
 
 The cluster hosts two certificate authorities (CA) for etcd -
@@ -58,7 +85,7 @@ X509v3 Subject Key Identifier:
     7E:88:6E:AB:ED:36:42:88:6D:99:BD:3F:C6:53:EB:7C:7B:FB:B6:14
 
 $ oc get -n openshift-config configmap/etcd-serving-ca -o template='{{index .data "ca-bundle.crt"}}'  | openssl x509 -noout -ext subjectKeyIdentifier
-X509v3 Subject Key Identifier 
+X509v3 Subject Key Identifier
     7E:88:6E:AB:ED:36:42:88:6D:99:BD:3F:C6:53:EB:7C:7B:FB:B6:14
 ```
 
@@ -488,7 +515,7 @@ use this list to iterate over all control plane nodes.
 
 This controller watches a [set of config maps and
 secrets](https://github.com/openshift/cluster-etcd-operator/blob/0ecd5d2b72df7648769b8625a35de5e792cf707d/pkg/operator/starter.go#L260-L277)
-for changes. Any change to those resouces constitue a new numbered
+for changes. Any change to those resources constitute a new numbered
 "revision".
 
 When a new revision is detected, copies of all these resources are
@@ -499,7 +526,7 @@ treated as an error.
 The new revision is then recorded in the
 `status.latestAvailableRevision` field and a `revision-$suffix`
 configmap is created to record the status (`In Progress`, `Succeeded`,
-`Failed`) of the installation of this revision.
+`Failed`, `Abandoned`) of the installation of this revision.
 
 ### Installer controller
 
@@ -526,14 +553,14 @@ kubelet to launch this new revision of the pod.
 A separate controller - the backing resource controller - is
 responsible for ensuring the existence of an `installer-sa` service
 account with the `cluster-admin` role. This is the service account
-under which the installer (and prunder) pods runs.
+under which the installer (and pruner) pods runs.
 
 The revisioned resources destined for
 `/etc/kubernetes/static-pod-resources/etcd-pod-$revision` for etcd
 are:
 
 * Config maps
-    - `etc-pod` - the first element in the list has a special meaning
+    - `etcd-pod` - the first element in the list has a special meaning
       it is the static pod itself, and is to be installed in
       `/etc/kubernetes/manifests`.
     - `config` - an `EtcdConfig` file