Merge pull request #35923 from tmalove/add-etcd-as-ctrl-plane-component-osdocs2343

kalexand-rh · web-flow · commit 5b03441bdeee · 2021-09-17T08:59:25.000-04:00
[OSDOCS-2343]: Add etcd as an option for ctrl plane component
diff --git a/modules/tls-profiles-kubernetes-configuring.adoc b/modules/tls-profiles-kubernetes-configuring.adoc
@@ -13,6 +13,7 @@ To configure a TLS security profile for the control plane, edit the `APIServer`
 * OpenShift API server
 * OpenShift OAuth API server
 * OpenShift OAuth server
+* etcd
 
 If a TLS security profile is not configured, the default TLS security profile is `Intermediate`.
 
@@ -117,3 +118,36 @@ Spec:
     Type:               Custom
  ...
 ----
+.Verification
+
+* Verify that the TLS security profile is set in the `etcd` CR:
++
+[source,terminal]
+----
+$ oc describe etcd cluster
+----
++
+.Example output
+[source,terminal]
+----
+Name:         cluster
+Namespace:
+ ...
+API Version:  operator.openshift.io/v1
+Kind:         Etcd
+ ...
+Spec:
+  Log Level:         Normal
+  Management State:  Managed
+  Observed Config:
+    Serving Info:
+      Cipher Suites:
+        TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+        TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
+        TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+        TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
+        TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
+        TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256
+      Min TLS Version:           VersionTLS12
+ ...
+----
diff --git a/security/tls-security-profiles.adoc b/security/tls-security-profiles.adoc
@@ -12,9 +12,9 @@ Cluster administrators can choose which TLS security profile to use for each of
 * the Ingress Controller
 * the control plane
 +
-This includes the Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, and OpenShift OAuth server.
+This includes the Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, OpenShift OAuth server, and etcd.
 +
-// NOTE: etcd and OpenShift controller manager are not included
+// NOTE: OpenShift controller manager are not included
 
 * the kubelet, when it acts as an HTTP server for the Kubernetes API server
 

Original file line number	Diff line number	Diff line change
`@@ -12,9 +12,9 @@ Cluster administrators can choose which TLS security profile to use for each of`
`12`	`12`	`* the Ingress Controller`
`13`	`13`	`* the control plane`
`14`	`14`	`+`
`15`		`-This includes the Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, and OpenShift OAuth server.`
	`15`	`+This includes the Kubernetes API server, Kubernetes controller manager, Kubernetes scheduler, OpenShift API server, OpenShift OAuth API server, OpenShift OAuth server, and etcd.`
`16`	`16`	`+`
`17`		`-// NOTE: etcd and OpenShift controller manager are not included`
	`17`	`+// NOTE: OpenShift controller manager are not included`
`18`	`18`
`19`	`19`	`* the kubelet, when it acts as an HTTP server for the Kubernetes API server`
`20`	`20`