From 56e7d641741fce666384064896c5eac1f4288b15 Mon Sep 17 00:00:00 2001 
From: Andrea Hoffer
Date: Thu, 25 Jun 2020 13:06:12 -0400
Subject: [PATCH] Moving files to security section
---
 _topic_map.yml | 46 ++++++++++---------
 installing/install_config/customizations.adoc | 2 +-
 installing/installing-fips.adoc | 4 +-
 modules/about-etcd-encryption.adoc | 2 +-
 modules/admission-webhooks-about.adoc | 2 +-
 ...allowing-javascript-access-api-server.adoc | 2 +-
 modules/bootstrap-certificates.adoc | 2 +-
 ...icates-add-service-serving-apiservice.adoc | 2 +-
 ...ficates-add-service-serving-configmap.adoc | 2 +-
 ...-certificates-add-service-serving-crd.adoc | 2 +-
 ...-add-service-serving-mutating-webhook.adoc | 2 +-
 ...dd-service-serving-validating-webhook.adoc | 2 +-
 ...mize-certificates-add-service-serving.adoc | 2 +-
 ...ustomize-certificates-api-add-default.adoc | 2 +-
 .../customize-certificates-api-add-named.adoc | 2 +-
 ...e-certificates-replace-default-router.adoc | 2 +-
 ...e-certificates-rotate-service-serving.adoc | 2 +-
 ...ificates-understanding-default-router.adoc | 2 +-
 ...ficates-understanding-service-serving.adoc | 2 +-
 modules/disabling-etcd-encryption.adoc | 2 +-
 modules/enabling-etcd-encryption.adoc | 2 +-
 modules/etcd-certificates.adoc | 2 +-
 modules/olm-certificates.adoc | 2 +-
 modules/proxy-certificates.adoc | 2 +-
 modules/service-ca-certificates.adoc | 2 +-
 ...-provided-certificates-for-api-server.adoc | 2 +-
 ...ided-certificates-for-default-ingress.adoc | 2 +-
 ...allowing-javascript-access-api-server.adoc | 0
 .../certificate-types-descriptions.adoc | 10 ++--
 .../certificates/api-server.adoc | 0
 ...replacing-default-ingress-certificate.adoc | 0
 .../service-serving-certificate.adoc | 0
 .../encrypting-etcd.adoc | 0
 security/images | 1 +
 security/modules | 1 +
 welcome/index.adoc | 2 +-
 36 files changed, 60 insertions(+), 54 deletions(-)
 rename {authentication => security}/allowing-javascript-access-api-server.adoc (100%)
 rename {authentication => security}/certificate-types-descriptions.adoc (92%)
 rename {authentication =>
security}/certificates/api-server.adoc (100%)
 rename {authentication => security}/certificates/replacing-default-ingress-certificate.adoc (100%)
 rename {authentication => security}/certificates/service-serving-certificate.adoc (100%)
 rename {authentication => security}/encrypting-etcd.adoc (100%)
 create mode 120000 security/images
 create mode 120000 security/modules
diff --git a/_topic_map.yml b/_topic_map.yml
index 836c889b7d..33e35d6072 100644
--- a/_topic_map.yml
+++ b/_topic_map.yml
@@ -331,9 +331,32 @@ Topics:
 - Name: Disabling the web console
 File: disabling-web-console
 Distros: openshift-enterprise,openshift-webscale,openshift-origin
-
 ---
-Name: Authentication
+Name: Security
+Dir: security
+Distros: openshift-enterprise,openshift-webscale,openshift-origin
+Topics:
+- Name: Configuring certificates
+ Dir: certificates
+ Distros: openshift-enterprise,openshift-webscale,openshift-origin
+ Topics:
+ - Name: Replacing the default ingress certificate
+ File: replacing-default-ingress-certificate
+ - Name: Adding API server certificates
+ File: api-server
+ - Name: Securing service traffic using service serving certificates
+ File: service-serving-certificate
+- Name: Certificate types and descriptions
+ File: certificate-types-descriptions
+ Distros: openshift-enterprise,openshift-webscale,openshift-origin
+- Name: Allowing JavaScript-based access to the API server from additional hosts
+ File: allowing-javascript-access-api-server
+ Distros: openshift-enterprise,openshift-webscale,openshift-origin
+- Name: Encrypting etcd data
+ File: encrypting-etcd
+ Distros: openshift-enterprise,openshift-webscale,openshift-origin
+---
+Name: Authentication and authorization
 Dir: authentication
 Distros: openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated
 Topics:
@@ -343,9 +366,6 @@ Topics:
 - Name: Understanding identity provider configuration
 File: dedicated-understanding-authentication
 Distros: openshift-dedicated
-- Name: Certificate types and descriptions
- File: certificate-types-descriptions
- Distros: openshift-enterprise,openshift-webscale,openshift-origin
 - Name: Configuring the internal OAuth server
 File: configuring-internal-oauth
 Distros: openshift-enterprise,openshift-webscale,openshift-origin
@@ -378,16 +398,6 @@ Topics:
 File: configuring-google-identity-provider
 - Name: Configuring an OpenID Connect identity provider
 File: configuring-oidc-identity-provider
-- Name: Configuring certificates
- Dir: certificates
- Distros: openshift-enterprise,openshift-webscale,openshift-origin
- Topics:
- - Name: Replacing the default ingress certificate
- File: replacing-default-ingress-certificate
- - Name: Adding API server certificates
- File: api-server
- - Name: Securing service traffic using service serving certificates
- File: service-serving-certificate
 - Name: Using RBAC to define and apply permissions
 File: using-rbac
 - Name: Removing the kubeadmin user
@@ -417,12 +427,6 @@ Topics:
 - Name: Syncing LDAP groups
 File: ldap-syncing
 Distros: openshift-enterprise,openshift-webscale,openshift-origin,openshift-dedicated
-- Name: Allowing JavaScript-based access to the API server from additional hosts
- File: allowing-javascript-access-api-server
- Distros: openshift-enterprise,openshift-webscale,openshift-origin
-- Name: Encrypting etcd data
- File: encrypting-etcd
- Distros: openshift-enterprise,openshift-webscale,openshift-origin
 ---
 Name: Networking
 Dir: networking
diff --git a/installing/install_config/customizations.adoc b/installing/install_config/customizations.adoc
index 6fe3ab7c34..a71fd3f1c3 100644
--- a/installing/install_config/customizations.adoc
+++ b/installing/install_config/customizations.adoc
@@ -33,7 +33,7 @@ to @api-approvers (github) or #forum-api-review (slack). |Description |apiserver.config.openshift.io -|Provides api-server configuration such as xref:../../authentication/certificates/api-server.adoc#api-server-certificates[certificates and certificate authorities]. +|Provides api-server configuration such as xref:../../security/certificates/api-server.adoc#api-server-certificates[certificates and certificate authorities]. |authentication.config.openshift.io |Controls the xref:../../authentication/understanding-identity-provider.adoc#understanding-identity-provider[identity provider]and authentication configuration for the cluster. diff --git a/installing/installing-fips.adoc b/installing/installing-fips.adoc index d3f9b1865a..9633c058de 100644 --- a/installing/installing-fips.adoc +++ b/installing/installing-fips.adoc @@ -47,7 +47,7 @@ Although the {product-title} cluster itself uses FIPS validated / Implementation [id="installation-about-fips-components-etcd_{context}"] === etcd -To ensure that the secrets that are stored in etcd use FIPS validated / Implementation Under Test encryption, encrypt the etcd datastore by using a FIPS-approved cryptographic algorithm. After you install the cluster, you can xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the `aes cbc` algorithm. +To ensure that the secrets that are stored in etcd use FIPS validated / Implementation Under Test encryption, encrypt the etcd datastore by using a FIPS-approved cryptographic algorithm. After you install the cluster, you can xref:../security/encrypting-etcd.adoc#encrypting-etcd[encrypt the etcd data] by using the `aes cbc` algorithm. [id="installation-about-fips-components-storage_{context}"] === Storage 
@@ -73,6 +73,6 @@ To install a cluster in FIPS mode, follow the instructions to install a customiz * xref:../installing/installing_openstack/installing-openstack-installer-custom.adoc#installing-openstack-installer-custom[{rh-openstack-first}] * xref:../installing/installing_vsphere/installing-vsphere.adoc#installing-vsphere[VMware vSphere] -To apply `AES CBC` encryption to your etcd data store, follow the xref:../authentication/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster. +To apply `AES CBC` encryption to your etcd data store, follow the xref:../security/encrypting-etcd.adoc#encrypting-etcd[Encrypting etcd data] process after you install your cluster. If you add RHEL nodes to your cluster, ensure that you enable FIPS mode on the machines before their initial boot. See xref:../machine_management/adding-rhel-compute.adoc#adding-rhel-compute[Adding RHEL compute machines to an {product-title} cluster] and link:https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/chap-federal_standards_and_regulations#sec-Enabling-FIPS-Mode[Enabling FIPS Mode] in the RHEL 7 documentation. diff --git a/modules/about-etcd-encryption.adoc b/modules/about-etcd-encryption.adoc index 264b5384cf..362f602fa7 100644 --- a/modules/about-etcd-encryption.adoc +++ b/modules/about-etcd-encryption.adoc @@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * authentication/encrypting-etcd.adoc +// * security/encrypting-etcd.adoc [id="about-etcd_{context}"] = About etcd encryption diff --git a/modules/admission-webhooks-about.adoc b/modules/admission-webhooks-about.adoc index aef35b60a1..3ae9dfff7f 100644 --- a/modules/admission-webhooks-about.adoc +++ b/modules/admission-webhooks-about.adoc 
@@ -25,7 +25,7 @@ When an API request comes in, mutating or validating admission plug-ins use the * If an error is encountered when calling a webhook, the request is either denied or the webhook is ignored depending on the error policy set. If the error policy is set to `Ignore`, the request is unconditionally accepted in the event of a failure. If the policy is set to `Fail`, failed requests are denied. Using `Ignore` can result in unpredictable behavior for all clients. -//Future xrefs - Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a certificate authority (CA) certificate and use the certificate to sign the server certificate that is used by your webhook server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as xref:../authentication/certificates/service-serving-certificate.adoc#service-serving-certificate[service serving certificate secrets]. +//Future xrefs - Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a certificate authority (CA) certificate and use the certificate to sign the server certificate that is used by your webhook server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as xref:../security/certificates/service-serving-certificate.adoc#service-serving-certificate[service serving certificate secrets]. Communication between the webhook admission plug-in and the webhook server must use TLS. Generate a CA certificate and use the certificate to sign the server certificate that is used by your webhook admission server. The PEM-encoded CA certificate is supplied to the webhook admission plug-in using a mechanism, such as service serving certificate secrets. The following diagram illustrates the sequential admission chain process within which multiple webhook servers are called. 
diff --git a/modules/auth-allowing-javascript-access-api-server.adoc b/modules/auth-allowing-javascript-access-api-server.adoc
index 62c39780a3..f2f899fb5c 100644
--- a/modules/auth-allowing-javascript-access-api-server.adoc
+++ b/modules/auth-allowing-javascript-access-api-server.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/configuring-corsallowedorigins.adoc
+// * security/allowing-javascript-access-api-server.adoc
 [id="auth-allowing-javascript-access-api-server_{context}"]
 = Allowing JavaScript-based access to the API server from additional hosts
diff --git a/modules/bootstrap-certificates.adoc b/modules/bootstrap-certificates.adoc
index c281abfaf6..3a8a8ea262 100644
--- a/modules/bootstrap-certificates.adoc
+++ b/modules/bootstrap-certificates.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificate-types-descriptions.adoc
+// * security/certificate-types-descriptions.adoc
 [id="bootstrap-certificates_{context}"]
 = Bootstrap certificates
diff --git a/modules/customize-certificates-add-service-serving-apiservice.adoc b/modules/customize-certificates-add-service-serving-apiservice.adoc
index a19d00d239..6ee87ee751 100644
--- a/modules/customize-certificates-add-service-serving-apiservice.adoc
+++ b/modules/customize-certificates-add-service-serving-apiservice.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="add-service-certificate-apiservice_{context}"]
 = Add the service CA bundle to an APIService
diff --git a/modules/customize-certificates-add-service-serving-configmap.adoc b/modules/customize-certificates-add-service-serving-configmap.adoc
index f47560aca4..cf87b689e7 100644
--- a/modules/customize-certificates-add-service-serving-configmap.adoc
+++ b/modules/customize-certificates-add-service-serving-configmap.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="add-service-certificate-configmap_{context}"]
 = Add the service CA bundle to a ConfigMap
diff --git a/modules/customize-certificates-add-service-serving-crd.adoc b/modules/customize-certificates-add-service-serving-crd.adoc
index 658d0fae42..b73c2271c8 100644
--- a/modules/customize-certificates-add-service-serving-crd.adoc
+++ b/modules/customize-certificates-add-service-serving-crd.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="add-service-certificate-crd_{context}"]
 = Add the service CA bundle to a Custom Resource Definition
diff --git a/modules/customize-certificates-add-service-serving-mutating-webhook.adoc b/modules/customize-certificates-add-service-serving-mutating-webhook.adoc
index 417cd3452a..4449856cd0 100644
--- a/modules/customize-certificates-add-service-serving-mutating-webhook.adoc
+++ b/modules/customize-certificates-add-service-serving-mutating-webhook.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="add-service-certificate-mutating-webhook_{context}"]
 = Add the service CA bundle to a MutatingWebhookConfiguration
diff --git a/modules/customize-certificates-add-service-serving-validating-webhook.adoc b/modules/customize-certificates-add-service-serving-validating-webhook.adoc
index d59132e05f..1414e68611 100644
--- a/modules/customize-certificates-add-service-serving-validating-webhook.adoc
+++ b/modules/customize-certificates-add-service-serving-validating-webhook.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="add-service-certificate-validating-webhook_{context}"]
 = Add the service CA bundle to a ValidatingWebhookConfiguration
diff --git a/modules/customize-certificates-add-service-serving.adoc b/modules/customize-certificates-add-service-serving.adoc
index 2612323416..f01b2a538f 100644
--- a/modules/customize-certificates-add-service-serving.adoc
+++ b/modules/customize-certificates-add-service-serving.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="add-service-certificate_{context}"]
 = Add a service certificate
diff --git a/modules/customize-certificates-api-add-default.adoc b/modules/customize-certificates-api-add-default.adoc
index 1e8c50d486..a70aeb1170 100644
--- a/modules/customize-certificates-api-add-default.adoc
+++ b/modules/customize-certificates-api-add-default.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/api-server.adoc
+// * security/certificates/api-server.adoc
 [id="add-default-api-server_{context}"]
 = Add an API server default certificate
diff --git a/modules/customize-certificates-api-add-named.adoc b/modules/customize-certificates-api-add-named.adoc
index 2877d7dc6f..477ea7b860 100644
--- a/modules/customize-certificates-api-add-named.adoc
+++ b/modules/customize-certificates-api-add-named.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/api-server.adoc
+// * security/certificates/api-server.adoc
 [id="add-named-api-server_{context}"]
 = Add an API server named certificate
diff --git a/modules/customize-certificates-replace-default-router.adoc b/modules/customize-certificates-replace-default-router.adoc
index 40ca13a060..4cb5ba33cc 100644
--- a/modules/customize-certificates-replace-default-router.adoc
+++ b/modules/customize-certificates-replace-default-router.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/replacing-default-ingress-certificate.adoc
+// * security/certificates/replacing-default-ingress-certificate.adoc
 [id="replacing-default-ingress_{context}"]
 = Replacing the default ingress certificate
diff --git a/modules/customize-certificates-rotate-service-serving.adoc b/modules/customize-certificates-rotate-service-serving.adoc
index 8536346247..74f7e1af19 100644
--- a/modules/customize-certificates-rotate-service-serving.adoc
+++ b/modules/customize-certificates-rotate-service-serving.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="rotate-service-serving_{context}"]
 = Manually rotate the generated service certificate
diff --git a/modules/customize-certificates-understanding-default-router.adoc b/modules/customize-certificates-understanding-default-router.adoc
index d2d6044405..8a9ad75d24 100644
--- a/modules/customize-certificates-understanding-default-router.adoc
+++ b/modules/customize-certificates-understanding-default-router.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// authentication/certificates/replacing-default-ingress-certificate.adoc
+// security/certificates/replacing-default-ingress-certificate.adoc
 [id="understanding-default-ingress_{context}"]
 = Understanding the default ingress certificate
diff --git a/modules/customize-certificates-understanding-service-serving.adoc b/modules/customize-certificates-understanding-service-serving.adoc
index b1f2af2242..3679b53c54 100644
--- a/modules/customize-certificates-understanding-service-serving.adoc
+++ b/modules/customize-certificates-understanding-service-serving.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificates/service-serving-certificate.adoc
+// * security/certificates/service-serving-certificate.adoc
 [id="understanding-service-serving_{context}"]
 = Understanding service serving certificates
diff --git a/modules/disabling-etcd-encryption.adoc b/modules/disabling-etcd-encryption.adoc
index 1b7d8b41ff..d5b4c5d248 100644
--- a/modules/disabling-etcd-encryption.adoc
+++ b/modules/disabling-etcd-encryption.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/encrypting-etcd.adoc
+// * security/encrypting-etcd.adoc
 [id="disabling-etcd-encryption_{context}"]
 = Disabling etcd encryption
diff --git a/modules/enabling-etcd-encryption.adoc b/modules/enabling-etcd-encryption.adoc
index 831dcd2637..3b0541bc8b 100644
--- a/modules/enabling-etcd-encryption.adoc
+++ b/modules/enabling-etcd-encryption.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/encrypting-etcd.adoc
+// * security/encrypting-etcd.adoc
 [id="enabling-etcd-encryption_{context}"]
 = Enabling etcd encryption
diff --git a/modules/etcd-certificates.adoc b/modules/etcd-certificates.adoc
index ac3bcd166d..b34434f62f 100644
--- a/modules/etcd-certificates.adoc
+++ b/modules/etcd-certificates.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificate-types-descriptions.adoc
+// * security/certificate-types-descriptions.adoc
 [id="etcd-certificates_{context}"]
 = etcd certificates
diff --git a/modules/olm-certificates.adoc b/modules/olm-certificates.adoc
index f7da52c4c3..dd3832a20b 100644
--- a/modules/olm-certificates.adoc
+++ b/modules/olm-certificates.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificate-types-descriptions.adoc
+// * security/certificate-types-descriptions.adoc
 [id="olm-certificates_{context}"]
 = OLM certificates
diff --git a/modules/proxy-certificates.adoc b/modules/proxy-certificates.adoc
index 85852960ed..552252d95c 100644
--- a/modules/proxy-certificates.adoc
+++ b/modules/proxy-certificates.adoc
@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificate-types-descriptions.adoc
+// * security/certificate-types-descriptions.adoc
 [id="proxy-certificates_{context}"]
 = Proxy certificates
diff --git a/modules/service-ca-certificates.adoc b/modules/service-ca-certificates.adoc
index 4033712698..64f0c007ba 100644
--- a/modules/service-ca-certificates.adoc
+++ b/modules/service-ca-certificates.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// * authentication/certificate-types-descriptions.adoc
+// * security/certificate-types-descriptions.adoc
 [id="service-ca-certificates_{context}"]
 = Service CA certificates
diff --git a/modules/user-provided-certificates-for-api-server.adoc b/modules/user-provided-certificates-for-api-server.adoc
index f8cfacdf95..e3edb4e997 100644
--- a/modules/user-provided-certificates-for-api-server.adoc
+++ b/modules/user-provided-certificates-for-api-server.adoc
@@ -1,6 +1,6 @@
 // Module included in the following assemblies:
 //
-// *authentication/certificate-types-descriptions.adoc
+// *security/certificate-types-descriptions.adoc
 [id="user-provided-certificates-for-the-api-server_{context}"]
 = User-provided certificates for the API server
diff --git a/modules/user-provided-certificates-for-default-ingress.adoc b/modules/user-provided-certificates-for-default-ingress.adoc
index 036e129402..659619bb84 100644
--- a/modules/user-provided-certificates-for-default-ingress.adoc
+++ b/modules/user-provided-certificates-for-default-ingress.adoc
@@ -1,6 +1,6 @@ // Module included in the following assemblies: // -// * authentication/certificate-types-descriptions.adoc +// * security/certificate-types-descriptions.adoc [id="user-provided-certificates-for-default-ingress_{context}"] = User-provided certificates for default ingress diff --git a/authentication/allowing-javascript-access-api-server.adoc b/security/allowing-javascript-access-api-server.adoc similarity index 100% rename from authentication/allowing-javascript-access-api-server.adoc rename to security/allowing-javascript-access-api-server.adoc diff --git a/authentication/certificate-types-descriptions.adoc b/security/certificate-types-descriptions.adoc similarity index 92% rename from authentication/certificate-types-descriptions.adoc rename to security/certificate-types-descriptions.adoc index 4ed6e6b4d4..e64fcb2fe8 100644 --- a/authentication/certificate-types-descriptions.adoc +++ b/security/certificate-types-descriptions.adoc @@ -137,7 +137,7 @@ its own certificate. == Management Ingress certificates are managed by the user. See -xref:../authentication/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing +xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate] for more information. [discrete] 
@@ -191,12 +191,12 @@ from expired control plane certificates] .Additional resources -* xref:../authentication/certificates/service-serving-certificate.adoc#add-service-serving[Manually rotate service serving certificates] -* xref:../authentication/certificates/service-serving-certificate.adoc#add-service-serving[Securing service traffic using service serving certificate secrets] +* xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[Manually rotate service serving certificates] +* xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[Securing service traffic using service serving certificate secrets] * xref:../backup_and_restore/disaster_recovery/scenario-3-expired-certs.adoc#dr-recovering-expired-certs[Recovering from expired control plane certificates] * xref:../networking/enable-cluster-wide-proxy.adoc#enable-cluster-wide-proxy[Configuring the cluster-wide proxy] -* xref:../authentication/certificates/api-server.adoc#api-server-certificates[Adding API server certificates] -* xref:../authentication/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate] +* xref:../security/certificates/api-server.adoc#api-server-certificates[Adding API server certificates] +* xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate] * xref:../nodes/nodes/nodes-nodes-working.adoc#nodes-nodes-working[Working with nodes] * xref:../backup_and_restore/disaster_recovery/scenario-1-infra-recovery.adoc#dr-scenario-1-recover-master-hosts_dr-infrastructure-recovery[Recovering from lost master hosts] diff --git a/authentication/certificates/api-server.adoc b/security/certificates/api-server.adoc similarity index 100% rename from authentication/certificates/api-server.adoc rename to security/certificates/api-server.adoc 
diff --git a/authentication/certificates/replacing-default-ingress-certificate.adoc b/security/certificates/replacing-default-ingress-certificate.adoc
similarity index 100%
rename from authentication/certificates/replacing-default-ingress-certificate.adoc
rename to security/certificates/replacing-default-ingress-certificate.adoc
diff --git a/authentication/certificates/service-serving-certificate.adoc b/security/certificates/service-serving-certificate.adoc
similarity index 100%
rename from authentication/certificates/service-serving-certificate.adoc
rename to security/certificates/service-serving-certificate.adoc
diff --git a/authentication/encrypting-etcd.adoc b/security/encrypting-etcd.adoc
similarity index 100%
rename from authentication/encrypting-etcd.adoc
rename to security/encrypting-etcd.adoc
diff --git a/security/images b/security/images
new file mode 120000
index 0000000000..5e67573196
--- /dev/null
+++ b/security/images
@@ -0,0 +1 @@
+../images
\ No newline at end of file
diff --git a/security/modules b/security/modules
new file mode 120000
index 0000000000..464b823aca
--- /dev/null
+++ b/security/modules
@@ -0,0 +1 @@
+../modules
\ No newline at end of file
diff --git a/welcome/index.adoc b/welcome/index.adoc
index 85ed3f1cd9..bacbe0a4eb 100644
--- a/welcome/index.adoc
+++ b/welcome/index.adoc
@@ -178,7 +178,7 @@ xref:../authentication/identity_providers/configuring-google-identity-provider.a and xref:../authentication/identity_providers/configuring-oidc-identity-provider.adoc#configuring-oidc-identity-provider[OpenID]. -- **Manage xref:../authentication/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Ingress], xref:../authentication/certificates/api-server.adoc#api-server-certificates[API server], and xref:../authentication/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates +- **Manage xref:../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Ingress], xref:../security/certificates/api-server.adoc#api-server-certificates[API server], and xref:../security/certificates/service-serving-certificate.adoc#add-service-serving[service] certificates**: {product-title} creates certificates by default for the Ingress Operator, the API server, and for services needed by complex middleware applications that require encryption. At some point, you may need to change, add, and