diff --git a/_topic_maps/_topic_map_ms.yml b/_topic_maps/_topic_map_ms.yml index ac94368e93..434ceb9b9e 100644 --- a/_topic_maps/_topic_map_ms.yml +++ b/_topic_maps/_topic_map_ms.yml @@ -106,6 +106,8 @@ Distros: microshift Topics: - Name: Configuring File: microshift-using-config-tools +- Name: Additional information + File: microshift-things-to-know --- Name: Networking Dir: microshift_networking diff --git a/images/microshift-cert-rotation.png b/images/microshift-cert-rotation.png new file mode 100644 index 0000000000..49497bbf5f Binary files /dev/null and b/images/microshift-cert-rotation.png differ diff --git a/microshift_configuring/attributes b/microshift_configuring/_attributes similarity index 100% rename from microshift_configuring/attributes rename to microshift_configuring/_attributes diff --git a/microshift_configuring/microshift-things-to-know.adoc b/microshift_configuring/microshift-things-to-know.adoc new file mode 100644 index 0000000000..1f822b810c --- /dev/null +++ b/microshift_configuring/microshift-things-to-know.adoc 
@@ -0,0 +1,18 @@ +:_content-type: ASSEMBLY +[id="microshift-things-to-know"] += About responsive restarts and security certificates +include::_attributes/attributes-microshift.adoc[] +:context: microshift-configuring +toc::[] + +{product-title} responds to system configuration changes and restarts after alterations are detected, including IP address changes, clock adjustments, and security certificate age. + +[id="microshift-ip-address-clock-changes_{context}"] +== IP address changes or clock adjustments +{product-title} depends on device IP addresses and system-wide clock settings to remain consistent during its runtime. However, these settings may occasionally change on edge devices, such as DHCP or Network Time Protocol (NTP) updates. + +When such changes occur, some {product-title} components may stop functioning properly. To mitigate this situation, {product-title} monitors the IP address and system time and restarts if either setting change is detected. + +The threshold for clock changes is a time adjustment of greater than 10 seconds in either direction. Smaller drifts on regular time adjustments performed by the Network Time Protocol (NTP) service do not cause a restart. + +include::modules/microshift-certificate-lifetime.adoc[leveloffset=+1] \ No newline at end of file diff --git a/modules/microshift-certificate-lifetime.adoc b/modules/microshift-certificate-lifetime.adoc new file mode 100644 index 0000000000..7272a44b29 --- /dev/null +++ b/modules/microshift-certificate-lifetime.adoc 
@@ -0,0 +1,39 @@ +// Module included in the following assemblies: +// +// * microshift/microshift-things-to-know.adoc + +:_content-type: CONCEPT +[id="microshift-certificate-lifetime_{context}"] += Security certificate lifetime +{product-title} certificates are separated into two basic groups: + +. Short-lived certificates having certificate validity of one year. +. Long-lived certificates having certificate validity of 10 years. + +Most server or leaf certificates are short-lived. + +An example of a long-lived certificate is the client certificate for `system:admin user` authentication, or the certificate of the signer of the `kube-apiserver` external serving certificate. + +[id="microshift-certificate-rotation_{context}"] +== Certificate rotation +As certificates age, {product-title} can be restarted to rotate certificates. A certificate that is close to expiring might also automatically cause a restart. Read the following situation overviews to understand the actions at each moment in time: + +. Green zone: +.. When a short-term certificate is 5 months old, no rotation occurs. +.. When a long-term certificate is 8.5 years old, no rotation occurs. + +. Yellow zone: +.. When a short-term certificate is 8 months old, it is rotated when {product-title} starts or restarts. +.. When a long-term certificate is 9 years old, it is rotated when {product-title} starts or restarts. + +. Red zone +.. When a short-term certificate is 8 months old, {product-title} restarts to rotate and apply a new certificate. +.. When a long-term certificate is 9 years old, {product-title} restarts to rotate and apply a new certificate. + +[NOTE] +==== +If the rotated certificate is a Certificate Authority, all of the certificates it signed rotate. +==== + +.Stoplight timeline of {product-title} certificate validity. +image::microshift-cert-rotation.png[<{product-title} graph with symbolic green-yellow-red stoplight map of certificates>]
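Review bot: in the `_topic_map_ms.yml` hunk the new entry's display name "Additional information" is vaguer than the title of the file it points to (`= About responsive restarts and security certificates`), so readers scanning the Configuring section get no hint that this page covers restart triggers and certificate rotation; suggest naming the topic after the content, e.g. `- Name: Responsive restarts and certificates`, keeping `File: microshift-things-to-know` unchanged.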
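Review bot: the new `microshift_configuring/microshift-things-to-know.adoc` is committed without a trailing newline (`\ No newline at end of file` after the `include::` line); add one so later diffs against the file stay clean. Two wording points in the same hunk: "these settings may occasionally change on edge devices, such as DHCP or Network Time Protocol (NTP) updates" attaches the examples to the devices rather than to the changes, so suggest "these settings may occasionally change on edge devices, for example through DHCP lease renewals or Network Time Protocol (NTP) updates"; and "restarts if either setting change is detected" should read "restarts if a change to either setting is detected". Finally, a restart threshold (greater than 10 seconds) is stated only for clock changes; if any IP address change triggers a restart, say so explicitly so the two conditions are symmetric for the reader.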
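Review bot: the Yellow zone and Red zone lists in `modules/microshift-certificate-lifetime.adoc` give identical ages (8 months for short-term, 9 years for long-term) but describe different behaviour (rotate on the next start versus force a restart to rotate), so as written the two zones contradict each other at the same moment in time; the red-zone thresholds must be later than the yellow ones, so please confirm the real values with engineering and express each zone as an age range (for example "up to", "between ... and", "after") rather than a single point. Smaller items in the same hunk: "Red zone" lacks the trailing colon the other two zone headings use; `system:admin user` puts the word "user" inside the monospace span, so it should be `system:admin` user; and the image macro's alt text is wrapped in angle brackets (`[<{product-title} graph ...>]`), which will render literally in the alt attribute and should be dropped. Since the module is typed `:_content-type: CONCEPT` and is included with `leveloffset=+1`, also consider whether the nested `== Certificate rotation` heading belongs in a separate module or should be a plain paragraph lead-in, per the repository's module conventions.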