diff --git a/images/324_RHbM_Certificate_Rotation_0323_long-term.png b/images/324_RHbM_Certificate_Rotation_0323_long-term.png new file mode 100644 index 0000000000..c57664f62d Binary files /dev/null and b/images/324_RHbM_Certificate_Rotation_0323_long-term.png differ diff --git a/images/324_RHbM_Certificate_Rotation_0323_short-term.png b/images/324_RHbM_Certificate_Rotation_0323_short-term.png new file mode 100644 index 0000000000..9c8fcbcd83 Binary files /dev/null and b/images/324_RHbM_Certificate_Rotation_0323_short-term.png differ diff --git a/microshift_troubleshooting/microshift-troubleshooting.adoc b/microshift_troubleshooting/microshift-troubleshooting.adoc deleted file mode 100644 index 0cbfa58646..0000000000 --- a/microshift_troubleshooting/microshift-troubleshooting.adoc +++ /dev/null @@ -1,18 +0,0 @@ -:_content-type: ASSEMBLY -[id="microshift-troubleshooting"] -= Troubleshooting -include::_attributes/attributes-microshift.adoc[] -:context: microshift-troubleshooting - -toc::[] - -//DEPRECATED: This assembly is being deprecated for 4.13 and removed from the topic map. Remove it and associated modules from repo for GA if not needed. -//DEPRECATED: This assembly is being deprecated for 4.13 and removed from the topic map. -//TODO: Remove it and associated modules from repo for GA if not needed. - -//Read about troubleshooting and possible solutions for known issues. - -//include::modules/microshift-troubleshooting-nodeport.adoc[leveloffset=+1] -//include::modules/microshift-ki-cni-iptables-deleted.adoc[leveloffset=+1] -//include::modules/microshift-nodeport-unreachable-workaround.adoc[leveloffset=+1] -//these two issues were resolved in 4.12 and 4.13; in 4.13, this last module was moved to KIs in the release notes and assembly in Troubleshooting removed diff --git a/modules/microshift-certificate-lifetime.adoc b/modules/microshift-certificate-lifetime.adoc index d038a0725a..e6bd6ac28c 100644 --- a/modules/microshift-certificate-lifetime.adoc 
+++ b/modules/microshift-certificate-lifetime.adoc 
@@ -11,30 +11,41 @@ . Short-lived certificates having certificate validity of one year. . Long-lived certificates having certificate validity of 10 years. -Most server or leaf certificates are short-lived. +Most server or leaf certificates are short-term. An example of a long-lived certificate is the client certificate for `system:admin user` authentication, or the certificate of the signer of the `kube-apiserver` external serving certificate. [id="microshift-certificate-rotation_{context}"] == Certificate rotation -As certificates age, {product-title} can be restarted to rotate certificates. A certificate that is close to expiring might also automatically cause a restart. Read the following situation overviews to understand the actions at each moment in time: - -. Green zone: -.. When a short-term certificate is 5 months old, no rotation occurs. -.. When a long-term certificate is 8.5 years old, no rotation occurs. - -. Yellow zone: -.. When a short-term certificate is 8 months old, it is rotated when {product-title} starts or restarts. -.. When a long-term certificate is 9 years old, it is rotated when {product-title} starts or restarts. - -. Red zone -.. When a short-term certificate is 8 months old, {product-title} restarts to rotate and apply a new certificate. -.. When a long-term certificate is 9 years old, {product-title} restarts to rotate and apply a new certificate. +Certificates that are expired or close to their expiration dates need to be rotated to ensure continued {product-title} operation. When {product-title} restarts for any reason, certificates that are close to expiring are rotated. A certificate that is set to expire imminently, or has expired, can cause an automatic {product-title} restart to perform a rotation. [NOTE] ==== If the rotated certificate is a Certificate Authority, all of the certificates it signed rotate. ==== -.Stoplight timeline of {product-title} certificate validity. 
-image::microshift-cert-rotation.png[<{product-title} graph with symbolic green-yellow-red stoplight map of certificates>] +[id="microshift-st-certificate-rotation_{context}"] +=== Short-term certificates +The following situations describe {product-title} actions during short-term certificate lifetimes: + +. No rotation: +.. When a short-term certificate is up to 5 months old, no rotation occurs. + +. Rotation at restart: +.. When a short-term certificate is 5 to 8 months old, it is rotated when {product-title} starts or restarts. + +. Automatic restart for rotation: +.. When a short-term certificate is more than 8 months old, {product-title} can automatically restart to rotate and apply a new certificate. + +[id="microshift-lt-certificate-rotation_{context}"] +=== Long-term certificates +The following situations describe {product-title} actions during long-term certificate lifetimes: + +. No rotation: +.. When a long-term certificate is up to 8.5 years old, no rotation occurs. + +. Rotation at restart: +.. When a long-term certificate is 8.5 to 9 years old, it is rotated when {product-title} starts or restarts. + +. Automatic restart for rotation: +.. When a long-term certificate is more than 9 years old, {product-title} can automatically restart to rotate and apply a new certificate.
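Review bot: on the deleted `microshift_troubleshooting/microshift-troubleshooting.adoc` hunk, the file's own TODO says to remove "it and associated modules from repo", but this diff only deletes the assembly; the three modules it listed as commented-out includes (`modules/microshift-troubleshooting-nodeport.adoc`, `modules/microshift-ki-cni-iptables-deleted.adoc`, `modules/microshift-nodeport-unreachable-workaround.adoc`) are not touched. Confirm whether they are already gone or still referenced elsewhere (the trailing comment says the last one moved to the known issues in the release notes) and drop any that are now orphaned in this same change, and verify the topic map no longer points at the `microshift-troubleshooting` id.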
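Review bot: on the `modules/microshift-certificate-lifetime.adoc` hunk, the two new binaries `images/324_RHbM_Certificate_Rotation_0323_short-term.png` and `images/324_RHbM_Certificate_Rotation_0323_long-term.png` are added but never referenced: the hunk removes the old `.Stoplight timeline ...` title and `image::microshift-cert-rotation.png[...]` line and adds no `image::` directive under either new `===` section, so the images ship unused; add an `image::` line with alt text (same style as the removed one) under `=== Short-term certificates` and `=== Long-term certificates`, or drop the binaries, and check whether the old `microshift-cert-rotation.png` is now orphaned since it is not deleted here. Terminology is also left mixed: the changed line now says "short-term" and the new headings use "Short-term"/"Long-term", while the retained list items still read ". Short-lived certificates having certificate validity of one year." / ". Long-lived certificates having certificate validity of 10 years." and the retained sentence says "An example of a long-lived certificate"; settle on one term for the module. Finally, the new ranges share their boundaries ("up to 5 months old" vs "5 to 8 months old", "up to 8.5 years old" vs "8.5 to 9 years old"), so the text does not say which rule applies at exactly 5 months or 8.5 years; wording them as disjoint ranges (for example "less than 5 months" and "from 5 to 8 months") would remove the ambiguity.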