mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
OSDOCS-5651: update cert rotation images for TP
BIN
images/324_RHbM_Certificate_Rotation_0323_long-term.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 46 KiB |
BIN
images/324_RHbM_Certificate_Rotation_0323_short-term.png
Normal file
Binary file not shown.
|
After Width: | Height: | Size: 46 KiB |
@@ -1,18 +0,0 @@
|
||||
:_content-type: ASSEMBLY
|
||||
[id="microshift-troubleshooting"]
|
||||
= Troubleshooting
|
||||
include::_attributes/attributes-microshift.adoc[]
|
||||
:context: microshift-troubleshooting
|
||||
|
||||
toc::[]
|
||||
|
||||
//DEPRECATED: This assembly is being deprecated for 4.13 and removed from the topic map. Remove it and associated modules from repo for GA if not needed.
|
||||
//DEPRECATED: This assembly is being deprecated for 4.13 and removed from the topic map.
|
||||
//TODO: Remove it and associated modules from repo for GA if not needed.
|
||||
|
||||
//Read about troubleshooting and possible solutions for known issues.
|
||||
|
||||
//include::modules/microshift-troubleshooting-nodeport.adoc[leveloffset=+1]
|
||||
//include::modules/microshift-ki-cni-iptables-deleted.adoc[leveloffset=+1]
|
||||
//include::modules/microshift-nodeport-unreachable-workaround.adoc[leveloffset=+1]
|
||||
//these two issues were resolved in 4.12 and 4.13; in 4.13, this last module was moved to KIs in the release notes and assembly in Troubleshooting removed
|
||||
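Review bot: The deletion of the `microshift-troubleshooting` assembly in this hunk is not covered by the commit subject, which only mentions the certificate rotation images; mention it in the commit message or move it to its own commit. The deleted TODO comment also asks to remove the "associated modules", but the three modules named in the commented-out include lines (modules/microshift-troubleshooting-nodeport.adoc, modules/microshift-ki-cni-iptables-deleted.adoc, modules/microshift-nodeport-unreachable-workaround.adoc) do not appear in the file list shown here. Check whether they are now orphaned and whether any xref still targets the `microshift-troubleshooting` id.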
@@ -11,30 +11,41 @@
|
||||
. Short-lived certificates having certificate validity of one year.
|
||||
. Long-lived certificates having certificate validity of 10 years.
|
||||
|
||||
Most server or leaf certificates are short-lived.
|
||||
Most server or leaf certificates are short-term.
|
||||
|
||||
An example of a long-lived certificate is the client certificate for `system:admin user` authentication, or the certificate of the signer of the `kube-apiserver` external serving certificate.
|
||||
|
||||
[id="microshift-certificate-rotation_{context}"]
|
||||
== Certificate rotation
|
||||
As certificates age, {product-title} can be restarted to rotate certificates. A certificate that is close to expiring might also automatically cause a restart. Read the following situation overviews to understand the actions at each moment in time:
|
||||
|
||||
. Green zone:
|
||||
.. When a short-term certificate is 5 months old, no rotation occurs.
|
||||
.. When a long-term certificate is 8.5 years old, no rotation occurs.
|
||||
|
||||
. Yellow zone:
|
||||
.. When a short-term certificate is 8 months old, it is rotated when {product-title} starts or restarts.
|
||||
.. When a long-term certificate is 9 years old, it is rotated when {product-title} starts or restarts.
|
||||
|
||||
. Red zone
|
||||
.. When a short-term certificate is 8 months old, {product-title} restarts to rotate and apply a new certificate.
|
||||
.. When a long-term certificate is 9 years old, {product-title} restarts to rotate and apply a new certificate.
|
||||
Certificates that are expired or close to their expiration dates need to be rotated to ensure continued {product-title} operation. When {product-title} restarts for any reason, certificates that are close to expiring are rotated. A certificate that is set to expire imminently, or has expired, can cause an automatic {product-title} restart to perform a rotation.
|
||||
|
||||
[NOTE]
|
||||
====
|
||||
If the rotated certificate is a Certificate Authority, all of the certificates it signed rotate.
|
||||
====
|
||||
|
||||
.Stoplight timeline of {product-title} certificate validity.
|
||||
image::microshift-cert-rotation.png[<{product-title} graph with symbolic green-yellow-red stoplight map of certificates>]
|
||||
[id="microshift-st-certificate-rotation_{context}"]
|
||||
=== Short-term certificates
|
||||
The following situations describe {product-title} actions during short-term certificate lifetimes:
|
||||
|
||||
. No rotation:
|
||||
.. When a short-term certificate is up to 5 months old, no rotation occurs.
|
||||
|
||||
. Rotation at restart:
|
||||
.. When a short-term certificate is 5 to 8 months old, it is rotated when {product-title} starts or restarts.
|
||||
|
||||
. Automatic restart for rotation:
|
||||
.. When a short-term certificate is more than 8 months old, {product-title} can automatically restart to rotate and apply a new certificate.
|
||||
|
||||
[id="microshift-lt-certificate-rotation_{context}"]
|
||||
=== Long-term certificates
|
||||
The following situations describe {product-title} actions during long-term certificate lifetimes:
|
||||
|
||||
. No rotation:
|
||||
.. When a long-term certificate is up to 8.5 years old, no rotation occurs.
|
||||
|
||||
. Rotation at restart:
|
||||
.. When a long-term certificate is 8.5 to 9 years old, it is rotated when {product-title} starts or restarts.
|
||||
|
||||
. Automatic restart for rotation:
|
||||
.. When a long-term certificate is more than 9 years old, {product-title} can automatically restart to rotate and apply a new certificate.
|
||||
|
||||
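Review bot: Terminology is inconsistent across this hunk: the numbered list at the top and the example sentence still say "Short-lived", "Long-lived" and "long-lived certificate", while the reworded sentence and the "Short-term certificates" and "Long-term certificates" subsections use short-term and long-term. Pick one pair and use it throughout. The age ranges in the two subsections also overlap at their boundaries ("up to 5 months" against "5 to 8 months", "up to 8.5 years" against "8.5 to 9 years"), so state which side each boundary belongs to, because operators plan around the point at which an automatic restart becomes possible. The only image macro visible in the hunk is image::microshift-cert-rotation.png; if that line is being dropped, each subsection needs an image:: macro for the added 324_RHbM_Certificate_Rotation_0323_short-term.png and 324_RHbM_Certificate_Rotation_0323_long-term.png files, otherwise the new PNGs are unreferenced.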