Recommended "renewBefore" value for a certificate (r8, r7, r5, r5, dsR8, dsR7, dsR6, dsR5)

Add note as include Add include where renewBefore is mentioned Address patchset 1 review comments Closes-Bug: 2042545 Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9 Signed-off-by: Ron Stone <ronald.stone@windriver.com>
2023-11-01 17:04:03 +00:00 · 2023-11-01 17:04:03 +00:00 · 1a3ebc83dc
parent 62a901d684
commit 1a3ebc83dc
7 changed files with 39 additions and 10 deletions
--- a/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
+++ b/doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst
@ -31,6 +31,8 @@ Update the following fields:
  you desire. The system will automatically renew and re-install the
  certificate.

+  .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
 * The ``subject`` fields to identify your particular system.

 * The ``ipAddresses`` with the |OAM| Floating IP Address and the MGMT Floating
--- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
+++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst
@ -76,6 +76,8 @@ Configure OIDC Auth Applications

            EOF

+         .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
      #. Apply the configuration.

         .. code-block:: none
--- a/doc/source/security/kubernetes/configure-remote-cli-access.rst
+++ b/doc/source/security/kubernetes/configure-remote-cli-access.rst
@ -11,16 +11,15 @@ You can access the system from a remote workstation using one of two methods.

 .. _configure-remote-cli-access-ul-jt2-lcy-ljb:

-
-   The first method involves using the remote |CLI| tarball from the
-    |prod| CENGEN build servers to install a set of container-backed remote
-    CLIs and clients for accessing a remote |prod-long|. This provides
-    access to the :command:`system` and :command:`dcmanager` |prod| CLIs,
-    the OpenStack CLI for Keystone and Barbican in the platform, and
-    Kubernetes-related CLIs \(kubectl, helm\). This approach is simple to
-    install, portable across Linux, macOS, and Windows, and provides access
-    to all |prod-long| CLIs. However, commands such as those that reference
-    local files or require a shell are awkward to run in this environment.
+-   The first method involves using the remote |CLI| tarball from StarlingX
+    Public build servers to install a set of container-backed remote CLIs and
+    clients for accessing a remote |prod-long|. This provides access to the
+    :command:`system` and :command:`dcmanager` |prod| CLIs, the OpenStack CLI
+    for Keystone and Barbican in the platform, and Kubernetes-related CLIs
+    (kubectl, helm). This approach is simple to install, portable across Linux,
+    macOS, and Windows, and provides access to all |prod-long| CLIs. However,
+    commands such as those that reference local files or require a shell are
+    difficult to run in this environment.

 -   The second method involves installing the :command:`kubectl` and
    :command:`helm` clients directly on the remote host. This method only
--- a/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst
+++ b/doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst
@ -91,6 +91,8 @@ for use in a lab environment.
                kind: Issuer
            " | kubectl apply -f -

+        .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
    #.  Create the |PEM| files for Server certificate and key.

        .. code-block:: none
--- a/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
+++ b/doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst
@ -175,8 +175,15 @@ controllers/subclouds.
                 hosts:
                   subcloud3:

+   .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
+
 #. Run the playbook.

+    The following example illustrates using one set of ssh/sudo passwords for
+    subcloud1 and subcloud2 and another set of ssh/sudo passwords for
+    subcloud3.
+
   Execute the Ansible playbook to start the migration process. You will be
   prompted for the vault password created in the previous step.

--- a/doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+++ b/doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
@ -0,0 +1,15 @@
+.. _recommended-renewbefore-value-for-certificates-c929cf42b03b:
+
+
+.. note::
+
+   The Certificate usage of Cert-manager Documentation
+   (https://cert-manager.io/docs/usage/certificate/) states that one should
+   "Take care when setting the ``renewBefore`` field to be very close to the
+   duration as this can lead to a renewal loop, where the Certificate is always
+   in the renewal period."
+
+   In the light of the statement above, you must not set ``renewBefore`` to a
+   value very close to the "duration" value, such as a renewBefore of 29 days
+   and a duration of 30 days. Instead, you could set values such as
+   renewBefore=15 days and duration=30 days to avoid renewal loops.
--- a/doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst
+++ b/doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst
@ -146,6 +146,8 @@ This example requires that:
          selector:
            app: example-app

+    .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
 #.  If example-app existed, you would access it from your browser
    with ``https://abccompany-starlingx.mycompany.com:31118``.