From e1b59dde35f82495447ddc7d5a224cb23872e412 Mon Sep 17 00:00:00 2001 From: Juanita-Balaraj Date: Wed, 5 Jan 2022 19:25:24 -0500 Subject: [PATCH] Added warning for K8 Root CA update impact on services Updated Patshet 2 comments Updated Patchset 1 comments Signed-off-by: Juanita-Balaraj Change-Id: I764232e87edb856e9efd8e353b2527a91b03b70b --- ...on-commands-for-dcmanager-4947f9fb9588.rst | 36 +++++++++++-------- ...pdate-cloud-orchestration-a627f9d02d6d.rst | 6 ++++ ...oot-ca-certificate-update-8e9df2cd7fb9.rst | 7 +++- 3 files changed, 34 insertions(+), 15 deletions(-) diff --git a/doc/source/dist_cloud/kubernetes/orchestration-commands-for-dcmanager-4947f9fb9588.rst b/doc/source/dist_cloud/kubernetes/orchestration-commands-for-dcmanager-4947f9fb9588.rst index e77d74ca8..2c5e64012 100644 --- a/doc/source/dist_cloud/kubernetes/orchestration-commands-for-dcmanager-4947f9fb9588.rst +++ b/doc/source/dist_cloud/kubernetes/orchestration-commands-for-dcmanager-4947f9fb9588.rst @@ -4,22 +4,29 @@ Kubernetes Root CA Certificate Update for Distributed Cloud Orchestration ========================================================================= +.. warning:: + During the Kubernetes Root |CA| update, ``deployments``, ``daemonsets``, and + ``statefulsets`` present in the cluster are rolling restarted. This impacts + services provided by the application. It is highly recommended to schedule + a Kubernetes Root |CA| update during planned maintenance windows. + You can use the :command:`dcmanager` command to orchestrate the update of the Kubernetes Root |CA| certificate(s) for one or more subclouds in a Distributed Cloud Environment. -The Kubernetes Root |CA| Update Distributed Cloud Orchestration commands for +The Kubernetes Root |CA| update Distributed Cloud Orchestration commands for DCManager use the keyword ``kube-rootca-update-strategy`` and provide the same five subcommands as the other orchestrations: :command:`create, delete, apply, abort, show`. DCManager Kubernetes Root |CA| update orchestration considers a subcloud to be -'out of sync' and needing to be orchestrated based on the -``kube-rootca_sync_status`` field, which is updated based on the presence of -alarms in the subcloud related to the Kubernetes Root |CA| certificate expiring -soon (or expired). +'out of sync' that needs to be orchestrated based on the ``kube-rootca_sync_status`` +field, which is updated based on the presence of alarms in the subcloud +related to the Kubernetes Root |CA| certificate expiring soon (or expired) +status. -- To see synchronization details for a subcloud. +- Use the :command:`dcmanager subcloud show subcloud1` command to + see synchronization details for a subcloud. .. code-block:: @@ -54,7 +61,7 @@ soon (or expired). | platform_sync_status | in-sync | +-----------------------------+----------------------------+ -- A user can pass "help" to see all the arguments for the strategy create +- A user can pass ``help`` to see all the arguments for the :command:`strategy create` command. .. code-block:: @@ -77,7 +84,8 @@ soon (or expired). [--cert-file CERT_FILE] [cloud_name] - Create a kube rootca update strategy. This strategy supports: expiry-date, subject and cert-file. + Create a Kubernetes Root |CA| update strategy. This strategy supports + expiry-date, subject and cert-file parameters. positional arguments: cloud_name Name of a single subcloud to update. @@ -112,7 +120,7 @@ used with other arguments to orchestrate just one subcloud or subcloud group. This is an example of how to orchestrate a new certificate for all subclouds, including those that are in-sync that will expire in one year. -#. Create a Root |CA| update strategy. +#. Create a Kubernetes Root |CA| update strategy. .. code-block:: @@ -160,7 +168,7 @@ including those that are in-sync that will expire in one year. | updated_at | 2021-10-26T14:37:36.865776 | +-----------------------------+----------------------------+ -#. You can view the status of the strategy. +#. You can view the status of the strategy using the following command. .. code-block:: @@ -178,10 +186,10 @@ including those that are in-sync that will expire in one year. | updated_at | 2021-10-26 14:37:36.865776 | +-----------------------------+----------------------------+ - It is typically more useful to monitor the progress of the strategy as it runs - in the subclouds. + It is typically more useful to monitor the progress of the strategy as it + runs in the subclouds. - In this example, the |DC| strategy is running the VIM strategy in the subcloud. + In example below, the |DC| strategy runs the VIM strategy in the subcloud. .. code-block:: @@ -194,7 +202,7 @@ including those that are in-sync that will expire in one year. +-----------+-------+------------------------------------------+----------------------------+----------------------------+-------------+ #. Wait for the strategy to complete. If there are failures, the - :command:`show` command in the previous step can indicate where the failure + :command:`show` command in the previous step indicates where the failure occurred. #. Only one type of DCManager strategy can exist at a time. Once completed, diff --git a/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst b/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst index 7dd9d61fb..a7a8951ca 100644 --- a/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst +++ b/doc/source/security/kubernetes/kubernetes-root-ca-certificate-update-cloud-orchestration-a627f9d02d6d.rst @@ -18,6 +18,12 @@ either an uploaded certificate or an auto generated certificate. Special care should be taken when updating the Root |CA| certificate. +.. warning:: + During the Kubernetes Root |CA| update, ``deployments``, ``daemonsets``, and + ``statefulsets`` present in the cluster are rolling restarted. This impacts + services provided by the application. It is highly recommended to schedule + a Kubernetes Root |CA| update during planned maintenance windows. + .. rubric:: |prereq| - The system is clear of alarms \(with the exception of alarms for locked diff --git a/doc/source/security/kubernetes/manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9.rst b/doc/source/security/kubernetes/manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9.rst index 5f093d8d1..46688e2ed 100644 --- a/doc/source/security/kubernetes/manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9.rst +++ b/doc/source/security/kubernetes/manual-kubernetes-root-ca-certificate-update-8e9df2cd7fb9.rst @@ -15,7 +15,6 @@ certain order and phases, with most of the commands to be executed host by host. .. warning:: - Do **not** let the Kubernetes Root |CA| certificate expire on your system and ensure that certificates with valid/adequate expiry dates are used during renewal as there is no easy way to recover a system if the @@ -23,6 +22,12 @@ host. Special care should be taken when updating the Root |CA| certificate. +.. warning:: + During the Kubernetes Root |CA| update, ``deployments``, ``daemonsets``, and + ``statefulsets`` present in the cluster are rolling restarted. This impacts + services provided by the application. It is highly recommended to schedule + a Kubernetes Root |CA| update during planned maintenance windows. + .. rubric:: |prereq| - The system must be clear of alarms \(with the exception of alarms for locked