Recommended "renewBefore" value for a certificate (r8, r7, r5, r5, dsR8, dsR7, dsR6, dsR5)

Add note as include
Add include where renewBefore is mentioned
Address patchset 1 review comments

Closes-Bug: 2042545

Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>
This commit is contained in:
Ron Stone 2023-11-01 17:04:03 +00:00
parent 591824df28
commit b7e75df19b
8 changed files with 36 additions and 9 deletions

View File

@ -26,6 +26,8 @@ Update the following fields:
you desire. The system will automatically renew and re-install the
certificate.
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
* The ``subject`` fields to identify your particular system.
* The ``ipAddresses`` with the |OAM| Floating IP Address and the MGMT Floating

View File

@ -89,6 +89,8 @@ Configure OIDC Auth Applications
EOF
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
#. Apply the configuration.
.. code-block:: none

View File

@ -12,15 +12,15 @@ You can access the system from a remote workstation using one of two methods.
.. _configure-remote-cli-access-ul-jt2-lcy-ljb:
- The first method involves using the remote |CLI| tarball from the
|prod| CENGEN build servers to install a set of container-backed remote
CLIs and clients for accessing a remote |prod-long|. This provides
access to the :command:`system` and :command:`dcmanager` |prod| CLIs,
the OpenStack CLI for Keystone and Barbican in the platform, and
Kubernetes-related CLIs (kubectl, helm). This approach is simple to
install, portable across Linux, macOS, and Windows, and provides access
to all |prod-long| CLIs. However, commands such as those that reference
local files or require a shell are awkward to run in this environment.
- The first method involves using the remote |CLI| tarball from StarlingX
Public build servers to install a set of container-backed remote CLIs and
clients for accessing a remote |prod-long|. This provides access to the
:command:`system` and :command:`dcmanager` |prod| CLIs, the OpenStack CLI
for Keystone and Barbican in the platform, and Kubernetes-related CLIs
(kubectl, helm). This approach is simple to install, portable across Linux,
macOS, and Windows, and provides access to all |prod-long| CLIs. However,
commands such as those that reference local files or require a shell are
difficult to run in this environment.
- The second method involves installing the :command:`kubectl` and
:command:`helm` clients directly on the remote host. This method only

View File

@ -28,6 +28,8 @@ Update the following fields:
you desire. The system will automatically renew and re-install the
certificate.
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
* The ``subject`` fields to identify your particular system.
* The ``ipAddresses`` with the |OAM| Floating IP Address for this system.

View File

@ -102,6 +102,8 @@ for use in a lab environment.
kind: Issuer
" | kubectl apply -f -
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
#. Create the |PEM| files for Server certificate and key.
.. code-block:: none

View File

@ -160,6 +160,8 @@ playbook are:
If a separate set of overrides are required for a group of hosts,
``children`` groups can be added under ``target_group``.
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
The following example illustrates using one set of ssh/sudo passwords for
subcloud1 and subcloud2 and another set of ssh/sudo passwords for
subcloud3.

View File

@ -0,0 +1,15 @@
.. _recommended-renewbefore-value-for-certificates-c929cf42b03b:
.. note::
The Certificate usage of Cert-manager Documentation
(https://cert-manager.io/docs/usage/certificate/) states that one should
"Take care when setting the ``renewBefore`` field to be very close to the
duration as this can lead to a renewal loop, where the Certificate is always
in the renewal period."
In the light of the statement above, you must not set ``renewBefore`` to a
value very close to the "duration" value, such as a renewBefore of 29 days
and a duration of 30 days. Instead, you could set values such as
renewBefore=15 days and duration=30 days to avoid renewal loops.

View File

@ -146,6 +146,8 @@ This example requires that:
selector:
app: example-app
.. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
#. If example-app existed, you would access it from your browser
with ``https://abccompany-starlingx.mycompany.com:31118``.