K8SPXC-1754 Updated the update certificates doc with automated steps #307
nastena1606 wants to merge 1 commit into main from
Conversation
Pull request overview
This PR updates the TLS certificate rotation documentation to add more structured, automated steps for checking certificate validity/expiration and for updating certificates via the Operator, with improved wording and navigation.
Changes:
- Added a “Before you start” section to standardize using a `$NAMESPACE` environment variable.
- Restructured the “Check your certificates for expiration” section into cert-manager vs non–cert-manager tabs with example outputs.
- Rewrote the “update certificates” instructions to describe an Operator-driven automated update flow (via a `*-new` Secret) and clarified the downtime flow for expired certs.
| ```{.text .no-copy} | ||
| notBefore=Nov 7 10:54:00 2025 GMT | ||
| notAfter=Nov 7 10:54:00 2026 GMT | ||
| ``` |
The sample output (`notBefore`/`notAfter`) doesn’t match the command shown (`openssl ... -text | grep "Not After"`), which would typically only print a `Not After` line (and not `notBefore`). Update the command (e.g., use `-noout -dates` and/or adjust `grep`) or adjust the sample output to match.
| 2. Create a Secrets object and supply the new certificates within it. The Secret name must be in the format `<existing-secret>-new`. For example, if the existing Secret name is `cluster1-ssl-internal`, the new Secret name is `cluster1-ssl-internal-new`. The command to create it is: | ||
|
|
||
| ```bash | ||
| kubectl get secret/cluster1-ssl -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.pem.old | ||
| kubectl get secret/cluster1-ssl -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.pem.old | ||
| kubectl get secret/cluster1-ssl -o jsonpath='{.data.tls\.key}' | base64 --decode > tls.key.old | ||
| kubectl -n $NAMESPACE create secret generic cluster1-ssl-internal-new \ | ||
| --from-file=ca.crt=ca.crt \ |
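Review bot: the three `kubectl get secret/cluster1-ssl` lines dump the current material into `ca.pem.old`, `tls.pem.old` and `tls.key.old`, but nothing that follows uses those files, while `--from-file=ca.crt=ca.crt` expects a `ca.crt` that no earlier line produces; either drop the `.old` extraction or feed its outputs into the `create secret` command. The extraction also reads from `cluster1-ssl` although the step text and the create command concern `cluster1-ssl-internal`, and it omits the `-n $NAMESPACE` that the create line uses, so with the “Before you start” variable set the two halves can act on different namespaces; add `-n $NAMESPACE` to the `get` lines and point them at the Secret being replaced.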
The update command creates a generic Secret (which defaults to type Opaque), but earlier this page suggests TLS Secrets should be kubernetes.io/tls. Consider setting the Secret type explicitly (and/or using the appropriate kubectl create secret tls flow). Also, step 1 references generating ca.pem/server.pem/server-key.pem, but this command uses ca.crt/tls.crt/tls.key—please align the filenames so the instructions are consistent and runnable.
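Both review points above (a command whose output actually matches `notBefore=`/`notAfter=` sample lines, and a Secret typed `kubernetes.io/tls` rather than the Opaque default of `create secret generic`) as one added shell example. This is not code from the PR or from the Operator documentation: the Secret name `cluster1-ssl-internal-new` comes from the diff, while the namespace `pxc` and the self-signed demo certificate are constructed here for illustration. It needs only `openssl` and `base64`; the manifest it prints is what you would pipe into `kubectl -n $NAMESPACE apply -f -`.

```shell
#!/bin/sh
# Added example (not part of the PR or the Operator docs): check a PEM
# certificate's validity window before rotation, then build a Secret
# manifest of type kubernetes.io/tls instead of a generic (Opaque) one.
# Namespace "pxc" and the demo certificate are constructed for illustration.
set -eu

# Print both validity boundaries. `-dates` emits exactly the
# notBefore=/notAfter= lines, so a doc sample in that shape matches it.
cert_dates() {
  openssl x509 -in "$1" -noout -dates
}

# Exit 0 only if the certificate stays valid for at least $2 more days.
# `-checkend` exits 1 when the cert expires inside the window, which makes
# this usable as a pre-rotation gate or a periodic expiry alarm.
cert_valid_for_days() {
  openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null
}

# Single-line base64 as the Secret `data` field requires.
b64() {
  base64 < "$1" | tr -d '\n'
}

# Emit a kubernetes.io/tls Secret manifest carrying ca.crt, tls.crt, tls.key.
# Arguments: name namespace ca.crt tls.crt tls.key
tls_secret_manifest() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: $2
type: kubernetes.io/tls
data:
  ca.crt: $(b64 "$3")
  tls.crt: $(b64 "$4")
  tls.key: $(b64 "$5")
EOF
}

# Constructed self-signed demo certificate valid for $2 days, written to $1/.
make_demo_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=demo.example" \
    -days "$2" -keyout "$1/tls.key" -out "$1/tls.crt" 2>/dev/null
}

# Stand-alone demonstration: a 30-day cert passes a 7-day check and fails
# a 60-day one; the self-signed cert doubles as its own CA for the demo.
demo() {
  dir=$(mktemp -d)
  make_demo_cert "$dir" 30
  cert_dates "$dir/tls.crt"
  if cert_valid_for_days "$dir/tls.crt" 7; then echo "still valid for 7 days"; fi
  if ! cert_valid_for_days "$dir/tls.crt" 60; then echo "expires within 60 days"; fi
  tls_secret_manifest cluster1-ssl-internal-new pxc \
    "$dir/tls.crt" "$dir/tls.crt" "$dir/tls.key"
  rm -rf "$dir"
}

demo
```

`-checkend` is preferable to parsing the `notAfter` string with `date -d`, which is GNU-specific; it is portable across OpenSSL builds and returns a plain exit status that a cron job or CI step can act on.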
Enhanced instructions for checking certificate expiration and validity, and improved overall wording for better clarity.
e94df5d to df42e1a