doc updates for the new auto-discovery feature

Yuvaraj Kakaraparthi · Yuvaraj Kakaraparthi · commit 425e71951fca · 2022-11-03T18:05:20.000-07:00
diff --git a/docs/book/src/tasks/certs/auto-rotate-certificates-in-kcp.md b/docs/book/src/tasks/certs/auto-rotate-certificates-in-kcp.md
@@ -2,7 +2,7 @@
 
 When using Kubeadm Control Plane provider (KCP) it is possible to configure automatic certificate rotations. KCP does this by triggering a rollout when the certificates on the control plane machines are about to expire.
 
-If configured, the certificate rollout feature is available for all new control plane machines created using ClusterAPI v1.3 and above. To enable it for existing control plane machines see [Enabling Certificate Expiry Rollout for Existing Control Plane Machines](#enabling-certificate-expiry-rollout-for-existing-control-plane-machines)
+If configured, the certificate rollout feature is available for all new and existing control plane machines.
 
 ### Configuring Machine Rollout
 
@@ -39,8 +39,8 @@ KCP uses the value in the corresponding Control Plane machine's `Machine.Status.
 
 `Machine.Status.CertificatesExpiryDate` gets its value from one of the following 2 places:
 
-* `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the Machine object. This annotation is not applied by default and it can be set by users to opt-in in this feature for existing control plane machines (see instructions below).
-* `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the Bootstrap Config object referenced by the machine. This value is automatically set for machines bootstrapped with CABPK with CAPI >= v1.3.
+* `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the Machine object. This annotation is not applied by default and it can be set by users to manually override the certificate expiry information.
+* `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the Bootstrap Config object referenced by the machine. This value is automatically set for machines bootstrapped with CABPK that are owned by the KCP resource.
 
 The annotation value is a [RFC3339] format timestamp. The annotation value on the machine object, if provided, will take precedence.  
 
@@ -50,6 +50,8 @@ The annotation value is a [RFC3339] format timestamp. The annotation value on th
 
 The time captured in the Bootstrap Config annotation is an approximate time at which the machine certificates will expire (1 year from creation). The time captured in the annotation will be a little earlier than the actual certificate expiry time.
 
+It is assumed that all the certificates has the same expiration time. If not, it is assumed that the kube-apiserver certificate expires before other certificates.
+
 </aside>
 
 <aside class="note warning">
@@ -60,13 +62,5 @@ If the annotation is delete from the object, the certificate expiry information
 
 </aside>
 
-### Enabling Certificate Expiry Rollout for Existing Control Plane Machines
-
-To enable rollout for certificate expiry to work on existing machines we need to update existing control plane machines with the current certificate expiry time. To do this do the following for each of the control plane machines:
-
-* SSH into the control plane node and get the current certificate expiry time using `kubeadm certs check-expiration`. From the output note the certificate expiry time of the `apiserver` certificate.
-* Add the certificate expiry time as the `machine.cluster.x-k8s.io/certificates-expiry` annotation value on the control plane machine object. The value should be a [RFC3339] format timestamp.
-Example: If the certificate expiry time is `Sep 29, 2023 02:08 UTC` add `machine.cluster.x-k8s.io/certificates-expiry: 2023-09-29T02:08:00Z` as an annotation on the control plane machine object.
-
 <!-- links -->
 [RFC3339]: https://www.ietf.org/rfc/rfc3339.txt
