From 0d3b4493af4420b945aedd77ad12c0b502c5c706 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Natalie=20Klestrup=20R=C3=B6ijezon?= Date: Thu, 1 Feb 2024 15:32:56 +0100 Subject: [PATCH] CA rotation docs cleanups As requested by @lfrancke (https://github.com/stackabletech/secret-operator/issues/93#issuecomment-1921381739) --- docs/modules/secret-operator/pages/secretclass.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/modules/secret-operator/pages/secretclass.adoc b/docs/modules/secret-operator/pages/secretclass.adoc index 7811aadf..8ed859c5 100644 --- a/docs/modules/secret-operator/pages/secretclass.adoc +++ b/docs/modules/secret-operator/pages/secretclass.adoc @@ -63,11 +63,11 @@ Users can use podOverrides to extend the certificate lifetime by adding volume a Certificate authorities also have a limited lifetime, and need to be rotated before they expire to avoid cluster disruption. If configured to provision its own CA (`autoTls.ca.autoGenerate`), the Secret Operator will create CA certificates that are valid for 2 years (`autoTls.ca.caCertificateLifetime`), -and initiate rotation once less than half of that time remains. If configured _not_ to provision its own CA, a warning will instead be issued in that case. +and initiate rotation once less than half of that time remains. To avoid disruption and let the new CA propagate through the cluster, the Secret Operator will prefer using the oldest CA that will last for the entire lifetime of the issued certificate. -Expired certificates will currently not be deleted automatically, and should be cleaned up manually. +NOTE: Expired CA certificates will currently not be deleted automatically. They should be cleaned up manually. ==== Reference
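Review bot: The sentence dropped from the first changed line ("If configured _not_ to provision its own CA, a warning will instead be issued in that case.") was the only statement in this section of how users find out that an externally provided CA is approaching expiry; unless that warning was actually removed from the operator, consider keeping it, possibly as its own sentence or NOTE, since a CA expiring unnoticed is exactly the cluster disruption the paragraph warns about. Also, the new NOTE narrows "Expired certificates" to "Expired CA certificates"; confirm that narrowing is intentional, because readers may now assume that issued (leaf) certificates are cleaned up automatically, which the previous wording did not promise.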