diff --git a/modules/virt-configuring-certificate-rotation.adoc b/modules/virt-configuring-certificate-rotation.adoc index ad0ccdffaf17..9751e64e9ba9 100644 --- a/modules/virt-configuring-certificate-rotation.adoc +++ b/modules/virt-configuring-certificate-rotation.adoc @@ -41,9 +41,41 @@ spec: renewBefore: 12h0m0s ---- + +Deleting one or more `certConfig` values in the `HyperConverged` CR causes the `certConfig` values to revert to the default values. If the default values conflict with one of the following conditions, you receive an error message instead: ++ ** The value of `ca.renewBefore` must be less than or equal to the value of `ca.duration`. ** The value of `server.duration` must be less than or equal to the value of `ca.duration`. ** The value of `server.renewBefore` must be less than or equal to the value of `server.duration`. ++ +For example, if you remove the `server.duration` value, the default value of `24h0m0s` is greater than the value of `ca.duration`, which conflicts with the specified conditions: ++ +[source,yaml,subs="attributes+"] +---- +apiVersion: hco.kubevirt.io/v1beta1 +kind: HyperConverged +metadata: + name: kubevirt-hyperconverged + namespace: {CNVNamespace} +spec: + # ... + certConfig: + ca: + duration: 4h0m0s + renewBefore: 1h0m0s + server: + duration: 4h0m0s + renewBefore: 4h0m0s +# ... +---- ++ +This results in the following error message: ++ +[source,terminal] +---- +error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration +---- ++ +The error message only mentions the first conflict. Review all `certConfig` values before you proceed. . Apply updates to the `HyperConverged` CR by running the following command: + diff --git a/modules/virt-troubleshooting-cert-rotation-parameters.adoc b/modules/virt-troubleshooting-cert-rotation-parameters.adoc deleted file mode 100644 index 318468069228..000000000000 --- a/modules/virt-troubleshooting-cert-rotation-parameters.adoc +++ /dev/null @@ -1,46 +0,0 @@ -// Module included in the following assemblies: -// -// * virt/virtual_machines/advanced_vm_management/virt-configuring-certificate-rotation.adoc - -:_mod-docs-content-type: REFERENCE -[id="virt-troubleshooting-cert-rotation-parameters_{context}"] -= Troubleshooting certificate rotation parameters - -[role="_abstract"] -Deleting one or more `certConfig` values in the `HyperConverged` custom resource (CR) causes the `certConfig` values to revert to the default values. - -If the default values conflict with one of the following conditions, you receive an error message instead: - -* The value of `ca.renewBefore` must be less than or equal to the value of `ca.duration`. -* The value of `server.duration` must be less than or equal to the value of `ca.duration`. -* The value of `server.renewBefore` must be less than or equal to the value of `server.duration`. - -For example, if you remove the `server.duration` value, the default value of `24h0m0s` is greater than the value of `ca.duration`, which conflicts with the specified conditions: - -[source,yaml,subs="attributes+"] ----- -apiVersion: hco.kubevirt.io/v1beta1 -kind: HyperConverged -metadata: - name: kubevirt-hyperconverged - namespace: {CNVNamespace} -spec: - # ... - certConfig: - ca: - duration: 4h0m0s - renewBefore: 1h0m0s - server: - duration: 4h0m0s - renewBefore: 4h0m0s -# ... ----- - -This results in the following error message: - -[source,terminal] ----- -error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration ----- - -The error message only mentions the first conflict. Review all `certConfig` values before you proceed. diff --git a/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc b/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc index 48cf762a22d3..64cf4d96ac68 100644 --- a/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc +++ b/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc @@ -10,4 +10,3 @@ Configure certificate rotation parameters to replace existing certificates. toc::[] include::modules/virt-configuring-certificate-rotation.adoc[leveloffset=+1] -include::modules/virt-troubleshooting-cert-rotation-parameters.adoc[leveloffset=+1]