From 30c7e268a7be193caea5dd77e4cac92a5fdc4531 Mon Sep 17 00:00:00 2001
From: Ashleigh Brennan
Date: Tue, 23 Dec 2025 08:58:38 -0600
Subject: [PATCH 1/2] DOCPLAN-31: Remove unnecessary module, move to admonition
---
 ...virt-configuring-certificate-rotation.adoc | 41 +++++++++++++++++
 ...ubleshooting-cert-rotation-parameters.adoc | 46 -------------------
 ...virt-configuring-certificate-rotation.adoc | 1 -
 3 files changed, 41 insertions(+), 47 deletions(-)
 delete mode 100644 modules/virt-troubleshooting-cert-rotation-parameters.adoc
diff --git a/modules/virt-configuring-certificate-rotation.adoc b/modules/virt-configuring-certificate-rotation.adoc
index ad0ccdffaf17..dac64faf7507 100644
--- a/modules/virt-configuring-certificate-rotation.adoc
+++ b/modules/virt-configuring-certificate-rotation.adoc
@@ -58,3 +58,44 @@ For example:
 ----
 $ oc apply -f kubevirt-hyperconverged.yaml
 ----
+
+[WARNING]
+====
+Deleting one or more `certConfig` values in the `HyperConverged` CR causes the `certConfig` values to revert to the default values.
+
+If the default values conflict with one of the following conditions, you receive an error message instead:
+
+* The value of `ca.renewBefore` must be less than or equal to the value of `ca.duration`.
+* The value of `server.duration` must be less than or equal to the value of `ca.duration`.
+* The value of `server.renewBefore` must be less than or equal to the value of `server.duration`.
+
+For example, if you remove the `server.duration` value, the default value of `24h0m0s` is greater than the value of `ca.duration`, which conflicts with the specified conditions:
+
+[source,yaml,subs="attributes+"]
+----
+apiVersion: hco.kubevirt.io/v1beta1
+kind: HyperConverged
+metadata:
+ name: kubevirt-hyperconverged
+ namespace: {CNVNamespace}
+spec:
+ # ...
+ certConfig:
+ ca:
+ duration: 4h0m0s
+ renewBefore: 1h0m0s
+ server:
+ duration: 4h0m0s
+ renewBefore: 4h0m0s
+# ...
+----
+
+This results in the following error message:
+
+[source,terminal]
+----
+error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration
+----
+
+The error message only mentions the first conflict. Review all `certConfig` values before you proceed.
+====
diff --git a/modules/virt-troubleshooting-cert-rotation-parameters.adoc b/modules/virt-troubleshooting-cert-rotation-parameters.adoc
deleted file mode 100644
index 318468069228..000000000000
--- a/modules/virt-troubleshooting-cert-rotation-parameters.adoc
+++ /dev/null
@@ -1,46 +0,0 @@
-// Module included in the following assemblies:
-//
-// * virt/virtual_machines/advanced_vm_management/virt-configuring-certificate-rotation.adoc
-
-:_mod-docs-content-type: REFERENCE
-[id="virt-troubleshooting-cert-rotation-parameters_{context}"]
-= Troubleshooting certificate rotation parameters
-
-[role="_abstract"]
-Deleting one or more `certConfig` values in the `HyperConverged` custom resource (CR) causes the `certConfig` values to revert to the default values.
-
-If the default values conflict with one of the following conditions, you receive an error message instead:
-
-* The value of `ca.renewBefore` must be less than or equal to the value of `ca.duration`.
-* The value of `server.duration` must be less than or equal to the value of `ca.duration`.
-* The value of `server.renewBefore` must be less than or equal to the value of `server.duration`.
-
-For example, if you remove the `server.duration` value, the default value of `24h0m0s` is greater than the value of `ca.duration`, which conflicts with the specified conditions:
-
-[source,yaml,subs="attributes+"]
-----
-apiVersion: hco.kubevirt.io/v1beta1
-kind: HyperConverged
-metadata:
- name: kubevirt-hyperconverged
- namespace: {CNVNamespace}
-spec:
- # ...
- certConfig:
- ca:
- duration: 4h0m0s
- renewBefore: 1h0m0s
- server:
- duration: 4h0m0s
- renewBefore: 4h0m0s
-# ...
-----
-
-This results in the following error message:
-
-[source,terminal]
-----
-error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration
-----
-
-The error message only mentions the first conflict. Review all `certConfig` values before you proceed.
diff --git a/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc b/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc
index 48cf762a22d3..64cf4d96ac68 100644
--- a/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc
+++ b/virt/post_installation_configuration/virt-configuring-certificate-rotation.adoc
@@ -10,4 +10,3 @@ Configure certificate rotation parameters to replace existing certificates. toc::[] include::modules/virt-configuring-certificate-rotation.adoc[leveloffset=+1]
-include::modules/virt-troubleshooting-cert-rotation-parameters.adoc[leveloffset=+1]
From 135927331972f98ba3f37acd6b8fae8e9ef365c1 Mon Sep 17 00:00:00 2001
From: Ashleigh Brennan
Date: Tue, 23 Dec 2025 09:49:08 -0600
Subject: [PATCH 2/2] update structure
---
 ...virt-configuring-certificate-rotation.adoc | 49 ++++++++-----------
 1 file changed, 20 insertions(+), 29 deletions(-)
diff --git a/modules/virt-configuring-certificate-rotation.adoc b/modules/virt-configuring-certificate-rotation.adoc
index dac64faf7507..9751e64e9ba9 100644
--- a/modules/virt-configuring-certificate-rotation.adoc
+++ b/modules/virt-configuring-certificate-rotation.adoc
@@ -41,36 +41,14 @@ spec:
 renewBefore: 12h0m0s
 ----
 +
+Deleting one or more `certConfig` values in the `HyperConverged` CR causes the `certConfig` values to revert to the default values. If the default values conflict with one of the following conditions, you receive an error message instead:
++
 ** The value of `ca.renewBefore` must be less than or equal to the value of `ca.duration`.
 ** The value of `server.duration` must be less than or equal to the value of `ca.duration`.
 ** The value of `server.renewBefore` must be less than or equal to the value of `server.duration`.
-
-. Apply updates to the `HyperConverged` CR by running the following command:
-+
-[source,terminal]
-----
-$ oc apply -f .yaml
-----
-+
-For example:
 +
-[source,terminal]
-----
-$ oc apply -f kubevirt-hyperconverged.yaml
-----
-
-[WARNING]
-====
-Deleting one or more `certConfig` values in the `HyperConverged` CR causes the `certConfig` values to revert to the default values.
-
-If the default values conflict with one of the following conditions, you receive an error message instead:
-
-* The value of `ca.renewBefore` must be less than or equal to the value of `ca.duration`.
-* The value of `server.duration` must be less than or equal to the value of `ca.duration`.
-* The value of `server.renewBefore` must be less than or equal to the value of `server.duration`.
-
 For example, if you remove the `server.duration` value, the default value of `24h0m0s` is greater than the value of `ca.duration`, which conflicts with the specified conditions:
-
++
 [source,yaml,subs="attributes+"]
 ----
 apiVersion: hco.kubevirt.io/v1beta1
@@ -89,13 +67,26 @@ spec:
 renewBefore: 4h0m0s
 # ...
 ----
-
++
 This results in the following error message:
-
++
 [source,terminal]
 ----
 error: hyperconvergeds.hco.kubevirt.io "kubevirt-hyperconverged" could not be patched: admission webhook "validate-hco.kubevirt.io" denied the request: spec.certConfig: ca.duration is smaller than server.duration
 ----
-
++
 The error message only mentions the first conflict. Review all `certConfig` values before you proceed.
-====
+
+. Apply updates to the `HyperConverged` CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f .yaml
+----
++
+For example:
++
+[source,terminal]
+----
+$ oc apply -f kubevirt-hyperconverged.yaml
+----