Extend doc about k8s control plane certificates renewal

hitachienergy · Feb 3, 2022 · 562f8f2 · 562f8f2
1 parent 3e3fbbf
commit 562f8f2
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 0 deletions.
diff --git a/docs/changelogs/CHANGELOG-2.0.md b/docs/changelogs/CHANGELOG-2.0.md
@@ -17,6 +17,7 @@
 - [#2828](https://github.com/epiphany-platform/epiphany/issues/2828) - K8s improvements
   - Re-generate apiserver certificates only by purpose
   - Do not ignore preflight errors in `kubeadm join`
+  - Update documentation about control plane certificates renewal
 - [#2825](https://github.com/epiphany-platform/epiphany/issues/2825) - Upgrade Terraform and providers
   - Terraform 0.12.6 to 1.1.3 ([#2706](https://github.com/epiphany-platform/epiphany/issues/2706))
   - Azurerm provider 1.38.0 to 2.91.0

diff --git a/docs/home/howto/kubernetes/CERTIFICATES.md b/docs/home/howto/kubernetes/CERTIFICATES.md
@@ -2,6 +2,19 @@
 
 ### TLS certificates in a cluster
 
+---
+**NOTE**
+
+1. There are issues encountered for K8s HA clusters when certificates renewal is enabled and applied
+   after `kubeadm reset`. If you restored control plane VMs from snapshots or used this command and plan to
+   run `epicli apply`, make sure that `renew` option is set to `false`.
+
+
+2. By default, kubeadm sets certificates expiration period to 1 year. If the cluster is upgraded, e.g. `kubeadm upgrade`
+   was executed, and different expiration period is required, run `epicli apply` with appropriate configuration.
+
+---
+
 It's possible to regenerate Kubernetes control plane certificates with Epiphany. To do so, additional configuration
 should be specified.