Merge "Notes regarding restore"

2024-12-12 15:01:49 +00:00 · 2024-12-12 15:01:49 +00:00 · 16e1d08027
commit 16e1d08027
parent 1c1e274f53 c77108bf63
2 changed files with 34 additions and 16 deletions
--- a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst
+++ b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst
@ -24,6 +24,12 @@ following commands to run the Ansible Restore playbook:

    ~(keystone_admin)]$ ansible-playbook /usr/share/ansible/stx-ansible/playbooks/restore_platform.yml -e "initial_backup_dir=<location_of_tarball ansible_become_pass=<admin_password> admin_password=<admin_password backup_filename=<backup_filename> wipe_ceph_osds=<true/false> ssl_ca_certificate_file=<complete path>/<ssl_ca certificates file>"

+.. note::
+    If there are any expired ``ssl_ca`` certificates in the backup, the restore
+    (both, legacy and optimized) filters out the expired certificates and
+    restores only the valid ones. 
+
+  
 Below you can find other ``-e`` command line options:

 **Common**
@ -117,19 +123,15 @@ Below you can find other ``-e`` command line options:
        hardware. For more details, see :ref:`node-replacement-for-aiominussx-using-optimized-backup-and-restore-6603c650c80d`.


-   ``ssl_ca_certificate_file`` defines a single certificate that
-    contains all the ssl_ca certificates that will be installed during the
-    restore. It will replace
-    ``/opt/platform/config/<software-version>/ca-cert.pem``, which is a
-    single file containing all the ssl_ca certificates installed in
-    the host when the backup was done. The certificate assigned to this
-    parameter must follow this same pattern.
+-   ``ssl_ca_certificate_file`` defines a single certificate or a bundle that
+    contains all the ``ssl_ca`` certificates that will be installed during the
+    restore. 

    .. note::

-      The ssl_ca certificates are not automatically renewed, you MUST renew
+      The ``ssl_ca`` certificates are not automatically renewed, you MUST renew
      the soon-to-expire certificates before the backup operation. The expired
-      ssl_ca certificates are not restored.
+      ``ssl_ca`` certificates are not restored.
      For more details, see :ref:`Recommended Backup and Retention Policies<recommended-backup-and-retention-policies>`.

    For example:
@ -142,6 +144,16 @@ Below you can find other ``-e`` command line options:

        -e "ssl_ca_certificate_file=/home/sysadmin/new_ca-cert.pem"

+    .. note::
+
+        In **legacy** restore, when this option is used, it replaces all
+        ``ssl_ca`` certificates in the backup {{
+        with the one specified in ``ssl_ca_certificate_file``.
+
+        In the **optimized** restore, when this option is used, it adds certificates
+        from ``ssl_ca_certificate_file`` to the existing ``ssl_ca`` certificates in
+        the backup” }}.
+
    This parameter depends on ``on_box_data`` value.

    When ``on_box_data=true`` or not defined, ``ssl_ca_certificate_file``
--- a/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst
+++ b/doc/source/backup/kubernetes/system-backup-running-ansible-restore-playbook-remotely.rst
@ -142,13 +142,9 @@ In this method you can run Ansible Restore playbook and point to controller-0.

            scp: /tmp/.ansible-sysadmin/tmp/ansible-tmp-1687355968.13-696694507261/source: No space left on device

-    -   ``ssl_ca_certificate_file`` defines a single certificate that
-        contains all the ssl_ca certificates that will be installed during the
-        restore. It will replace the
-        ``/opt/platform/config/<software-version>/ca-cert.pem``, which is a
-        single certificate containing all the ssl_ca certificates installed in
-        the host when backup was done. So, the certificate assigned to this
-        parameter must follow this same pattern.
+    -   ``ssl_ca_certificate_file`` defines a single certificate or a bundle that
+        contains all the ``ssl_ca`` certificates that will be installed during the
+        restore. 

        For example:

@ -160,6 +156,16 @@ In this method you can run Ansible Restore playbook and point to controller-0.

            -e "ssl_ca_certificate_file=/home/sysadmin/new_ca-cert.pem"

+        .. note::
+
+            In **legacy** restore, when this option is used, it replaces all
+            ``ssl_ca`` certificates in the backup {{
+            with the one specified in ``ssl_ca_certificate_file``.
+
+            In the **optimized** restore, when this option is used, it adds certificates
+            from ``ssl_ca_certificate_file`` to the existing ``ssl_ca`` certificates in
+            the backup” }}.
+
    .. note::

        If the backup contains patches, Ansible Restore playbook will apply