Merge "Recommendations regarding expired/invalid certificate in backup.(dsR8)"

Zuul 2024-08-29 14:35:41 +00:00 committed by Gerrit Code Review
commit 3ba02ce8d2
3 changed files with 21 additions and 2 deletions


@ -193,6 +193,7 @@ Execution Time for System Backups
- Systems with at least 4 platform cores will have much faster execution times.
.. _recommended-backup-and-retention-policies:
Recommended Backup and Retention Policies
-----------------------------------------
@ -225,7 +226,8 @@ Recommended Backup and Retention Policies
- Backups should be performed prior to performing maintenance operations or
applying configuration changes to the platform or hosted applications.
- The retention period of backups should be approximately one month.
- The retention period of backups should be shorter than the shortest certificate
duration on the system to avoid backup files with expired certificates.
- Since Kubernetes is an intent-based system, the most recent backup is the
most important.
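
Review bot: The new retention bullet compares the retention period with the certificate's total duration, but what decides whether a stored backup is still usable is the validity remaining on each certificate at the moment the backup is taken. A certificate close to the end of its duration at backup time will expire inside the retention window even when the retention period is shorter than that duration. Suggest rewording to something like "the retention period should be shorter than the shortest remaining validity of any certificate at backup time". The change also removes the only concrete figure ("approximately one month") without saying how an operator finds the shortest certificate duration; a pointer to the certificate management documentation would close that gap.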


@ -10,6 +10,16 @@ Run Ansible Backup Playbook Locally on the Controller
In this method the Ansible Backup playbook is run on the active controller.
.. note::
Ensure that all certificates are valid and not expiring soon prior to the
backup. The certificates are not automatically renewed, you MUST renew the
soon-to-expire certificates before the backup operation.
.. warning::
The restore cannot recover expired certificates.
Use one of the following commands to run the Ansible Backup playbook and back
up the |prod| configuration, data, and user container images in registry.local:
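
Review bot: "not expiring soon" in the added note has no threshold, so an operator cannot tell whether a certificate passes the check. Tie it to the retention policy, for example "every certificate must remain valid for longer than the backup retention period", and link to the retention section. The warning "The restore cannot recover expired certificates." should also say what the operator will observe, that is, whether the restore fails or completes without those certificates. Minor: "are not automatically renewed, you MUST renew" is a comma splice; split it into two sentences.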


@ -101,10 +101,17 @@ Below you can find other ``-e`` command line options:
contains all the ssl_ca certificates that will be installed during the
restore. It will replace
``/opt/platform/config/<software-version>/ca-cert.pem``, which is a
single certificate containing all the ssl_ca certificates installed in
single file containing all the ssl_ca certificates installed in
the host when the backup was done. The certificate assigned to this
parameter must follow this same pattern.
.. note::
The ssl_ca certificates are not automatically renewed, you MUST renew
the soon-to-expire certificates before the backup operation. The expired
ssl_ca certificates are not restored.
For more details, see :ref: `Recommended Backup and Retention Policies<recommended-backup-and-retention-policies>`.
For example:
.. code-block:: none
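
Review bot: The cross-reference on the "For more details, see" line has a space between the role and its content (``:ref: `Recommended ...```), so Sphinx will not resolve it and the raw text will appear in the rendered page. Write it as ``:ref:`Recommended Backup and Retention Policies <recommended-backup-and-retention-policies>``` with no space after ``:ref:``. The note here repeats the wording of the note added to the backup procedure; keeping one copy and referencing it from the other would stop the two from drifting apart. The same comma splice ("are not automatically renewed, you MUST renew") applies.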