From 729b2533fa1a1038c3984a39870f388d0001b7a3 Mon Sep 17 00:00:00 2001 From: Suzana Fernandes Date: Wed, 14 Aug 2024 11:40:55 +0000 Subject: [PATCH] Recommendations regarding expired/invalid certificate in backup.(dsR8) Bug: 2077106 Change-Id: Iaaf157cc53f4cf3a42e249c184665739bc9e36a6 Signed-off-by: Suzana Fernandes --- .../kubernetes/backing-up-starlingx-system-data.rst | 4 +++- ...sible-backup-playbook-locally-on-the-controller.rst | 10 ++++++++++ ...ning-restore-playbook-locally-on-the-controller.rst | 9 ++++++++- 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst index c81cc5cac..2d7c66087 100644 --- a/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst +++ b/doc/source/backup/kubernetes/backing-up-starlingx-system-data.rst @@ -193,6 +193,7 @@ Execution Time for System Backups - Systems with at least 4 platform cores will have much faster execution times. +.. _recommended-backup-and-retention-policies: Recommended Backup and Retention Policies ----------------------------------------- @@ -225,7 +226,8 @@ Recommended Backup and Retention Policies - Backups should be performed prior to performing maintenance operations or applying configuration changes to the platform or hosted applications. -- The retention period of backups should be approximately one month. +- The retention period of backups should be shorter than the shortest certificate + duration on the system to avoid backup files with expired certificates. - Since Kubernetes is an intent-based system, the most recent backup is the most important. diff --git a/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst b/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst index c158919d0..f12bcad00 100644 
--- a/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst +++ b/doc/source/backup/kubernetes/running-ansible-backup-playbook-locally-on-the-controller.rst @@ -10,6 +10,16 @@ Run Ansible Backup Playbook Locally on the Controller In this method the Ansible Backup playbook is run on the active controller. +.. note:: + + Ensure that all certificates are valid and not expiring soon prior to the + backup. The certificates are not automatically renewed, you MUST renew the + soon-to-expire certificates before the backup operation. + +.. warning:: + + The restore cannot recover expired certificates. + Use one of the following commands to run the Ansible Backup playbook and back up the |prod| configuration, data, and user container images in registry.local: diff --git a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst index a18edb72b..961204a10 100644 --- a/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst +++ b/doc/source/backup/kubernetes/running-restore-playbook-locally-on-the-controller.rst @@ -101,10 +101,17 @@ Below you can find other ``-e`` command line options: contains all the ssl_ca certificates that will be installed during the restore. It will replace ``/opt/platform/config//ca-cert.pem``, which is a - single certificate containing all the ssl_ca certificates installed in + single file containing all the ssl_ca certificates installed in the host when the backup was done. The certificate assigned to this parameter must follow this same pattern. + .. note:: + + The ssl_ca certificates are not automatically renewed, you MUST renew + the soon-to-expire certificates before the backup operation. The expired + ssl_ca certificates are not restored. + For more details, see :ref: `Recommended Backup and Retention Policies`. + For example: .. code-block:: none
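Review bot: In backing-up-starlingx-system-data.rst, the new retention bullet ("shorter than the shortest certificate duration on the system") measures retention against a certificate's duration, but what decides whether a backup is still usable is the time left until expiry when the backup was taken. A backup made shortly before a certificate expires carries an expired certificate soon after, whatever that certificate's total lifetime. Suggest wording the bullet in terms of remaining validity, for example "do not retain a backup past the earliest expiry date of the certificates it contains". Since the concrete "approximately one month" figure is removed, also say how operators find the certificate expiry dates they need to derive a retention period.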
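Review bot: In running-ansible-backup-playbook-locally-on-the-controller.rst, the added note tells operators to renew certificates that are "expiring soon" without defining the term. Tie it to the retention guidance changed in this patch (a certificate that expires within the retention period is the one that must be renewed first) and link to that section. The sentence "The certificates are not automatically renewed" is stated here for all certificates, while the note added to the restore page limits the same statement to ssl_ca certificates, so make the scope consistent between the two pages. The comma splice in "not automatically renewed, you MUST renew" reads better as two sentences.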
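Review bot: In running-restore-playbook-locally-on-the-controller.rst, the cross-reference closing the added note is written as ":ref: `Recommended Backup and Retention Policies`", with a space between the role and the backquoted text and with the section title as the target. A Sphinx role must be attached directly to its backquoted text, and the target should be the label this patch adds in backing-up-starlingx-system-data.rst, so as shown it will not resolve to a link. Suggest :ref:`Recommended Backup and Retention Policies <recommended-backup-and-retention-policies>`. The note also sits on the restore page but instructs the reader to act "before the backup operation". Consider adding what to do when the backup being restored already contains an expired ssl_ca certificate, since the note only says that such certificates are not restored.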