Recommended "renewBefore" value for a certificate (r8, r7, r5, r5, dsR8, dsR7, dsR6, dsR5)

Add note as include
Add include where renewBefore is mentioned
Address patchset 1 review comments

Closes-Bug: 2042545

Change-Id: Iad4f58fd2cd4743605089b453ededce1e720c8e9
Signed-off-by: Ron Stone <ronald.stone@windriver.com>

doc/source/security/kubernetes/configure-docker-registry-certificate-after-installation-c519edbfe90a.rst

@@ -26,6 +26,8 @@ Update the following fields:
   you desire. The system will automatically renew and re-install the
   certificate.
 
+  .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
 * The ``subject`` fields to identify your particular system.
 
 * The ``ipAddresses`` with the |OAM| Floating IP Address and the MGMT Floating

doc/source/security/kubernetes/configure-oidc-auth-applications.rst

@@ -89,6 +89,8 @@ Configure OIDC Auth Applications
 
             EOF
 
+         .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
       #. Apply the configuration.
 
          .. code-block:: none

doc/source/security/kubernetes/configure-remote-cli-access.rst

@@ -12,15 +12,15 @@ You can access the system from a remote workstation using one of two methods.
 .. _configure-remote-cli-access-ul-jt2-lcy-ljb:
 
 
--   The first method involves using the remote |CLI| tarball from the
+-   The first method involves using the remote |CLI| tarball from StarlingX
-    |prod| CENGEN build servers to install a set of container-backed remote
+    Public build servers to install a set of container-backed remote CLIs and
-    CLIs and clients for accessing a remote |prod-long|. This provides
+    clients for accessing a remote |prod-long|. This provides access to the
-    access to the :command:`system` and :command:`dcmanager` |prod| CLIs,
+    :command:`system` and :command:`dcmanager` |prod| CLIs, the OpenStack CLI
-    the OpenStack CLI for Keystone and Barbican in the platform, and
+    for Keystone and Barbican in the platform, and Kubernetes-related CLIs
-    Kubernetes-related CLIs (kubectl, helm). This approach is simple to
+    (kubectl, helm). This approach is simple to install, portable across Linux,
-    install, portable across Linux, macOS, and Windows, and provides access
+    macOS, and Windows, and provides access to all |prod-long| CLIs. However,
-    to all |prod-long| CLIs. However, commands such as those that reference
+    commands such as those that reference local files or require a shell are
-    local files or require a shell are awkward to run in this environment.
+    difficult to run in this environment.
 
 -   The second method involves installing the :command:`kubectl` and
     :command:`helm` clients directly on the remote host. This method only

doc/source/security/kubernetes/configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f.rst

@@ -28,6 +28,8 @@ Update the following fields:
   you desire. The system will automatically renew and re-install the
   certificate.
 
+  .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
 * The ``subject`` fields to identify your particular system.
 
 * The ``ipAddresses`` with the |OAM| Floating IP Address for this system.

doc/source/security/kubernetes/create-certificates-locally-using-cert-manager-on-the-controller.rst

@@ -102,6 +102,8 @@ for use in a lab environment.
                 kind: Issuer
             " | kubectl apply -f -
 
+        .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
     #.  Create the |PEM| files for Server certificate and key.
 
         .. code-block:: none

doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst

@@ -160,6 +160,8 @@ playbook are:
     If a separate set of overrides are required for a group of hosts,
     ``children`` groups can be added under ``target_group``.
 
+    .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest 
+
     The following example illustrates using one set of ssh/sudo passwords for
     subcloud1 and subcloud2 and another set of ssh/sudo passwords for
     subcloud3.

doc/source/shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest

@@ -0,0 +1,15 @@
+.. _recommended-renewbefore-value-for-certificates-c929cf42b03b:
+
+
+.. note::
+
+   The Certificate usage of Cert-manager Documentation
+   (https://cert-manager.io/docs/usage/certificate/) states that one should
+   "Take care when setting the ``renewBefore`` field to be very close to the
+   duration as this can lead to a renewal loop, where the Certificate is always
+   in the renewal period."
+
+   In the light of the statement above, you must not set ``renewBefore`` to a
+   value very close to the "duration" value, such as a renewBefore of 29 days
+   and a duration of 30 days. Instead, you could set values such as
+   renewBefore=15 days and duration=30 days to avoid renewal loops.

doc/source/usertasks/kubernetes/internal-ca-and-nodeport-example-2afa2a84603a.rst

@@ -146,6 +146,8 @@ This example requires that:
           selector:
             app: example-app
 
+    .. include:: /shared/_includes/recommended-renewbefore-value-for-certificates-c929cf42b03b.rest
+
 #.  If example-app existed, you would access it from your browser
     with ``https://abccompany-starlingx.mycompany.com:31118``.