Document webhook certificate renewal after system suspend#2181
Conversation
✅ Deploy Preview for cert-manager ready!Built without sensitive environment variables
To edit notification comments on pull requests, go to your Netlify project configuration. |
dadf138 to
40e431c
Compare
There was a problem hiding this comment.
Pull request overview
Adds documentation for the cert-manager 1.21 fix that ensures the webhook’s self-signed serving certificate renews correctly after system suspend (S3/S4) or VM live migration, preventing post-resume x509: certificate has expired or is not yet valid webhook failures.
Changes:
- Expands webhook troubleshooting guidance for expired serving certificates with root cause, upgrade guidance, and a restart workaround.
- Adds a “Major Themes” release-notes entry explaining the pre-1.21 failure mode and the 1.21 renewal behavior, plus a changelog bullet under “Bug or Regression”.
- Updates webhook concepts documentation to note renewal resilience since 1.21.
Reviewed changes
Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| content/docs/troubleshooting/webhook.md | Documents suspend/migration as a known cause of webhook serving cert expiry errors and provides remediation guidance. |
| content/docs/releases/release-notes/release-notes-1.21.md | Adds a Major Themes narrative and a Bug/Regression changelog entry for the webhook renewal fix. |
| content/docs/concepts/webhook.md | Notes that dynamic serving certificate renewal is resilient to suspend/migration starting in 1.21. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Add a Major Themes entry to the 1.21 release notes explaining the webhook serving certificate renewal fix for system suspend and VM live migration (cert-manager/cert-manager#8464). Add a note to the webhook concepts page about the renewal resilience improvement in 1.21. Expand the troubleshooting section for "x509: certificate has expired" with the system suspend root cause and the upgrade path. Signed-off-by: Richard Wall <richard.wall@cyberark.com>
40e431c to
3f1117c
Compare
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: wallrj The full list of commands accepted by this bot can be found here. The pull request process is described here DetailsNeeds approval from an approver in each of these files:
Approvers can indicate their approval by writing |
845087a
into
cert-manager:release-next
Preview:
Pull Request Motivation
cert-manager/cert-manager#8464 fixes a bug where the webhook serving certificate
is not renewed after system suspend (S3/S4) or VM live migration. This PR adds
documentation for the fix ahead of the 1.21 release.
Changes
release-notes-1.21.md): add a Major Themes entryexplaining the bug (monotonic clock stops during suspend, one-shot timer never
fires) and the fix (periodic ticker polling wall-clock time). Add a Bug or
Regression changelog entry.
concepts/webhook.md): note that since 1.21, automaticrenewal is resilient to system suspend and VM live migration.
troubleshooting/webhook.md): expand thepreviously stub "x509: certificate has expired" section with the system suspend
root cause, upgrade path, and restart workaround.
Testing
Visual review of the three modified pages.