Refine explanation of meeting regenerate after expiry requirement #28502
Original file line number | Diff line number | Diff line change | ||||
---|---|---|---|---|---|---|
@@ -1,6 +1,7 @@ | ||||||
# Auto Regenerate After Offline Expiry | ||||||
|
||||||
## Table of Contents | ||||||
- [How to meet the requirement](#How-to-meet-the-requirement) | ||||||
- [Items Do NOT Meet the Requirement (227)](#Items-Do-NOT-Meet-the-Requirement-227) | ||||||
- [ (20)](#-20) | ||||||
- [Certificates (9)](#Certificates-9) | ||||||
|
@@ -39,17 +40,23 @@ | |||||
- [Items That DO Meet the Requirement (0)](#Items-That-DO-Meet-the-Requirement-0) | ||||||
|
||||||
|
||||||
## How to meet the requirement | ||||||
Acknowledging that a cert/key pair or CA bundle can auto-regenerate after it expires offline means | ||||||
that if the cluster is shut down until the certificate expires, when the machines are restarted | ||||||
the cluster will automatically create new cert/key pairs or update CA bundles as required without human | ||||||
intervention. | ||||||
To assert that a particular cert/key pair or CA bundle can do this, add the "certificates.openshift.io/auto-regenerate-after-offline-expiry" annotation to the secret or configmap and | ||||||
setting the value of the annotation a github link to the PR adding the annotation. | ||||||
This assertion also means that you have | ||||||
|
||||||
To assert that a particular cert/key pair or CA bundle can do this, add the annotation to the secret or configmap. | ||||||
```yaml | ||||||
annotations: | ||||||
certificates.openshift.io/auto-regenerate-after-offline-expiry: https//github.com/link/to/pr/adding/annotation, "quote escaped formatted name of e2e test that ensures the PKI artifact functions properly" | ||||||
``` | ||||||
|
||||||
This assertion means that you have | ||||||
1. Manually tested that this works or seen someone else manually test that this works. AND | ||||||
2. Written an automated e2e job that your team has an alert for and is a blocking GA criteria, and/or | ||||||
2. Written an automated e2e test to ensure this PKI artifact is function that is a blocking GA criteria, and/or | ||||||
QE has required test every release that ensures the functionality works every release. | ||||||
Links should be provided in the PR adding the annotation. | ||||||
If you have not done this, you should not merge the annotation. | ||||||
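Review bot: The example annotation value in the added yaml block has a malformed URL scheme: `https//github.com/link/to/pr/adding/annotation` is missing the colon after `https`, so anyone copying the pattern starts from a link that does not resolve; it should read `https://github.com/...`. The same value is an unquoted scalar that packs a PR link, a comma and a double-quoted test name into one string, so the double quotes become literal characters of the annotation value, and the text never states how a reader or tool should split the two parts or what "quote escaped" means for a test name that itself contains a comma or a quote. Consider wrapping the whole value in single quotes and adding one sentence that defines the format. In the numbered list, "to ensure this PKI artifact is function that is a blocking GA criteria" reads as a typo for "is functional", and the "AND" after item 1 followed by "and/or" leaves unclear which combination of manual test, e2e test and QE test is actually required before the annotation may be merged.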
Suggested change
@vrutkovs based on William's comment, I'm going to merge this to help us communicate where we're at with a perma-link. I'm completely fine adding this extra verbiage, but I need to merge with green verifies.
||||||
|
||||||
## Items Do NOT Meet the Requirement (227) | ||||||
### (20) | ||||||
|
I think just the test name should be sufficient, we can find out which PR added it with `git blame` (also across releases)
Based on past experience in kube with api approvals, there's nothing quite like the link embedded.