OCPBUGS-25163

The Machine Config Operator no longer reboots due to user-provided CA updates

    • Moderate
    • No
    • False
    • Release Note Not Required
    • In Progress

      Description of problem:

      In our docs, e.g.: https://docs.openshift.com/container-platform/4.14/security/certificate_types_descriptions/proxy-certificates.html#customization
      
      We have references to the user-CA, which is laid down by the MCO, and previously caused a reboot to apply.
      
      The MCO now considers it under the "disruptionless update" case, similar to sshkey or container registry cases. It will now instead run update-ca-trust and restart the crio service. The most a user will see is a temporary "NotReady" for the node (and an updating pool status) for a few seconds before everything goes back to normal.
      
      Confusingly, we actually shipped it in 4.14 as a completely non-machineconfig update case (similar to kubelet CA) but it was changed in https://github.com/openshift/machine-config-operator/pull/4063 to be a "MachineConfig, but disruptionless update".
      
      Unlike kubelet CA, this will not apply to paused pools. Kubelet CA is disruptionless and uses a new format,
      
      The docs should be updated to call out this new behaviour.

      Version-Release number of selected component (if applicable):

      4.14.z

            rhn-support-jdohmann Jesse Dohmann
            jerzhang@redhat.com Yu Qi Zhang
            Rio Liu Rio Liu