Red Hat SummitChapter 8. Responsive restarts and security certificates
MicroShift responds to system configuration changes and restarts after alterations are detected, including IP address changes, clock adjustments, and security certificate age.
8.1. IP address changes or clock adjustments
MicroShift depends on device IP addresses and system-wide clock settings to remain consistent during its runtime. However, these settings might occasionally change on edge devices.
For example, DHCP or Network Time Protocol (NTP) updates can change times. When these changes occur, some MicroShift components might stop functioning properly. To mitigate this situation, MicroShift monitors the IP address and system time and restarts if either setting changes.
The threshold for clock changes is a time change of greater than 10 seconds in either direction. Smaller drifts on regular time adjustments performed by the Network Time Protocol (NTP) service do not cause a restart.
8.2. Security certificate lifetime
MicroShift certificates are digital certificates that secure communication with communication protocols such as HTTPS. They fall into two basic categories:
- Short-lived certificates
- Have a certificate validity of one year. Most server or leaf certificates are short-lived.
- Long-lived certificates
-
Have a certificate validity of 10 years. An example of a long-lived certificate is the client certificate for
system:admin userauthentication, or the certificate of the signer of thekube-apiserverexternal serving certificate.
MicroShift restarts automatically in certain cases, depending on certificate age.
8.3. Certificate rotation
Certificates that are expired or close to their expiration dates must be rotated to ensure continued MicroShift operation. This rotation can be an automatic process.
When MicroShift restarts for any reason, certificates that are close to expiring are rotated. A certificate that expires soon, or has already expired, can also cause an automatic MicroShift restart to perform a rotation.
If the rotated certificate is a MicroShift certificate authority (CA), then all of the signed certificates rotate. If you created any custom CAs, ensure that the CAs manually rotate.
8.3.1. Short-term certificates rotation
Short-term certificates that are expired or close to their expiration dates must be rotated to ensure continued MicroShift operation.
The following situations describe MicroShift actions during short-term certificate lifetimes:
- No rotation
- When a short-term certificate is up to 5 months old, no rotation occurs.
- Rotation at restart
- When a short-term certificate is 5 to 8 months old, it is rotated when MicroShift starts or restarts.
- Automatic restart for rotation
- When a short-term certificate is more than 8 months old, MicroShift can automatically restart to rotate and apply a new certificate.
8.3.2. Long-term certificates rotation
Long-term certificates that are expired or close to their expiration dates must be rotated to ensure continued MicroShift operation.
The following situations describe MicroShift actions during long-term certificate lifetimes:
- No rotation
- When a long-term certificate is up to 8.5 years old, no rotation occurs.
- Rotation at restart
- When a long-term certificate is 8.5 to 9 years old, it is rotated when MicroShift starts or restarts.
- Automatic restart for rotation
- When a long-term certificate is more than 9 years old, MicroShift might automatically restart so that it can rotate and apply a new certificate.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}