
Commit 0297eb8

Merge pull request #72185 from jldohmann/OCPBUGS-25163
OCPBUGS-25163: update disruptionless MCO behavior
2 parents 254dbeb + bb9515f commit 0297eb8

1 file changed

+1
-1
lines changed

security/certificate_types_descriptions/proxy-certificates.adoc

Lines changed: 1 addition & 1 deletion
@@ -96,7 +96,7 @@ Updating the user-provided trust bundle consists of either:
9696
* updating the PEM-encoded certificates in the config map referenced by `trustedCA,` or
9797
* creating a config map in the namespace `openshift-config` that contains the new trust bundle and updating `trustedCA` to reference the name of the new config map.
9898

99-
The mechanism for writing CA certificates to the {op-system} trust bundle is exactly the same as writing any other file to {op-system}, which is done through the use of machine configs. When the Machine Config Operator (MCO) applies the new machine config that contains the new CA certificates, the node is rebooted. During the next boot, the service `coreos-update-ca-trust.service` runs on the {op-system} nodes, which automatically update the trust bundle with the new CA certificates. For example:
99+
The mechanism for writing CA certificates to the {op-system} trust bundle is exactly the same as writing any other file to {op-system}, which is done through the use of machine configs. When the Machine Config Operator (MCO) applies the new machine config that contains the new CA certificates, it runs the program `update-ca-trust` afterwards and restarts the CRI-O service on the {op-system} nodes. This update does not require a node reboot. Restarting the CRI-O service automatically updates the trust bundle with the new CA certificates. For example:
100100

101101
[source,yaml]
102102
----
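
Review bot: In the added line 99, the closing sentence "Restarting the CRI-O service automatically updates the trust bundle with the new CA certificates" conflicts with the sentence before it, which says the MCO runs `update-ca-trust` after applying the machine config. As written, a reader cannot tell which step rewrites the trust bundle and which step only makes CRI-O load the result. If the intended behavior is that `update-ca-trust` regenerates the bundle and the CRI-O restart picks it up, say so directly, for example: "The MCO then runs `update-ca-trust`, which updates the trust bundle with the new CA certificates, and restarts the CRI-O service so that it loads the updated bundle. This update does not require a node reboot." Two smaller points: "it runs the program" has an ambiguous antecedent (the MCO or the machine config), so name the MCO explicitly; and the unchanged context line 96 has the comma inside the code span (`trustedCA,`), which is worth fixing while this section is being edited.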
