Merge pull request #53516 from ShaunaDiaz/OSDOCS-4652

OSDOCS-4652: adding Additional information assembly and mods to Configuration

Author: skrthomas

_topic_maps/_topic_map_ms.yml

@@ -106,6 +106,8 @@ Distros: microshift
 Topics:
 - Name: Configuring
   File: microshift-using-config-tools
+- Name: Additional information
+  File: microshift-things-to-know
 ---
 Name: Networking
 Dir: microshift_networking

images/microshift-cert-rotation.png

@@ -0,0 +1,18 @@
+:_content-type: ASSEMBLY
+[id="microshift-things-to-know"]
+= About responsive restarts and security certificates
+include::_attributes/attributes-microshift.adoc[]
+:context: microshift-configuring
+toc::[]
+
+{product-title} responds to system configuration changes and restarts after alterations are detected, including IP address changes, clock adjustments, and security certificate age.
+
+[id="microshift-ip-address-clock-changes_{context}"]
+== IP address changes or clock adjustments
+{product-title} depends on device IP addresses and system-wide clock settings to remain consistent during its runtime. However, these settings may occasionally change on edge devices, such as DHCP or Network Time Protocol (NTP) updates.
+
+When such changes occur, some {product-title} components may stop functioning properly. To mitigate this situation, {product-title} monitors the IP address and system time and restarts if either setting change is detected.
+
+The threshold for clock changes is a time adjustment of greater than 10 seconds in either direction. Smaller drifts on regular time adjustments performed by the Network Time Protocol (NTP) service do not cause a restart.
+
+include::modules/microshift-certificate-lifetime.adoc[leveloffset=+1]

microshift_configuring/attributes renamed to microshift_configuring/_attributes

@@ -0,0 +1,39 @@
+// Module included in the following assemblies:
+//
+// * microshift/microshift-things-to-know.adoc
+
+:_content-type: CONCEPT
+[id="microshift-certificate-lifetime_{context}"]
+= Security certificate lifetime
+{product-title} certificates are separated into two basic groups:
+
+. Short-lived certificates having certificate validity of one year.
+. Long-lived certificates having certificate validity of 10 years.
+
+Most server or leaf certificates are short-lived.
+
+An example of a long-lived certificate is the client certificate for `system:admin user` authentication, or the certificate of the signer of the `kube-apiserver` external serving certificate.
+
+[id="microshift-certificate-rotation_{context}"]
+== Certificate rotation
+As certificates age, {product-title} can be restarted to rotate certificates. A certificate that is close to expiring might also automatically cause a restart. Read the following situation overviews to understand the actions at each moment in time:
+
+. Green zone:
+.. When a short-term certificate is 5 months old, no rotation occurs.
+.. When a long-term certificate is 8.5 years old, no rotation occurs.
+
+. Yellow zone:
+.. When a short-term certificate is 8 months old, it is rotated when {product-title} starts or restarts.
+.. When a long-term certificate is 9 years old, it is rotated when {product-title} starts or restarts.
+
+. Red zone
+.. When a short-term certificate is 8 months old, {product-title} restarts to rotate and apply a new certificate.
+.. When a long-term certificate is 9 years old, {product-title} restarts to rotate and apply a new certificate.
+
+[NOTE]
+====
+If the rotated certificate is a Certificate Authority, all of the certificates it signed rotate.
+====
+
+.Stoplight timeline of {product-title} certificate validity.
+image::microshift-cert-rotation.png[<{product-title} graph with symbolic green-yellow-red stoplight map of certificates>]