RS 7.22.2 minor release docs (#2121)

* DOC-5565 RS 7.22.2 release notes draft

* DOC-5565 Added resolved issues and more details about customer-managed internode encryption certs to RS 7.22.2 release notes

* RS: Customer-managed certificates for internode encryption (#2010)

* DOC-5210 RS: Added ccs_internode_encryption and data_internode_encryption to certificates table

* DOC-5210 Added more details to the INE certificate descriptions

* DOC-5210 Added new section for customer-managed internode encryption certificates

* DOC-5210 Copy edits

* Add <img> handling to show full size image on click, similar to image shortcode

* DOC-5210 More copy edits

* Reduce top margin when headers immediately follow other headers with no regular text in between

* DOC-5564 Added link to customer-provided internode encryption certs in release notes

* DOC-5210 Updated rladmin and REST API examples for customer-provided INE certs

* DOC-5210 Updated rladmin cluster certificate reference for customer-provided INE certs

* DOC-5210 Updated certificate REST API requests reference for customer-provided INE certs

* Added deprecation of PUT /v1/cluster/update_cert to RS 7.22.2 release notes

* DOC-5210 Added new customer_managed_ine_certificates to v2 Prometheus metrics

* DOC-5210 Added new PUT /v1/cluster/certificates examples for updating certs in RS 7.22.2 and later

* Attempting to fix broken img in RS update certs

* DOC-5210 Feedback update to clarify when new certs are used

* DOC-5210 Feedback update to clarify rladmin cluster certificate reference - divided command options into 2 sections

* DOC-5210 Feedback update for auto-copying certs to new nodes

* DOC-5210 Feedback update to add shared and separate INE cert examples for rladmin and REST API

* DOC-5210 Fixed typo

* DOC-5210 Fixed multitabs IDs

* DOC-5210 Updated screenshot for cluster certs screen that includes INE certs section

* DOC-5566 Added build number and checksums to 7.22.2 Sept release notes, removed bug fix that will be in a future maintenance release, mentioned bug fixes in highlights/description

* DOC-5210 Feedback update to add RSA key requirement for customer-provided INE certs

* DOC-5564 Updated RS 7.22.2 release notes build number and checksums

Author: rrelledge

assets/css/index.css

@@ -101,6 +101,25 @@ section.prose {
   @apply mt-16 scroll-mt-6;
 }
 
+/* Reduce top margin when headers immediately follow other headers */
+.prose h1[id] + h2[id],
+.prose h1[id] + h3[id],
+.prose h1[id] + h4[id],
+.prose h1[id] + h5[id],
+.prose h1[id] + h6[id],
+.prose h2[id] + h3[id],
+.prose h2[id] + h4[id],
+.prose h2[id] + h5[id],
+.prose h2[id] + h6[id],
+.prose h3[id] + h4[id],
+.prose h3[id] + h5[id],
+.prose h3[id] + h6[id],
+.prose h4[id] + h5[id],
+.prose h4[id] + h6[id],
+.prose h5[id] + h6[id] {
+  @apply mt-6;
+}
+
 .prose p:empty,
 .prose li:empty {
   @apply hidden;

content/embeds/rs-prometheus-metrics-v2.md

@@ -51,6 +51,7 @@
 | <span class="break-all">node_available_memory_no_overbooking_bytes</span> | gauge | Available RAM in the node (bytes) without taking into account overbooking |
 | node_bigstore_free_bytes | gauge | Sum of free space of back-end flash (used by flash database's [BigRedis]) on all cluster nodes (bytes); returned only when BigRedis is enabled |
 | <span class="break-all">node_cert_expires_in_seconds</span> | gauge | Certificate expiration (in seconds) per given node; read more about [certificates in Redis Enterprise]({{< relref "/operate/rs/security/certificates" >}}) and [monitoring certificates]({{< relref "/operate/rs/security/certificates/monitor-certificates" >}}) |
+| <span class="break-all">customer_managed_ine_certificates</span> | gauge | Indicates whether customer-provided internode encryption certificates are in use<br />0=No<br />1=Yes |
 | <span class="break-all">node_ephemeral_storage_avail_bytes</span> | gauge | Disk space available to RLEC processes on configured ephemeral disk (bytes) |
 | <span class="break-all">node_ephemeral_storage_free_bytes</span> | gauge | Free disk space on configured ephemeral disk (bytes) |
 | node_memory_MemFree_bytes | gauge | Free memory in the node (bytes) |

content/operate/rs/references/cli-utilities/rladmin/cluster/certificate.md

@@ -5,7 +5,7 @@ categories:
 - docs
 - operate
 - rs
-description: Sets the cluster certificate.
+description: Sets cluster certificates.
 headerRange: '[1-2]'
 linkTitle: certificate
 tags:
@@ -14,13 +14,14 @@ toc: 'true'
 weight: $weight
 ---
 
+## `cluster certificate set <certificate_name>`
+
 Sets a cluster certificate to a specified PEM file.
 
 ```sh
-rladmin cluster certificate
-        set <certificate name>
-        certificate_file <certificate filepath>
-        [ key_file <key filepath> ]
+rladmin cluster certificate set <certificate_name>
+        certificate_file <filepath>
+        [ key_file <filepath> ]
 ```
 
 To set a certificate for a specific service, use the corresponding certificate name. See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions.
@@ -29,7 +30,7 @@ To set a certificate for a specific service, use the corresponding certificate n
 
 | Parameter | Type/Value | Description |
 |-----------|------------|-------------|
-| certificate name | 'cm'<br /> 'api'<br /> 'proxy'<br /> 'syncer'<br /> 'metrics_exporter' | Name of the certificate to update |
+| certificate_name | 'cm'<br /> 'api'<br /> 'proxy'<br /> 'syncer'<br /> 'metrics_exporter' | Name of the certificate to update. See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for descriptions. |
 | certificate_file | filepath | Path to the certificate file |
 | key_file | filepath | Path to the key file (optional) |
 
@@ -39,8 +40,47 @@ Reports that the certificate was set to the specified file. Returns an error mes
 
 ### Example
 
+Update the proxy certificate:
+
 ```sh
 $ rladmin cluster certificate set proxy \
        certificate_file /tmp/proxy.pem
 Set proxy certificate to contents of file /tmp/proxy.pem
 ```
+
+## `cluster certificate set internal`
+
+Sets [customer-provided internode encryption certificates]({{<relref "/operate/rs/security/encryption/internode-encryption#customer-provided-certificates">}}).
+
+```sh
+rladmin cluster certificate set internal
+        dpine_certificate_file <filepath>
+        dpine_key_file <filepath>
+        cpine_certificate_file <filepath>
+        cpine_key_file <filepath>
+```
+
+### Parameters
+
+| Parameter | Type/Value | Description |
+|-----------|------------|-------------|
+| dpine_certificate_file | filepath | Path to the data plane internode encryption (DPINE) certificate file |
+| dpine_key_file | filepath | Path to the data plane internode encryption (DPINE) key file |
+| cpine_certificate_file | filepath | Path to the control plane internode encryption (CPINE) certificate file |
+| cpine_key_file | filepath | Path to the control plane internode encryption (CPINE) key file |
+
+### Returns
+
+Reports that the internal certificates were set to the specified files. Returns an error message if the certificates fail to update.
+
+### Example
+
+Set up [customer-provided internode encryption certificates]({{<relref "/operate/rs/security/encryption/internode-encryption#customer-provided-certificates">}}):
+
+```sh
+$ rladmin cluster certificate set internal \
+       dpine_certificate_file /tmp/dpine_cert.pem \
+       dpine_key_file /tmp/dpine_key.pem \
+       cpine_certificate_file /tmp/cpine_cert.pem \
+       cpine_key_file /tmp/cpine_key.pem
+```

content/operate/rs/references/rest-api/objects/certificates.md

@@ -0,0 +1,19 @@
+---
+Title: Certificates object
+alwaysopen: false
+categories:
+- docs
+- operate
+- rs
+description: An object that represents a certificate
+linkTitle: certificates
+weight: $weight
+---
+
+An API object that represents a certificate used by a Redis Enterprise Software cluster.
+
+| Name | Type/Value | Description |
+|------|------------|-------------|
+| name | `cm`<br />`api`<br />`mtls_trusted_ca`<br />`proxy`<br />`metrics_exporter`<br />`syncer`<br />`ldap_client`<br />`ccs_internode_encryption`<br />`data_internode_encryption` | Certificate type.<br />See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions. |
+| certificate | string | The certificate in PEM format |
+| key | string | The private key in PEM format |

content/operate/rs/references/rest-api/requests/cluster/certificates/_index.md

@@ -15,7 +15,8 @@ weight: $weight
 | Method | Path | Description |
 |--------|------|-------------|
 | [GET](#get-cluster-certificates) | `/v1/cluster/certificates` | Get cluster certificates |
-| [PUT](#put-cluster-update_cert) | `/v1/cluster/update_cert` | Update a cluster certificate |
+| [PUT](#put-cluster-certificates) | `/v1/cluster/certificates` | Update cluster certificates |
+| [PUT](#put-cluster-update_cert) | `/v1/cluster/update_cert` | Update a cluster certificate (deprecated as of Redis Enterprise Software version 7.22.2) |
 | [DELETE](#delete-cluster-certificate) | `/v1/cluster/certificates/{certificate_name}` | Delete cluster certificate |
 
 ## Get cluster certificates {#get-cluster-certificates}
@@ -62,15 +63,83 @@ Returns a JSON object that contains the cluster's certificates and keys.
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | No error |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | No error |
 
 
+## Update cluster certificates {#put-cluster-certificates}
+
+```sh
+PUT /v1/cluster/certificates
+```
+
+Replaces multiple cluster certificates with the provided certificates on all nodes within the cluster. This endpoint validates all provided certificates before actually updating the cluster.
+
+See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions.
+
+### Request {#put-certificates-request}
+
+#### Example HTTP request
+
+```sh
+PUT /v1/cluster/certificates
+```
+
+#### Example JSON body
+
+```json
+{
+  "certificates": [
+    {
+      "name": "proxy",
+      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
+      "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
+    },
+    {
+      "name": "api",
+      "certificate": "-----BEGIN CERTIFICATE-----\n...\n-----END CERTIFICATE-----",
+      "key": "-----BEGIN PRIVATE KEY-----\n...\n-----END PRIVATE KEY-----"
+    }
+  ]
+}
+```
+
+#### Request headers
+
+| Key | Value | Description |
+|-----|-------|-------------|
+| Host | cnm.cluster.fqdn | Domain name |
+| Accept | application/json | Accepted media type |
+
+#### Request body
+
+Include an array of [certificate objects]({{<relref "/operate/rs/references/rest-api/objects/certificates">}}) in the request body.
+
+### Response {#put-certificates-response}
+
+Returns a `200 OK` status code if all certificates are successfully replaced across the entire cluster.
+
+If the response returns a failed status code, you should retry updating the certificates in case the cluster is no longer in an optimal state.
+
+### Status codes {#put-certificates-status-codes}
+
+| Code | Description |
+|------|-------------|
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | No error |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Failed, invalid certificate(s) |
+| [403 Forbidden](https://www.rfc-editor.org/rfc/rfc9110.html#name-403-forbidden) | Failed, unknown certificate(s) |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Failed, expired certificate(s) |
+| [409 Conflict](https://www.rfc-editor.org/rfc/rfc9110.html#name-409-conflict) | Failed, not all nodes have been updated |
+
 ## Update cluster certificate {#put-cluster-update_cert}
 
 ```sh
 PUT /v1/cluster/update_cert
 ```
 
+{{<note>}}
+This REST API path is deprecated as of Redis Enterprise Software 7.22.2 and will be removed in a future version. Use [`PUT /v1/cluster/certificates`](#put-cluster-certificates) instead.
+{{</note>}}
+
 Replaces an existing certificate on all nodes within the cluster with a new certificate. The new certificate must pass validation before it can replace the old certificate.
 
 See the [certificates table]({{< relref "/operate/rs/security/certificates" >}}) for the list of cluster certificates and their descriptions.
@@ -105,12 +174,12 @@ Otherwise, retry the certificate update in case the failure was due to a tempora
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | No error |
-| [400 Bad Request](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.1) | Failed, invalid certificate. |
-| [403 Forbidden](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4) | Failed, unknown certificate. |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Failed, invalid certificate. |
-| [406 Not Acceptable](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.7) | Failed, expired certificate. |
-| [409 Conflict](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.10) | Failed, not all nodes have been updated. |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | No error |
+| [400 Bad Request](https://www.rfc-editor.org/rfc/rfc9110.html#name-400-bad-request) | Failed, invalid certificate. |
+| [403 Forbidden](https://www.rfc-editor.org/rfc/rfc9110.html#name-403-forbidden) | Failed, unknown certificate. |
+| [404 Not Found](https://www.rfc-editor.org/rfc/rfc9110.html#name-404-not-found) | Failed, invalid certificate. |
+| [406 Not Acceptable](https://www.rfc-editor.org/rfc/rfc9110.html#name-406-not-acceptable) | Failed, expired certificate. |
+| [409 Conflict](https://www.rfc-editor.org/rfc/rfc9110.html#name-409-conflict) | Failed, not all nodes have been updated. |
 
 
 ## Delete cluster certificate {#delete-cluster-certificate}
@@ -143,7 +212,7 @@ Returns a status code that indicates the certificate deletion success or failure
 
 | Code | Description |
 |------|-------------|
-| [200 OK](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.2.1) | Operation successful |
-| [404 Not Found](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.5) | Failed, requested deletion of an unknown certificate |
-| [403 Forbidden](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.4.4) | Failed, requested deletion of a required certificate |
-| [500 Internal Server Error](http://www.w3.org/Protocols/rfc2616/rfc2616-sec10.html#sec10.5.1) | Failed, error while deleting certificate from disk |
+| [200 OK](https://www.rfc-editor.org/rfc/rfc9110.html#name-200-ok) | Operation successful |
+| [404 Not Found](https://www.rfc-editor.org/rfc/rfc9110.html#name-404-not-found) | Failed, requested deletion of an unknown certificate |
+| [403 Forbidden](https://www.rfc-editor.org/rfc/rfc9110.html#name-403-forbidden) | Failed, requested deletion of a required certificate |
+| [500 Internal Server Error](https://www.rfc-editor.org/rfc/rfc9110.html#name-500-internal-server-error) | Failed, error while deleting certificate from disk |

content/operate/rs/release-notes/rs-7-22-releases/_index.md

@@ -55,6 +55,8 @@ For more detailed release notes, select a build version from the following table
 
 - Deprecated the `data_files` option for the `recovery_plan` specified in [`POST /v2/bdbs`]({{<relref "/operate/rs/references/rest-api/requests/bdbs#post-bdbs-v2">}}) requests. Use the new `original_bdb_shards` option to recover a database from the provided list of shards instead.
 
+- Deprecated [`PUT /v1/cluster/update_cert`]({{<relref "/operate/rs/references/rest-api/requests/cluster/certificates#put-cluster-update_cert">}}) REST API requests as of Redis Enterprise Software version 7.22.2. Use [`PUT /v1/cluster/certificates`]({{<relref "/operate/rs/references/rest-api/requests/cluster/certificates#put-cluster-certificates">}}) to update cluster certificates instead.
+
 #### Internal monitoring and v1 Prometheus metrics deprecation
 
 The existing [internal monitoring engine]({{<relref "/operate/rs/monitoring/v1_monitoring">}}) is deprecated. We recommend transitioning to the new [metrics stream engine]({{<relref "/operate/rs/monitoring/metrics_stream_engine">}}) for improved performance, enhanced integration capabilities, and modernized metrics streaming.