From 7b57fc10ecb2a210202cc4cb3f53f8cd045d6c41 Mon Sep 17 00:00:00 2001 From: Mike Pytlak Date: Mon, 2 Aug 2021 16:12:22 -0400 Subject: [PATCH] BZ:1973274 Added a note on maximum cluster downtime and updated procedure --- modules/graceful-shutdown.adoc | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/modules/graceful-shutdown.adoc b/modules/graceful-shutdown.adoc index 5c43868cd8e3..61f4362d6710 100644 --- a/modules/graceful-shutdown.adoc +++ b/modules/graceful-shutdown.adoc @@ -7,6 +7,11 @@ You can shut down your cluster in a graceful manner so that it can be restarted at a later date. +[NOTE] +==== +You can shut down a cluster until a year from the installation date and expect it to restart gracefully. After a year from the installation date, the cluster certificates expire. +==== + .Prerequisites * You have access to the cluster as a user with the `cluster-admin` role. @@ -19,6 +24,19 @@ It is important to take an etcd backup before performing this procedure so that .Procedure +. If you are shutting the cluster down for an extended period, determine the date on which certificates expire. ++ +[source,terminal] +---- +$ oc -n openshift-kube-apiserver-operator get secret kube-apiserver-to-kubelet-signer -o jsonpath='{.metadata.annotations.auth\.openshift\.io/certificate-not-after}' +---- ++ +.Example output +---- +2022-08-05T14:37:50Zuser@user:~ $ <1> +---- +<1> To ensure that the cluster can restart gracefully, plan to restart it on or before the specified date. As the cluster restarts, the process might require you to manually approve the pending certificate signing requests (CSRs) to recover kubelet certificates. + . Shut down all of the nodes in the cluster. You can do this from your cloud provider's web console, or you can use the below commands: .. Obtain the list of nodes: