Merge branch 'harvester:main' into alexarnoldy-NetApp-doc-updates

harvester · Jan 6, 2025 · f23f9d4 · f23f9d4
2 parents 0ebd0d2 + 804df1d
commit f23f9d4
Show file tree

Hide file tree

Showing 4 changed files with 93 additions and 11 deletions.
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
@@ -5,8 +5,7 @@ on:
     branches: [main]
 
 jobs:
-  deploy:
-    name: Deploy to GitHub Pages
+  build:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@v2
@@ -18,11 +17,21 @@ jobs:
         run: |
           yarn install --frozen-lockfile
           yarn build
-      # Popular action to deploy to GitHub Pages:
-      # Docs: https://github.com/peaceiris/actions-gh-pages#%EF%B8%8F-docusaurus
-      - name: Deploy to GitHub Pages
-        uses: peaceiris/actions-gh-pages@v3
+      - name: Upload static files as artifact
+        id: deployment
+        uses: actions/upload-pages-artifact@v3
         with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          # Build output to publish to the `gh-pages` branch:
-          publish_dir: ./build
+          path: ./build
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      id-token: write
+      pages: write
+    needs: build
+    environment:
+      name: github-pages
+      url: ${{ steps.deployment.outputs.page_url }}
+    steps:
+      - name: Deploy to GitHub Pages
+        id: deployment
+        uses: actions/deploy-pages@v4
diff --git a/kb/2023-08-23/using_rook_ceph_storage.md b/kb/2023-08-23/using_rook_ceph_storage.md
@@ -119,7 +119,7 @@ kubectl apply -f ./csi/rbd/snapshotclass-external.yaml
 
 ## Configure Harvester Cluster
 
-Before you can make use of Harvester's **Backup & Snapshot** features, you need to set up some essential configurations through the Harvester [csi-driver-config](https://docs.harvesterhci.io/v1.2/advanced/settings#csi-driver-config) setting. To set up these configurations, follow these steps:
+Before you can make use of Harvester's **Backup & Snapshot** features, you need to set up some essential configurations through the Harvester [csi-driver-config](https://docs.harvesterhci.io/v1.4/advanced/index#csi-driver-config) setting. To set up these configurations, follow these steps:
 
 1. Login to the Harvester UI, then navigate to **Advanced** > **Settings**.
 1. Find and select **csi-driver-config**, and then click on the **⋮** > **Edit Setting** to access the configuration options.
@@ -137,4 +137,4 @@ With these configurations in place, your Harvester cluster is ready to make the
 
 ![rook-ceph-volume-external](./imgs/rook-ceph-volume-external.png)
 
-![rook-ceph-vm-external](./imgs/rook-ceph-vm-external.png)
+![rook-ceph-vm-external](./imgs/rook-ceph-vm-external.png)
diff --git a/kb/2024-11-28/imgs/kubevirt_certs_expired.png b/kb/2024-11-28/imgs/kubevirt_certs_expired.png
diff --git a/kb/2024-11-28/kubevirt_cert_rotation.md b/kb/2024-11-28/kubevirt_cert_rotation.md
@@ -0,0 +1,73 @@
+---
+title: KubeVirt Certificates Rotation
+description: KubeVirt Certificates Rotation.
+slug: kubevirt_certificates_rotation
+authors:
+  - name: Cooper Tseng
+    title: Software Engineer
+    url: https://github.com/brandboat
+    image_url: https://github.com/brandboat.png
+tags: [harvester, kubevirt, certificates, cert, ca]
+hide_table_of_contents: false
+---
+
+Harvester's embedded Rancher UI may display warnings about expiring KubeVirt certificates. You can safely ignore these warnings because automatic certificate rotation is handled by KubeVirt and is enabled by default.
+
+![kubevirt-certs-expired](./imgs/kubevirt_certs_expired.png)
+
+## KubeVirt Certificate Rotation Strategy
+KubeVirt provides a self-signed certificate mechanism that rotates both CA and certifcates on a defined recurring interval. You can check the setting  `certificateRotateStrategy` by running the following command:
+```sh
+kubectl get kubevirt -n harvester-system -o yaml
+```
+By default, the value of `certificateRotateStrategy` is empty, which means that KubeVirt uses its default rotation settings and no manual configuration is required.
+```yaml
+certificateRotateStrategy: {}
+```
+
+## Configuration Fields
+
+You can use the following fields to configure `certificateRotateStrategy`.
+- `.ca.duration`: Validity period of the CA certificate. The default value is "168h".
+- `.ca.renewBefore`: Amount of time before a CA certificate expires during which a new certificate is issued. The default value is "33.6h".
+- `.server.duration`: Validity period of server component certificates (for example, virt-api, virt-handler, and virt-operator). The default value is "24h".
+- `.server.renewBefore`: Amount of time before a server certificate expires during which a new certificate is issued. The default value is "4.8h".
+
+Example of a complete configuration:
+```yaml
+certificateRotateStrategy:
+  selfSigned:
+    ca:
+      duration: 168h
+      renewBefore: 33.6h
+    server:
+      duration: 24h
+      renewBefore: 4.8h
+```
+
+## Certificate Rotation Triggers
+
+Certificate rotation can be triggered by several conditions. The following list only outlines key triggers and is not exhaustive.
+- Missing certificate: A required certificate does not exist.
+- Invalid CA signature: A certificate was not signed by the specified CA.
+- Proactive renewal: The `renewBefore` value takes effect. A new certificate must be issued before the current one expires.
+- CA expiration: The CA certificate has expired, so the certificate signed by the CA is also rotated.
+
+When certificate rotation is triggered, you should see `virt-operator` log records similar to the following:
+```txt
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-virt-api-certs updated","pos":"core.go:278","timestamp":"2024-12-06T08:02:01.045809Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-controller-certs updated","pos":"core.go:278","timestamp":"2024-12-06T08:02:01.056759Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-exportproxy-certs updated","pos":"core.go:278","timestamp":"2024-12-06T08:02:01.063530Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-virt-handler-server-certs updated","pos":"core.go:278","timestamp":"2024-12-06T08:02:01.068608Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-virt-handler-certs updated","pos":"core.go:278","timestamp":"2024-12-06T08:02:01.074555Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-operator-certs updated","pos":"core.go:278","timestamp":"2024-12-06T08:02:01.078719Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-export-ca updated","pos":"core.go:278","timestamp":"2024-12-06T08:03:36.063496Z"}
+{"component":"virt-operator","level":"info","msg":"secret kubevirt-ca updated","pos":"core.go:278","timestamp":"2024-12-06T08:04:06.052750Z"}
+```
+
+## References
+
+- Harvester: [Issue 5798](https://github.com/harvester/harvester/issues/5798)
+- https://kubevirt.io/2020/KubeVirt-Security-Fundamentals.html
+- https://github.com/kubevirt/kubevirt/blob/v1.1.1/pkg/virt-operator/resource/generate/components/secrets.go#L326
+- https://github.com/kubevirt/kubevirt/blob/v1.1.1/pkg/virt-operator/resource/apply/certificates.go