From bd7118083a3a95bdc3fc75220feaf65c571110e4 Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Thu, 17 Apr 2025 17:04:59 -0400 Subject: [PATCH 1/2] MCO 4.19 Release Notes --- release_notes/ocp-4-19-release-notes.adoc | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/release_notes/ocp-4-19-release-notes.adoc b/release_notes/ocp-4-19-release-notes.adoc index 79c05d324ac3..eaca8f69ef15 100644 --- a/release_notes/ocp-4-19-release-notes.adoc +++ b/release_notes/ocp-4-19-release-notes.adoc 
@@ -427,6 +427,14 @@ Starting in {product-title} 4.14, Extended Update Support (EUS) is extended to t [id="ocp-release-notes-machine-config-operator_{context}"] === Machine Config Operator +[id="ocp-release-notes-machine-config-operator-cert-changes_{context}"] +==== Changes to the Machine Config Operator +The Machine Config Server (MCS) CA bundle created by the installation program is now stored in the `machine-config-server-ca` config map in the `openshift-machine-config-operator` namespace. The bundle was previously stored in the `root-ca` configmap in the `kube-system namespace`. The `root-ca` configmap is no longer used in a cluster that cluster upgrades to {product-title} {product-version}. This change was made to make it clear that this CA bundle is managed by the Machine Config Operator (MCO). + +The MCS signing key is stored in the `machine-config-server-ca` secret in the `openshift-machine-config-operator` namespace. + +The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period. + [id="ocp-release-notes-management-console_{context}"] === Management console From c3a8f6381de42a137c8fa098c6a452b75009693d Mon Sep 17 00:00:00 2001 From: Michael Burke Date: Thu, 17 Apr 2025 17:07:51 -0400 Subject: [PATCH 2/2] added fake link to docs --- release_notes/ocp-4-19-release-notes.adoc | 2 ++ 1 file changed, 2 insertions(+) diff --git a/release_notes/ocp-4-19-release-notes.adoc b/release_notes/ocp-4-19-release-notes.adoc index eaca8f69ef15..309ec3ce2775 100644 --- a/release_notes/ocp-4-19-release-notes.adoc 
+++ b/release_notes/ocp-4-19-release-notes.adoc @@ -435,6 +435,8 @@ The MCS signing key is stored in the `machine-config-server-ca` secret in the `o The MCS CA and MCS cert are valid for 10 years and are automatically rotated by the MCO at approximately 8 years. Upon installation or upgrade to {product-title} {product-version}, the CA signing key is not retained. As a result, the CA bundle is immediately considered expired when the MCO certificate controller comes up. This expiration causes an immediate certificate rotation, even if the cluster is not 10 years old. After that point, the next rotation takes place at the standard 8 year period. +For more information about the MCO certificates, see ../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates + [id="ocp-release-notes-management-console_{context}"] === Management console
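Review bot: In the first hunk the new "Changes to the Machine Config Operator" paragraph has a duplicated word and a misplaced code span: "in a cluster that cluster upgrades to {product-title} {product-version}" should read "in a cluster that upgrades to ...", and "the `root-ca` configmap in the `kube-system namespace`" should put only the namespace name in backticks, i.e. "`kube-system` namespace". The same paragraph mixes "config map" and "configmap"; pick one form for the whole section. The rotation paragraph also leaves an operational gap a reader will want filled: it states that the CA signing key is not retained on install or upgrade and that the CA bundle is therefore treated as expired and rotated immediately, but it does not say whether that forced rotation needs any action from the cluster administrator or has any visible effect on nodes, so add a sentence stating the expected impact (or explicitly that none is expected), and write "8-year period" rather than "8 year period".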
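Review bot: The second hunk adds a bare relative path, "../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates", which AsciiDoc will render as literal text rather than a link, and the commit message itself calls it a fake link, so it must not merge as is. Replace it with a proper cross-reference in the form used elsewhere in the release notes, for example `xref:../security_and_compliance/certificate-types-and-descriptions.adoc#cert-types-machine-config-operator-certificates[Machine Config Operator certificates]`, confirm the target anchor exists in that file, and end the sentence with a period.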