Merge pull request #113392 from wgabor0427/OSDOCS-17172-node-certificates

OSDOCS-17172-node-certificates CQA

Author: dfitzmau

modules/renewing-node-certificates.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * security/certificate_types_descriptions/node-certificates.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="renewing-node-certificates_{context}"]
+= Renewing node certificates
+
+[role="_abstract"]
+Although the kubelet CA certificate automatically renews at 292 days, you can manually trigger renewal earlier by annotating the `kube-apiserver-to-kubelet-signer` secret.
+
+The old CA certificate is removed after 365 days. Nodes are not rebooted when a kubelet CA certificate is renewed or removed.
+
+.Procedure
+
+* Annotate the secret to trigger manual renewal by running the following command:
++
+[source,terminal]
+----
+$ oc annotate -n openshift-kube-apiserver-operator secret kube-apiserver-to-kubelet-signer auth.openshift.io/certificate-not-after-
+----

security/certificate_types_descriptions/node-certificates.adoc

@@ -6,32 +6,16 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-== Purpose
+[role="_abstract"]
+Manage node certificates in {product-title}, including understanding their purpose for kubelet-API server communication, automatic rotation schedule, and how to manually renew the kubelet CA certificate.
 
 Node certificates are signed by the cluster and allow the kubelet to communicate with the Kubernetes API server. They come from the kubelet CA certificate, which is generated by the bootstrap process.
 
-== Location
-
 The kubelet CA certificate is located in the `kube-apiserver-to-kubelet-signer` secret in the `openshift-kube-apiserver-operator` namespace.
 
-== Management
-
-These certificates are managed by the system and not the user.
-
-== Expiration
-
-Node certificates are automatically rotated after 30 days.
-
-== Renewal
-
-The Kubernetes API Server Operator automatically generates a new `kube-apiserver-to-kubelet-signer` CA certificate at 292 days. The old CA certificate is removed after 365 days. Nodes are not rebooted when a kubelet CA certificate is renewed or removed.
-
-Cluster administrators can manually renew the kubelet CA certificate by running the following command:
+These certificates are managed by the system and not the user and are automatically rotated after 30 days.
 
-[source,terminal]
-----
-$ oc annotate -n openshift-kube-apiserver-operator secret kube-apiserver-to-kubelet-signer auth.openshift.io/certificate-not-after-
-----
+include::modules/renewing-node-certificates.adoc[leveloffset=+1]
 
 
 [role="_additional-resources"]