K8SPXC-1494 Documented custom duration setup for TLS and CA #271
Conversation
…ss to S3 storage

The PR also improves the TLS section in docs

modified: docs/TLS.md
modified: docs/backups-restore-to-new-cluster.md
modified: docs/backups-storage.md
modified: docs/operator.md
new file: docs/tls-cert-manager.md
new file: docs/tls-disable.md
new file: docs/tls-manual.md
new file: docs/tls-update.md
modified: mkdocs-base.yml

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
…rations in operator and cert-manager documentation. Added rules and limitations for customizing certificate durations.
modified: docs/operator.md
modified: docs/tls-cert-manager.md
Pull request overview
This PR restructures the TLS/SSL documentation by splitting a monolithic TLS.md file into focused topic-based documents, improving discoverability and maintainability. The changes introduce comprehensive guidance on certificate management, including new content about custom certificate duration configuration and custom TLS verification for S3 backups.
Key changes:
- Split TLS documentation into five focused documents covering cert-manager, manual certificate generation, certificate updates, and TLS disabling
- Added documentation for custom certificate duration configuration (`.spec.tls.certValidityDuration` and `.spec.tls.caValidityDuration`)
- Enhanced backup storage documentation with custom TLS/SSL certificate verification for S3-compatible storage
Reviewed changes
Copilot reviewed 9 out of 9 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| mkdocs-base.yml | Updated navigation structure to organize TLS documentation as a nested section with five topic-based pages; removed unused configuration items |
| docs/tls-update.md | New document describing certificate update procedures for both automatic (cert-manager) and manual certificates, with and without downtime |
| docs/tls-manual.md | New document providing step-by-step guide for generating TLS certificates manually using cfssl tools |
| docs/tls-disable.md | New document explaining how to deploy and manage clusters without TLS encryption |
| docs/tls-cert-manager.md | New document covering cert-manager installation and configuration, including custom certificate duration settings |
| docs/operator.md | Added documentation for new tls.certValidityDuration, tls.caValidityDuration, and S3 caBundle configuration options |
| docs/backups-storage.md | Enhanced S3 storage configuration with custom TLS certificate verification instructions and reorganized content for clarity |
| docs/backups-restore-to-new-cluster.md | Updated restore instructions to include custom TLS certificate configuration for S3 storage backups |
| docs/TLS.md | Converted from comprehensive guide to overview page linking to newly separated topic documents |
| * a destination key. Take it from the output of the `kubectl get pxc-backup` command. The destination consists of the `s3://` prefix, the S3 bucket name | ||
| and the backup name. | ||
| * the necessary [storage configuration keys](backups-storage.md#configure-storage-for-backups), just like in the `deploy/cr.yaml` file of the source cluster. | ||
| * `verifyTLS` to verify the storage server TLS certificate |
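Review bot: the `verifyTLS` bullet should say what disabling verification costs. With `verifyTLS` off the backup client no longer authenticates the S3 endpoint, so a restore to a new cluster could be served by a server presenting any certificate. Since this PR adds an S3 `caBundle` option in docs/operator.md (per the file summary above), the bullet should point readers who use a private CA or self-signed certificate to `caBundle` while keeping verification enabled, and reserve disabling it for test environments. Suggested wording for the bullet: "`verifyTLS` (`true`/`false`) to verify the storage server TLS certificate; keep it `true` and supply `caBundle` when the storage uses a private CA."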
Copilot (AI), Nov 26, 2025:
Missing details on valid values for verifyTLS (likely true/false). The documentation should specify the expected value type and possible values.
| * `verifyTLS` to verify the storage server TLS certificate | |
| * `verifyTLS` (boolean, `true` or `false`) to specify whether to verify the storage server TLS certificate. Set to `true` to enable certificate verification, or `false` to disable it. |
docs/tls-update.md (Outdated)
| kubectl get secret/ps-cluster1-ssl -o jsonpath='{.data.ca\.crt}' | base64 --decode > ca.pem.old | ||
| kubectl get secret/ps-cluster1-ssl -o jsonpath='{.data.tls\.crt}' | base64 --decode > tls.pem.old | ||
| kubectl get secret/ps-cluster1-ssl -o jsonpath='{.data.tls\.key}' | base64 --decode > tls.key.old |
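Review bot: `tls.key.old` is the cluster's TLS private key written to disk in plaintext in the current working directory. The step should restrict access to that file (for example run `umask 077` before the three commands, or `chmod 600 tls.key.old` afterwards) and tell the reader to delete the `.old` files once the updated certificates are confirmed working, so a long-lived copy of the old key is not left behind on an operator's workstation.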
Please remove the `ps-` prefix from the cmd examples.
Fixed
9992118 to bb5fd77
docs/operator.md (Outdated)
|
|
||
| ### `tls.caValidityDuration` | ||
|
|
||
| Validity period for CA certificate. Minimum accepted duration is 730 hours (approximately 30 days). |
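Review bot: the sentence gives the lower bound but not the value format or whether the bound is inclusive: it should show an example value in the syntax the field actually parses (an hours value, if that is what the operator accepts), and state plainly whether exactly 730 hours is accepted or must be exceeded (the reply in this thread reports that exactly 730 fails). It should also say how `tls.caValidityDuration` relates to `tls.certValidityDuration`, for instance whether the leaf certificate validity must be shorter than the CA validity, since readers will set both fields together.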
Found out that the minimum duration must be greater than 730; at exactly 730 hours it will fail :(
Check the fix in https://github.com/percona/percona-xtradb-cluster-operator/pull/2272/files
Documented TLS certificate and CA certificate validity durations in operator and cert-manager documentation. Added rules and limitations for customizing certificate durations.