diff --git a/modules/concepts/nav.adoc b/modules/concepts/nav.adoc index c81bfa18c..b420d8ba0 100644 --- a/modules/concepts/nav.adoc +++ b/modules/concepts/nav.adoc @@ -26,4 +26,7 @@ *** xref:observability/logging.adoc[Logging] *** xref:observability/containerdebug.adoc[Container environment] *** xref:observability/telemetry.adoc[Telemetry] +** Maintenance +*** xref:maintenance/crds.adoc[CRD maintenance] +*** xref:maintenance/eos.adoc[End-of-Support check] ** xref:container-images.adoc[] diff --git a/modules/concepts/pages/maintenance/crds.adoc b/modules/concepts/pages/maintenance/crds.adoc new file mode 100644 index 000000000..d04d60d04 --- /dev/null +++ b/modules/concepts/pages/maintenance/crds.adoc 
@@ -0,0 +1,31 @@ += CustomResourceDefinition (CRD) maintenance +:k8s-webhook-config: https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#configure-customresourcedefinition-to-use-conversion-webhooks + +Starting with SDP 25.11.0, specific operators now manage their own CRD lifecycle independently of Helm or other deployment tools. +The primary reason for this is that the operator is able to inject a {k8s-webhook-config}[conversion webhook configuration] with an up-to-date `caBundle`. +The operator automatically generates a dedicated CA and leaf certificate for the conversion webhook, rotating them every 24 hours. +To maintain secure communication, the operator must continuously inject the up-to-date caBundle into the CRD's webhook configuration. + +This maintenance process can be disabled via a Helm value if desired. + +[WARNING] +==== +It should be noted that when CRD maintenance is disabled, the operator will not deploy and manage the CRDs. +The CRDs need to be deployed manually and the conversion webhook is disabled. +As a result, only custom resources of the stored version can be used. +Only use this setting if you know what you are doing! +==== + +[NOTE] +==== +The following section describe the available fields as well as their default and supported values. +==== + +[source,yaml] +---- +maintenance: + customResourceDefinitions: + maintain: true # <1> +---- + +<1> Boolean: `true`, `false` diff --git a/modules/concepts/pages/maintenance/eos.adoc b/modules/concepts/pages/maintenance/eos.adoc new file mode 100644 index 000000000..3a5d84753 --- /dev/null +++ b/modules/concepts/pages/maintenance/eos.adoc 
@@ -0,0 +1,25 @@ += End-of-Support (EoS) check + +Starting with SDP 25.11.0, operators emit a warning message on startup and in a regular interval when it may have reached end-of-support. +Most of the operators reach end-of-support one year after they have been released, which roughly translates to three SDP releases. +This is in accordance with our xref:compliance:policies.adoc[support policy]. + +The interval can be adjusted or the check can be disabled completely via Helm values. + +[NOTE] +==== +The following sections describe the available fields as well as their default and supported values. +==== + +[source,yaml] +---- +maintenance: + endOfSupportCheck: + enabled: true # <1> + mode: offline # <2> + interval: 24h # <3> +---- + +<1> Boolean: `true`, `false` +<2> Enum: `offline` (currently no other options available) +<3> Duration: Any duration according to xref:reference:duration.adoc[this format]
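Review bot: In modules/concepts/pages/maintenance/crds.adoc, the NOTE promises "default and supported values", but callout <1> lists only `true`, `false` and never says which one is the default. State the default explicitly in the callout; the sample shows `maintain: true`. In the same file, "The following section describe" should read "The following sections describe", as eos.adoc has it, and the second mention of caBundle in the intro paragraph lacks the backticks used on the first. Since the WARNING states that the conversion webhook is disabled and only the stored version can be used when maintenance is off, the page should also name which operators "specific operators" refers to and give the Helm value path in the prose, so a reader can tell whether a given deployment is affected.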
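Review bot: In modules/concepts/pages/maintenance/eos.adoc, the opening sentence switches number ("operators emit a warning message ... when it may have reached end-of-support") and "in a regular interval" should be "at a regular interval". Suggested wording: "each operator emits a warning message on startup and at a regular interval when it may have reached end-of-support". The callouts list supported values but no defaults, although the NOTE promises both, and `mode: offline` is never explained. Add a sentence saying what the offline check is based on and where the warning is emitted, so that it can be picked up by monitoring.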