Merge pull request #95125 from mburke5678/mco-not-ready-update-trusted-ca

mburke5678 · web-flow · commit dc3d3477839a · 2025-06-25T14:02:58.000-04:00
OCPBUGS55748 Nodes become  temporarily after updating only the trusted CA bundle
diff --git a/modules/customize-certificates-replace-default-router.adoc b/modules/customize-certificates-replace-default-router.adoc
@@ -40,7 +40,9 @@ $ oc patch proxy/cluster \
 +
 [NOTE]
 ====
-If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. Changing any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, results in the MCO rebooting each node in your cluster.
+If you update only the trusted CA for your cluster, the MCO updates the `/etc/pki/ca-trust/source/anchors/openshift-config-user-ca-bundle.crt` file and the Machine Config Controller (MCC) applies the trusted CA update to each node so that a node reboot is not required. However, with these changes, the Machine Config Daemon (MCD) restarts critical services on each node, such as kubelet and CRI-O. These service restarts cause each node to briefly enter the `NotReady` state until the service is fully restarted.
+
+If you change any other parameter in the `openshift-config-user-ca-bundle.crt` file, such as `noproxy`, the MCO reboots each node in your cluster.
 ====
 
 . Create a secret that contains the wildcard certificate chain and key:
