tiproxy: add note about reloading certificates once an hour (#22138)

dveeden · web-flow · commit 9cff933fa38c · 2025-12-09T09:04:14.000Z
diff --git a/enable-tls-between-components.md b/enable-tls-between-components.md
@@ -264,7 +264,9 @@ After configuring TLS for communication between TiDB components, you can use the
 
 ## Reload certificates
 
-- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, TiProxy, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.
+- If your TiDB cluster is deployed in a local data center, to reload the certificates and keys, TiDB, PD, TiKV, TiFlash, TiCDC, and all kinds of clients reread the current certificates and key files each time a new connection is created, without restarting the TiDB cluster.
+
+- TiProxy reloads certificates from disk once an hour.
 
 - If your TiDB cluster is deployed on your own managed cloud, make sure that the issuance of TLS certificates is integrated with the certificate management service of the cloud provider. The TLS certificates of the TiDB, PD, TiKV, TiFlash, TiCDC, and TiProxy components can be automatically rotated without restarting the TiDB cluster.
 
diff --git a/tiproxy/tiproxy-configuration.md b/tiproxy/tiproxy-configuration.md
@@ -221,6 +221,10 @@ When you need to isolate computing layer resources, you can configure multiple v
 
 ### security
 
+> **Note:**
+>
+> TiProxy reloads certificates from disk once an hour. Therefore, any changes that you make to certificate files on disk can take up to one hour to take effect.
+
 There are four TLS objects in the `[security]` section with different names. They share the same configuration format and fields, but they are interpreted differently depending on their names.
 
 ```toml
