diff --git a/docs/operations/ci/upgrades/cico-workspace-container.md b/docs/operations/ci/upgrades/cico-workspace-container.md
new file mode 100644
index 0000000..294290f
--- /dev/null
+++ b/docs/operations/ci/upgrades/cico-workspace-container.md
@@ -0,0 +1,30 @@
+# cico-workspace container upgrade
+
+## Overview
+
+We provide a [template](https://github.com/centosci/images/blob/master/cico-workspace/openshift/templates/centosci-workspace.yml) that is used to pre-deploy dedicated jenkins pod in our openshift setup.
+It's using jenkins container maintained by Red Hat (RH catalog) and also a specific jenkins-agent container (called cico-workspace) that is spun up for each job that should run in that jenkins environment (dedicated per project/tenant in CI ocp infra)
+
+All that is also discussed in the "Onboard Tenants" section.
+
+## Updating cico-workspace image
+
+The `cico-workspace` container image is available in dedicated [Quay.io](https://quay.io/repository/centosci/cico-workspace) repository.
+That's the repositry/registry that ocp.ci cluster is using to spin up cico-workspace containers on demand, always verifying if there is a new one and then pulling :
+
+```xml
+ quay.io/centosci/cico-workspace:latest
+ false
+ true
+```
+
+The container (re)build process happens either through :
+
+ * git commit/push in upstream [git repository](https://github.com/centosci/images)
+ * a manual build trigger in quay.io
+
+Some notes about what we provide in that cico-workspace image :
+
+ * centos 7 updated container with jenkins agent (java)
+ * ansible (from our own configmanagement SIG)
+ * [python-cicoclient](https://github.com/CentOS/python-cicoclient/) rpm built through cbs.centos.org koji, and needed to interact easily with Duffy API when requesting a node to run tests on
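Review bot: the xml fence under "Updating cico-workspace image" holds only bare values (`quay.io/centosci/cico-workspace:latest`, `false`, `true`) with no element names, so a reader cannot tell which setting is false and which is true; please restore the surrounding tags from the template. The text says the cluster always checks for and pulls a new `:latest`, and that a rebuild comes from either a git push or a manual quay.io trigger, so it is worth stating who is allowed to trigger those builds, since each job's cico-workspace container picks up the result. Minor: "repositry" should be "repository", and the "Onboard Tenants" mention could be a link to that section.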
diff --git a/docs/security/tls.md b/docs/security/tls.md
index 75f08a4..66b8ce4 100644
--- a/docs/security/tls.md
+++ b/docs/security/tls.md
@@ -248,11 +248,13 @@ You can still "force" the playbook execution if you want, from ansible bot host
There is no dedicated ansible host/management station for ci infra (yet) so you have to run it yourself.
Once you have pushed the renewed certs (through git-crypted pkistore git repo), you can just apply with :
```
-for role in haproxy ocp-admin-node ; do
+for role in haproxy ocp-admin-nodei jenkins-server ; do
ansible-playbook playbooks/role-${role}.yml --tags "tls,pki,certs"
done
```
+
+
#### CentOS Stream infra
Same as for other parts of infra, except that you *have* to encrypt with ansible-vault before git commit/git push operations (important).
Once done :
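Review bot: `ocp-admin-nodei` in the changed `for role in ...` line looks like a typo for `ocp-admin-node`, the name on the removed line; as written the loop would call `playbooks/role-ocp-admin-nodei.yml` and the `ocp-admin-node` role would be skipped when applying renewed certs. Suggest `for role in haproxy ocp-admin-node jenkins-server ; do`. The two blank lines added before "#### CentOS Stream infra" can be reduced to one.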
diff --git a/mkdocs.yml b/mkdocs.yml
index ed6d420..b9345be 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -50,6 +50,7 @@ nav:
- Upgrades:
- operations/ci/upgrades/upgrade-notification-template.md
- operations/ci/upgrades/upgrade-jenkins.md
+ - operations/ci/upgrades/cico-workspace-container.md
- Spikes:
- Configure default permissions for ACO users: operations/ci/configuring_default_aco_user_permissions.md