From 48f110dd38be3558181dbd559f2e001e72ed7b63 Mon Sep 17 00:00:00 2001 From: Dmitriy Rabotyagov Date: Wed, 9 Jun 2021 22:02:11 +0300 Subject: [PATCH] [doc] Document CA generation upgrade step Change-Id: If22b80235d352f6d561243aebf70c6af3bd08287 --- doc/source/admin/upgrades/major-upgrades.rst | 21 ++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/doc/source/admin/upgrades/major-upgrades.rst b/doc/source/admin/upgrades/major-upgrades.rst index cf21285074..98f6b74a26 100644 --- a/doc/source/admin/upgrades/major-upgrades.rst +++ b/doc/source/admin/upgrades/major-upgrades.rst @@ -156,6 +156,27 @@ Upgrade hosts Before installing the infrastructure and OpenStack, update the host machines. +With the introduction of the PKI ansible role, OSA now manages its own Certificate +Authority (CA) when self-signed certificates are used. Before proceeding +with the upgrade, you will need to override ``openstack_pki_authorities`` +and ``openstack_pki_service_intermediate_cert_name`` in your user_variables. +Otherwise, sample authorities will be generated for root and intermediate +certificates and all self-signed certificates generated later will be +signed with them. + +.. warning:: + + Usage of non-trusted certificates for RabbitMQ is not possible + due to requirements of newer ``amqp`` versions. + +To generate new CA, you will need to run the following command: + +.. code-block:: console + + # openstack-ansible certificate-authority.yml + +Once CA is generated, we can proceed with standard OpenStack upgrade steps: + .. code-block:: console # openstack-ansible setup-hosts.yml --limit '!galera_all:!rabbitmq_all'
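Review bot: The added paragraph that tells the operator to override ``openstack_pki_authorities`` and ``openstack_pki_service_intermediate_cert_name`` shows no example of either variable and gives no pointer to where their format is documented, so "you will need to override" cannot be acted on from this page alone. Please add a short sample or a reference to the PKI role documentation, and write "user_variables" as a literal file name if a specific file is meant. The same paragraph says that later self-signed certificates "will be signed with" the sample authorities when nothing is overridden, but does not say whether the authorities can be changed after that point; a sentence on that would tell the reader how much is at stake before running the playbook. The warning about RabbitMQ states that non-trusted certificates are "not possible" without saying what the operator has to do about it at this step; tie it to the CA generated by ``certificate-authority.yml``. Wording: "To generate new CA" and "Once CA is generated" need articles, and "we can proceed" switches from the "you" used earlier in the hunk.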