From cfed9ee0dc21f2b0b27be235757344ca77046772 Mon Sep 17 00:00:00 2001 From: Elaine Fonaro Date: Mon, 19 Dec 2022 20:38:36 -0300 Subject: [PATCH] Add a note for users to lock/unlock controller nodes after installing an ssl_ca - Added a note for lock/unlock controller node. - Added a reference for installing a root CA. Closes-bug: 1995145 Signed-off-by: Elaine Fonaro Change-Id: I293ecc19348308e60da7f5922d169c455b895576 --- .../configure-oidc-auth-applications.rst | 17 +++++++++++++++++ 1 file changed, 17 insertions(+) diff --git a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst index c085fcf31..5fcb21143 100644 --- a/doc/source/security/kubernetes/configure-oidc-auth-applications.rst +++ b/doc/source/security/kubernetes/configure-oidc-auth-applications.rst @@ -43,6 +43,19 @@ Configure OIDC Auth Applications :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`) will be used to issue this certificate. + .. note:: + If a signing |CA| is not a well-known trusted |CA|, you must ensure the + system trusts the |CA| by specifying it either during the bootstrap + phase of system installation, by specifying ``ssl_ca_cert: `` + in the ansible bootstrap overrides localhost.yml file, or by using the + :command:`system certificate-install -m ssl_ca ` + command. + + Also refer to :ref:`Add a Trusted CA ` + for installing a root |CA|, which includes instruction to `lock/unlock` + controller nodes when using :command:`system certificate-install` + command. + + .. important:: The namespace for ``oidc-auth-apps`` must be ``kube-system``. 
@@ -244,6 +257,10 @@ Configure OIDC Auth Applications overrides ``localhost.yml`` file, or by using the :command:`system certificate-install -m ssl_ca dex-ca.pem` command. + Also refer to :ref:`Add a Trusted CA ` + for installing a root |CA|, which includes instruction to `lock/unlock` + controller nodes when using :command:`system certificate-install` + command. #. Create the secret, ``local-dex.tls``, with the certificate and key, to be used by the **oidc-auth-apps**, as well as the secret,
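Review bot: In the first hunk (@@ -43,6 +43,19 @@), the new ``.. note::`` repeats guidance that already exists lower in the same file: the context of the second hunk shows an existing note ending with "overrides ``localhost.yml`` file, or by using the :command:`system certificate-install -m ssl_ca dex-ca.pem` command", so readers now get the same instruction twice with slightly different wording. Either keep one copy and cross-reference it, or at least align the two: the new copy writes localhost.yml in plain text where the existing one uses ``localhost.yml``, and as shown in the hunk the value after ``ssl_ca_cert:`` and the file argument to ``-m ssl_ca`` are blank where the existing note gives ``dex-ca.pem``; if a placeholder such as a certificate file name was intended there, make sure it survives in the rendered text. Two smaller points in the same paragraph: `lock/unlock` in single backticks is the RST default (title-reference) role, not a literal, so use double backticks or plain text as the rest of the file does, and "includes instruction to" should read "includes instructions to ... when using the :command:`system certificate-install` command".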
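Review bot: In the second hunk (@@ -244,6 +257,10 @@), the ``:ref:`Add a Trusted CA ``` cross-reference shows no target label after the link text as rendered here; Sphinx needs ``:ref:`Link text <label>``` to resolve it, so confirm the label is present in the committed file or the build will emit an unresolved-reference warning. The paragraph is otherwise the same four lines added in the first hunk, so the single-backtick `lock/unlock` and "instruction" versus "instructions" remarks apply here as well; fixing the wording in one place and copying it to the other keeps the two notes consistent.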