system-local-ca update

Update documentation regarding system-local-ca.
Fix conflict.

Story: 2009811
Task: 50152

Change-Id: I0ae5f4eaee4f4612a570ed88fa81df2bf18bb2a1
Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>

doc/source/_vendor/rl-strings.txt

@@ -296,7 +296,7 @@
 .. |remote-windows-active-directory-accounts| replace:: :ref:`Remote Windows Active Directory Accounts <remote-windows-active-directory-accounts>`
 .. |cert-manager-post-installation-setup| replace:: :ref:`Cert-Manager Post Installation Setup <cert-manager-post-installation-setup>`
 .. |configure-remote-cli-access| replace:: :ref:`Configure Remote CLI Access <configure-remote-cli-access>`
-.. |starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834| replace:: :ref:`System Local CA Issuer <starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834>`
+.. |system-local-ca-issuer-9196c5794834| replace:: :ref:`System Local CA Issuer <system-local-ca-issuer-9196c5794834>`
 .. |install-security-profiles-operator-1b2f9a0f0108| replace:: :ref:`Install Security Profiles Operator (SPO) <install-security-profiles-operator-1b2f9a0f0108>`
 .. |operator-login-authentication-logging| replace:: :ref:`Operator Login/Authentication Logging <operator-login-authentication-logging>`
 .. |configure-the-keystone-token-expiration-time| replace:: :ref:`Configure the Keystone Token Expiration Time <configure-the-keystone-token-expiration-time>`

doc/source/security/kubernetes/configure-oidc-auth-applications.rst

@@ -46,7 +46,7 @@ Configure OIDC Auth Applications
       Certificates used by ``oidc-auth-apps`` can be managed by Cert-Manager.
       Doing so will automatically renew the certificates before they expire.
       The ``system-local-ca`` ClusterIssuer (see
-      :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`)
+      :ref:`system-local-ca-issuer-9196c5794834`)
       will be used to issue this certificate.
 
       .. note::

doc/source/security/kubernetes/https-access-overview.rst

@@ -63,7 +63,7 @@ present on |DC| SystemController systems or |DC| Subclouds.
     | system-local-ca                                                     |  The |CA| certificate used to create Cert-Manager ClusterIssuer for signing a variety of StarlingX server certificates.                                            | Yes                                                                          | NOT AUTO-RENEWED. MUST be renewed via CLI                                                                |
     |                                                                     |  For Laboratory environment, K8s Root CA Certificate is used by default. For product environment, the |CA| certificate should be set                               |                                                                              |                                                                                                          |
     |                                                                     |  to an Intermediate |CA| Cert/Key that has been signed by an external public Root |CA| at bootstrap through overrides or through the proper update procedure.      |                                                                              |                                                                                                          |
-    |                                                                     |  For information on ``system-local-ca``, see :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`.                                    |                                                                              |                                                                                                          |
+    |                                                                     |  For information on ``system-local-ca``, see :ref:`system-local-ca-issuer-9196c5794834`.                                                                           |                                                                              |                                                                                                          |
     +---------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------------------------------------------------------------------+------------------------------------------------------------------------------+----------------------------------------------------------------------------------------------------------+
     | system-openldap-local-certificate                                   |  Certificate used by OpenLDAP server to identify itself over HTTPS. It is typically signed by **system-local-ca**. Services such as                                | Yes                                                                          | auto-renewed by system                                                                                   |
     |                                                                     |  |SSH|/|SSSD| that access OpenLDAP verify this serving certificate with **system-local-ca**.                                                                       |                                                                              |                                                                                                          |

doc/source/security/kubernetes/index-security-kub-81153c1254c3.rst

@@ -101,7 +101,7 @@ HTTPS Certificate Management
    utility-script-to-display-certificates
    etcd-certificates-c1fc943e4a9c
    kubernetes-certificates-f4196d7cae9c
-   starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834
+   system-local-ca-issuer-9196c5794834
    local-ldap-certificates-4e1df1e39341
    configure-rest-api-apps-and-web-admin-server-certs-after-inst-6816457ab95f
    configure-docker-registry-certificate-after-installation-c519edbfe90a

doc/source/security/kubernetes/starlingx-rest-api-applications-and-the-web-administration-server-deprecated.rst

@@ -8,7 +8,7 @@ StarlingX REST API Applications and the Web Administration Server Certificate
 
 .. note::
     This procedure is deprecated. For up-to-date information, refer to:
-    :ref:`starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834`.
+    :ref:`system-local-ca-issuer-9196c5794834`.
 
 By default, |prod| provides HTTP access to REST API application endpoints
 \(Keystone, Barbican and |prod|) and the web administration server. For

doc/source/security/kubernetes/system-local-ca-issuer-9196c5794834.rst

@@ -1,25 +1,61 @@
-.. _starlingx-rest-api-applications-and-the-web-admin-server-cert-9196c5794834:
+.. _system-local-ca-issuer-9196c5794834:
 
 ======================
 System Local CA Issuer
 ======================
 
 
-At installation time, a ``system-local-ca`` ClusterIssuer is created. The
+At installation time, a ClusterIssuer named ``system-local-ca`` is created,
-intent is that the ``system-local-ca`` can be the single root of trust for
+intended to be the single root of trust for Platform Certificates, such that
-Platform Certificates, such that external clients, using Platform APIs, need
+external clients, using Platform APIs, need only add a single Root |CA| public
-only add the single ``system-local-ca`` public certificate to their list of
+certificate in their list of trusted |CAs| for the purpose of validating Platform
-trusted |CAs| for the purpose of validating Platform server certificates. 
+server certificates.
 
-At installation time, the ``cert-manager/system-local-ca`` TLS Secret, which is
+The Intermediate |CA| |TLS| cert and key are customizable during installation
-used for CA Signing by the ``system-local-ca`` ClusterIssuer, is initially set
+using bootstrap overrides, see :ref:`ansible_bootstrap_configs_r7`. If the
-to the Kubernetes Root CA. At installation time, the Kubernetes Root |CA| is
+overrides are not provided, the issuer will be set to use the Kubernetes Root
-either auto-generated or explicitly set thru bootstrap playbook overrides (see
+|CA|. The data is stored in a K8s |TLS| secret in namespace ``cert-manager``,
-:ref:`kubernetes-root-ca-certificate`).
+named ``system-local-ca``.
 
-In a Distributed Cloud System, by default, the Subclouds are deployed with the
+In a Distributed Cloud System, by default, the subclouds are deployed with the
-same Kubernetes Root |CA| and the same ``system-local-ca`` as the
+same |TLS| cert and key in ``system-local-ca`` issuer as the SystemController.
-SystemController.
+
+This ClusterIssuer, during bootstrap, will automatically issue:
+
+- Local OpenLDAP certificate (in DC SystemController or Standalone controller).
+
+- REST API & Web Server certificate.
+
+- Docker Registry certificate.
+
+The Root |CA| public certificate of ``system-local-ca`` can be retrieve with the
+following command trough the CLI:
+
+.. code-block:: none
+
+    $ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode
+
+You can also create other server certificates using this issuer and use it in
+you applications. These certificates will be renewed automatically by
+cert-manager. A snippet of how this can be included in a Kubernetes resource
+file (to be applied afterwards), for reference:
+
+.. code-block:: none
+
+    apiVersion: cert-manager.io/v1
+    kind: Certificate
+    metadata:
+        name: <cert-name>
+        namespace: <cert-namespace>
+    spec:
+        secretName: <secret-name (where the cert will be stored) >
+        dnsNames:
+        - ...
+        ipAddresses:
+        - ...
+        issuerRef:
+            name: system-local-ca
+            kind: ClusterIssuer
 
 .. note::