Merge "Bootstrap overrides"

doc/source/deploy_install_guides/release/ansible_bootstrap_configs.rst

@@ -441,3 +441,40 @@ configuration file.
 
    Default authentication via service account tokens is always supported,
    even when OpenID Connect authentication is configured.
+
+
+.. _ansible_bootstrap_configs_platform_issuer:
+
+---------------------------------
+Platform Issuer (system-local-ca)
+---------------------------------
+
+.. code-block:: none
+
+    'system_local_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
+    'system_local_ca_key': # the key encoded in a single-line base64 string (via base64 -w0).
+    'system_root_ca_cert': # the certificate encoded in a single-line base64 string (via base64 -w0).
+    'ica_duration':  # optional override for changing the minimum expected expiration time for the ICA provided in years (default is 3).
+    'rca_duration': # optional override for changing the minimum expected expiration time for the RCA provided in years (default is 3).
+    'system_platform_certificate': # Dictionary containing data for customize the platform certificates (DNS, expiration, SANs). Supported fields:
+      dns_domain             # e.g. <lab domain name>.<domain>.com
+      duration               # Amount of time from emission to expiration date - e.g. '2160h'
+      renewBefore            # Amount of time to renew the certificate before expiration date - e.g. '360h'
+                             # 'subject_' fields override common Relative Distinguished Names (RDNs) to be included in the certs.
+      subject_C              # Country
+      subject_ST             # State or Province
+      subject_L              # Location
+      subject_O              # Organization
+      subject_OU             # Organizational Unit
+      subject_CN             # CommonName
+
+.. note::
+
+    The ``system-local-ca`` |TLS| certs and key are shared between
+    SystemController and subclouds in DC systems. Considering this, the
+    overrides for the |RCA|/|ICA| certs and key are not applicable to
+    subclouds, but the leaf certificates can still be configured with the
+    override ``system_platform_certificate`` in separate ways.
+
+For more info about the overrides, look into the inventory parameters described
+in :ref:`migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d`.

doc/source/deploy_install_guides/release/bare_metal/aio_duplex_install_kubernetes.rst

@@ -454,9 +454,15 @@ Bootstrap system on controller-0
             - 1.2.3.4
 
 
-      Refer to :ref:`Ansible Bootstrap Configurations <ansible_bootstrap_configs_r7>`
+      Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
-      for information on additional Ansible bootstrap configurations for advanced
+      ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
-      Ansible bootstrap scenarios.
+      external Root |CA|) for managing / signing all of the |prod|
+      Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
+      more details.
+
+      Refer to :ref:`ansible_bootstrap_configs_r7` for information on
+      additional Ansible bootstrap configurations for advanced Ansible
+      bootstrap scenarios.
 
 #. Run the Ansible bootstrap playbook:
 

doc/source/deploy_install_guides/release/bare_metal/aio_simplex_install_kubernetes.rst

@@ -428,10 +428,15 @@ Bootstrap system on controller-0
          docker_no_proxy:
             - 1.2.3.4
 
+      Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
+      ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
+      external Root |CA|) for managing / signing all of the |prod|
+      Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
+      more details.
 
-      Refer to :ref:`Ansible Bootstrap Configurations
+      Refer to :ref:`ansible_bootstrap_configs_r7` for information on
-      <ansible_bootstrap_configs_r7>` for information on additional Ansible
+      additional Ansible bootstrap configurations for advanced Ansible
-      bootstrap configurations for advanced Ansible bootstrap scenarios.
+      bootstrap scenarios.
 
 #. Run the Ansible bootstrap playbook:
 

doc/source/deploy_install_guides/release/bare_metal/rook_storage_install_kubernetes.rst

@@ -158,10 +158,14 @@ Bootstrap system on controller-0
 
         EOF
 
-   Refer to :ref:`Ansible Bootstrap Configurations
+   Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
-   <ansible_bootstrap_configs_r7>` for information on additional Ansible
+   ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
-   bootstrap configurations for advanced Ansible bootstrap scenarios, such as
+   external Root |CA|) for managing / signing all of the |prod| Certificates.
-   Docker proxies when deploying behind a firewall, etc. Refer to
+   See :ref:`ansible_bootstrap_configs_platform_issuer` for more details.
+
+   Refer to :ref:`ansible_bootstrap_configs_r7` for information on additional
+   Ansible bootstrap configurations for advanced Ansible bootstrap scenarios,
+   such as Docker proxies when deploying behind a firewall, etc. Refer to
    |docker_proxy_config| for details about Docker proxy settings.
 
 #. Run the Ansible bootstrap playbook:

doc/source/shared/_includes/incl-bootstrap-sys-controller-0-standard.rest

@@ -163,6 +163,12 @@
          docker_no_proxy:
             - 1.2.3.4
 
+      Configure ``system_local_ca_cert``, ``system_local_ca_key`` and
+      ``system_root_ca_cert`` to setup a local intermediate |CA| (signed by an
+      external Root |CA|) for managing / signing all of the |prod|
+      Certificates. See :ref:`ansible_bootstrap_configs_platform_issuer` for
+      more details.
+
       Refer to :ref:`Ansible Bootstrap Configurations
       <ansible_bootstrap_configs_r7>` for information on additional
       Ansible bootstrap configurations for advanced Ansible bootstrap