Install Custom Kubernetes Root CA Certificate

Story: 2011399
Task: 52686

Change-Id: I6eea2ae16a20b59c448cab98cc2e4c1309265d82
Signed-off-by: Ngairangbam Mili <ngairangbam.mili@windriver.com>
This commit is contained in:
Ngairangbam Mili
2025-08-21 08:54:37 +00:00
parent aa48208729
commit 6fe7ee5aa7


@@ -6,6 +6,15 @@
Install Custom Kubernetes Root CA Certificate
=============================================
.. note::
The overrides ``k8s_root_ca_cert``, ``k8s_root_ca_key`` and,
``apiserver_cert_sans`` are planned to be be discontinued in future releases.
External connections to kube-apiserver go through a proxy which uses the
REST API/GUI certificate, issued by the Platform Issuer (system-local-ca).
For instructions on how to configure the Platform Issuer, see `https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html#platform-issuer-system-local-ca <https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html#platform-issuer-system-local-ca>`__.
By default, the K8S Root |CA| certificate and key are auto-generated and result
in the other Kubernetes certificates being signed by an internal not well-known
|CA|; for example, for the Kubernetes API server certificate.
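Review bot: two wording slips in the added note: "``k8s_root_ca_key`` and, ``apiserver_cert_sans``" has a stray comma after "and", and "planned to be be discontinued" doubles "be". The note also tells the reader that external kube-apiserver connections go through the proxy with the REST API/GUI certificate, but says nothing about what replaces ``k8s_root_ca_cert`` and ``k8s_root_ca_key`` for the Kubernetes-internal certificates those overrides currently sign; since the very next paragraph still describes the auto-generated root |CA|, one sentence stating what an operator who needs a custom root |CA| should do once the overrides are gone would remove the ambiguity. Minor: the bare URL repeated as its own link text renders as a very long line; a short label such as `Platform Issuer (system-local-ca) <https://docs.starlingx.io/deploy_install_guides/release/ansible_bootstrap_configs.html#platform-issuer-system-local-ca>`__ reads better.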
@@ -53,12 +62,12 @@ must be in |PEM| format and the value must be provided as part of a pair
with <k8s_root_ca_cert>.
.. note::
Ensure the certificates have RSA key length >= 2048 bits. The
|prod-long| Release |this-ver| provides a new version of ``openssl`` which
requires a minimum of 2048-bit keys for RSA for better security / encryption
strength.
You can check the key length by running ``openssl x509 -in <the certificate file> -noout -text``
and looking for the "Public-Key" in the output. For more information see
:ref:`Create Certificates Locally using openssl <create-certificates-locally-using-openssl>`.
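Review bot: the key-length note only covers RSA and the suggested check only inspects the certificate, yet the override pair also includes ``k8s_root_ca_key``; the text should say how to verify the private key as well (my suggestion: ``openssl rsa -in <the key file> -noout -text``, which prints the key size on its "Private-Key" line) and should state whether non-RSA (EC) keys are accepted at all, since as written a reader cannot tell if an EC root |CA| key would be rejected by the same ``openssl`` restriction. "for better security / encryption strength" is vague; the concrete constraint already given, that the shipped ``openssl`` requires at least 2048-bit RSA keys, is enough on its own. The certificate check could also be narrowed to ``openssl x509 -in <the certificate file> -noout -text | grep Public-Key`` so the reader does not have to scan the full dump, and "For more information see" wants a comma before the reference.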