Create OpenLDAP certificate on bootstrap

Add OpenLDAP certificate to Platform Certificate docs
Fix greybar errors in output
Removed OpenLDAP item

Story: 2009834
Task: 46638

Signed-off-by: Elisamara Aoki Goncalves <elisamaraaoki.goncalves@windriver.com>
Change-Id: I8001aef58fe6b206030462d15645cff7599d6d75

doc/source/security/kubernetes/https-access-overview.rst

@@ -55,6 +55,10 @@ in the following sections.
     +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
     |                                                                                                                                                                                                                                                  |
     +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
+    | OpenLDAP Server Certificate                               | Yes                                                                         | auto-renewed by system                                                                                 |
+    +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
+    |                                                                                                                                                                                                                                                  |
+    +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+
     | OIDC Client and Dex Server Server Certificate             | No                                                                          | auto-renewed if configured with cert-manager;                                                          |
     |                                                           |                                                                             | NOT AUTO-RENEWED if configured with an externally generated certificate, CUSTOMER MUST renew via CLI.  |
     +-----------------------------------------------------------+-----------------------------------------------------------------------------+--------------------------------------------------------------------------------------------------------+

doc/source/security/kubernetes/migrate-platform-certificates-to-use-cert-manager-c0b1727e4e5d.rst

@@ -59,10 +59,11 @@ controllers/subclouds.
           vars:
             system_local_ca_cert: <base64_cert>
             system_local_ca_key: <base64_key>
-           root_ca_cert: <base64_cert>
+            system_root_ca_cert: <base64_cert>
           children:
             target_group:
               vars:
+                system_platform_certificate:
                   dns_domain: xyz.com
                   duration: 2160h # 90d
                   renewBefore: 360h # 15d
@@ -79,6 +80,7 @@ controllers/subclouds.
                 # Sudo password
                 ansible_become_pass: <sysadmin-passwd>
 
+
     The inventory parameters have the following meanings:
 
     ``system_local_ca_cert`` and ``system_local_ca_key``
@@ -86,51 +88,52 @@ controllers/subclouds.
         (self-signed, internal Root |CA|) or use an external Root
         |CA| that would make this an Intermediate |CA|.
 
-   ``root_ca_cert``
+    ``system_root_ca_cert``
         The Root |CA| that signed ``system_local_ca_cert``. If
         ``system_local_ca_cert`` is a self-signed, internal Root |CA|
-       certificate, duplicate the value of ``system_local_ca_cert``
+        certificate, duplicate the value of ``system_local_ca_cert`` in this
-       in this field.
+        field.
 
     ``ca_duration``
-       |ICA| duration validation parameter. This will be used against
+        |CA| duration validation parameter. This will be used against
-       ``system_local_ca_cert`` and ``root_ca_cert`` to ensure that they have
+        ``system_local_ca_cert`` and ``system_root_ca_cert`` to ensure that
-       sufficient duration remaining. It defaults to 3 years, as this is
+        they have sufficient duration remaining. It defaults to 3 years, as
-       typical for |CA| certificates and this certificate must be renewed
+        this is typical for |CA| certificates and this certificate must be
-       manually. Only override if necessary.
+        renewed manually. Only override if necessary.
 
-   ``dns_domain``
+    ``system_platform_certificate.dns_domain``
-       The DNS domain that will be used to build the full dns name for
+        The |DNS| domain that will be used to build the full dns name for the
-       the |SANs| List of the Platform Certificates. E.g.
+        |SANs| List of the Platform Certificates. E.g.
-       starlingx-restapi-gui.<dns_domain> would appear in the |SANs| list of
+        ``starlingx-restapi-gui.<dns_domain>`` would appear in the |SANs| list
-       the REST API & Web Server certificate. in the server certificates.
+        of the REST API & Web Server certificate. in the server certificates.
 
-   ``duration``
+    ``system_platform_certificate.duration``
         The duration of certificate validity to use in all Platform
         Certificates, in hours. The Platform Server Certificates will be
         auto-renewed by Cert-Manager.
 
-   ``renewBefore``
+    ``system_platform_certificate.renewBefore``
         The number of hours before certificate expiry that the Platform
         Certificate should be auto-renewed by Cert-Manager.
 
-   ``subject_*`` fields
+    ``system_platform_certificate.subject_*fields``
         Subject related fields that will be added to all platform certificates:
 
-       * ``subject_C``: country
+        - ``system_platform_certificate.subject_C``: country
 
-       * ``subject_ST``: State or Province
+        - ``system_platform_certificate.subject_ST``: State or Province
 
-       * ``subject_L``: Location
+        - ``system_platform_certificate.subject_L``: Location
 
-       * ``subject_O``: Organization
+        - ``system_platform_certificate.subject_O``: Organization
 
-       * ``subject_OU``: Organization Unit
+        - ``system_platform_certificate.subject_OU``: Organization Unit
 
-       * ``subject_CN``: Common Name
+        - ``system_platform_certificate.subject_CN``: Common Name
 
-       * ``subject_prefix``: An optional field to add a prefix to further
+        - ``system_platform_certificate.subject_prefix``: An optional field
-         identify the certificate, such as 'starlingx' for instance
+            to add a prefix to further identify the certificate, such as |prod|
+            for instance
 
     ``ansible_ssh_user``
         The username to use to connect to the target system using ``ssh``.
@@ -200,8 +203,9 @@ controllers/subclouds.
         * ``subcloud1``, ``subcloud2``: A comma separated list of hosts the
           playbook will target.
 
-       * ``localhost``: Will target the localhost (standalone systems or system
+        * ``localhost``: Will target the localhost (standalone systems or
-         controller)
+          system controller)
+
         * ``all_online_subclouds``: Will query ``dcmanager subcloud list`` and
           retrieve a list of online subclouds to target.