From d840f36cefda452fda907598170c5d51fbc29de3 Mon Sep 17 00:00:00 2001 From: Ngairangbam Mili Date: Mon, 25 Aug 2025 03:09:53 +0000 Subject: [PATCH] REST API Access Story: 2011399 Task: 52686 Change-Id: I6cbb622fd41382338c76a7eda2f0f8a37b7c4b4a Signed-off-by: Ngairangbam Mili --- .../security/kubernetes/security-rest-api-access.rst | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/doc/source/security/kubernetes/security-rest-api-access.rst b/doc/source/security/kubernetes/security-rest-api-access.rst index 0ed1ade8c..afb43bad6 100644 --- a/doc/source/security/kubernetes/security-rest-api-access.rst +++ b/doc/source/security/kubernetes/security-rest-api-access.rst @@ -44,3 +44,13 @@ the following site: `https://kubernetes.io/docs/concepts/overview/kubernetes-api/ `__. +.. note:: + + The |prod| REST API/GUI and web server certificate is used by the proxy to + access the |prod| REST APIs and Kubernetes API server. The REST API client + needs to trust the issuer of this certificate, which is system-local-ca's + |RCA| certificate. To retrieve this certificate, use the following command: + + .. code-block:: none + + ~(keystone_admin)]$ kubectl get secret system-local-ca -n cert-manager -o=jsonpath='{.data.ca\.crt}' | base64 --decode
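
Review bot: In the added note, "To retrieve this certificate" is ambiguous, because the nearest antecedent could be either the REST API/GUI and web server certificate from the first sentence or the issuer's |RCA| certificate from the second. Since the command reads ``ca.crt`` from the ``system-local-ca`` secret, consider wording it as "To retrieve the |RCA| certificate, use the following command:". The command also only prints the decoded certificate to the terminal of the ``keystone_admin`` session. A sentence saying that the output should be saved to a file and supplied to the REST API client as a trusted CA would complete the step the note is describing.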