Update docs for how system-local-ca is updated by end user

Bug #2028184 reported by Juanita-Balaraj
Affects: StarlingX    Status: Triaged    Importance: Medium    Assigned to: Ron Stone    Milestone: (none)

Bug Description

Brief Description
-----------------

Subcloud add fails at pre-deployment phase with a timeout

Severity
--------

Provide the severity of the defect.

<Critical: System/Feature is not usable after the defect>

Steps to Reproduce
-------------------

Run the dcmanager subcloud add command

Expected Behavior
-----------------

Subcloud should install

Actual Behavior
---------------

Subcloud add sometimes fails at pre-deploy phase

Reproducibility
---------------

Intermittent, seen on multiple occasions when using the dcmanager remote client, experienced also from the active system controller.

A system controller reinstall was attempted but the issue persisted.

System Configuration
--------------------

Duplex system controller

Load info (eg: 2022-03-10_20-00-07)

SW_VERSION="22.12"
BUILD_TARGET="Host Installer"
BUILD_TYPE="Formal"
BUILD_ID="2022-12-19_02-22-00"
SRC_BUILD_ID="38"

JOB="wrcp-22.12-debian"
BUILD_BY="jenkins"
BUILD_NUMBER="50"
BUILD_HOST="yow-wrcp-lx.wrs.com"

Last Pass

Subcloud was installed successfully when it went past the pre-deploy phase

Timestamp/Logs

provided in the logs:

dcmanager.zip /var/log/dmanager folder
dcmanager-failed-prep.log ( /var/log/dcmanager/dcmanager.log) from previous system controller installation.
Important log message observed:

2023-02-15 18:06:33.911 88049 ERROR dcmanager.manager.subcloud_manager return self.create_namespaced_custom_object_with_http_info(group, version, namespace, plural, body, **kwargs) # noqa: E501

Workaround: Doc Updates:
------------------------

https://docs.starlingx.io/security/kubernetes/https-access-overview.html

HTTPS and Certificates Management Overview

Certificates are required for secure HTTPS access and authentication on the Cloud Platform. This table lists all the platform certificates, and indicates which certificates are automatically created/renewed by the system versus which certificates must be manually created/renewed by the system administrator. Platform certificates that are associated with optional platform components are only present if the optional platform component is configured (e.g. OIDC). Platform certificates that are associated with Distributed Cloud (DC) are only present on DC SystemController systems or DC Subclouds.

Certificate                                                  Auto Created                        Renewal Status
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
Etcd:
  etcd Root CA certificate                                   Yes                                 NOT AUTO-RENEWED; default expiry is set at 10 years
  etcd server certificate                                    Yes                                 auto-renewed by cron job
  etcd client certificate                                    Yes                                 auto-renewed by cron job
  kube-apiserver's etcd client certificate                   Yes                                 auto-renewed by cron job
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
Kubernetes:
  Kubernetes Root CA certificate                             Yes                                 NOT AUTO-RENEWED; default expiry is set at 10 years; MUST be renewed via CLI
  Cluster Admin client certificate used by kubectl           Yes                                 auto-renewed by cron job
  kube-controller-manager client certificate                 Yes                                 auto-renewed by cron job
  kube-scheduler client certificate                          Yes                                 auto-renewed by cron job
  kube-apiserver server certificate                          Yes                                 auto-renewed by cron job
  kube-apiserver's kubelet client certificate                Yes                                 auto-renewed by cron job
  kubelet client certificate                                 Yes                                 auto-renewed by kubelet feature, enabled by default
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
system-local-ca                                              Yes                                 NOT AUTO-RENEWED; MUST be renewed via CLI
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
OpenLDAP Server Certificate                                  Yes                                 auto-renewed by system
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
StarlingX REST API & HORIZON Server Certificate              Yes (auto-created certificate is    auto-renewed if configured with cert-manager;
                                                             self-signed and should be changed)  NOT AUTO-RENEWED if configured with system certificate-install ..,
                                                                                                 MUST be renewed via CLI
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
Local Registry Server Certificate                            Yes (auto-created certificate is    auto-renewed if configured with cert-manager;
                                                             self-signed and should be changed)  NOT AUTO-RENEWED if configured with system certificate-install ..,
                                                                                                 MUST be renewed via CLI
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
OIDC:
  OIDC Client and Dex Server Server Certificate              No                                  auto-renewed if configured with cert-manager;
                                                                                                 NOT AUTO-RENEWED if configured with an externally generated
                                                                                                 certificate, MUST be renewed via CLI
  OIDC Client and Dex Server CA certificate                  No                                  NOT AUTO-RENEWED; MUST be renewed via CLIs
  OIDC Remote WAD CA Certificate                             No                                  NOT AUTO-RENEWED; MUST be renewed via CLIs
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
Vault:
  Vault Server Certificate                                   Yes                                 NOT AUTO-RENEWED; MUST be renewed via CLIs
  Vault Root CA certificate                                  Yes                                 NOT AUTO-RENEWED; MUST be renewed via CLIs
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
Portieris:
  Portieris Server Certificate                               Yes                                 auto-renewed by cert-manager; BUT MUST restart Portieris after
                                                                                                 the certificate is renewed
  Portieris remote registry and notary server CA Certificate No                                  NOT AUTO-RENEWED; MUST be renewed via CLIs
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
DC Admin Endpoints:
  Root CA DC Admin Endpoint CA Certificate                   Yes                                 auto-renewed
  Intermediate CA DC Admin Endpoint CA Certificate           Yes                                 auto-renewed
  DC Admin Endpoint Server Certificate                       Yes                                 auto-renewed
-----------------------------------------------------------  ----------------------------------  ---------------------------------------------------------------
System trusted CA Certificates                               No                                  NOT AUTO-RENEWED, as these are certificates that are not
                                                                                                 necessarily owned by the platform

Where:
• Auto Created: the certificate is generated during system deployment or triggered by certain operations.
• Renewal Status: whether the certificate is renewed automatically by the system when the expiry date approaches.

The specific certificates, and details such as expiration date, that are present on a Cloud Platform system can be displayed with a local script, 'sudo show-certs.sh'; see Display Certificates Installed on a System.

Cloud Platform monitors the installed certificates on the system by raising alarms for expired certificates and certificates that will expire soon; see Expiring-Soon and Expired Certificate Alarms.
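The table above says that system-local-ca (and several other CA certificates) are NOT auto-renewed, and that the platform raises alarms for certificates that are expired or expiring soon. The following is an added example, not StarlingX's show-certs.sh nor any other code from the project, of the expiry check an operator can run on a PEM certificate such as a manually managed CA before the alarm fires. It assumes openssl and date(1) are available, and the 30-day warning threshold, the function names and the constructed test CA (subject CN=example-local-ca) are all assumptions of this example.

```shell
#!/bin/sh
# Added example: classify a PEM certificate as OK, EXPIRING-SOON or EXPIRED
# from its notAfter date. Not the platform's show-certs.sh; the WARN_DAYS
# threshold is an assumption chosen for this example.

WARN_DAYS=30

# days_left_from_notafter "<openssl notAfter string>" -> whole days until
# expiry on stdout, negative if already expired. openssl prints dates as
# "Mon DD HH:MM:SS YYYY GMT"; GNU date parses that directly, the second
# form is the BSD/macOS fallback.
days_left_from_notafter() {
    exp=$(date -u -d "$1" +%s 2>/dev/null) \
        || exp=$(date -u -j -f "%b %d %H:%M:%S %Y %Z" "$1" +%s)
    now=$(date -u +%s)
    echo $(( (exp - now) / 86400 ))
}

# status_for_days <days> -> EXPIRED | EXPIRING-SOON | OK
status_for_days() {
    if [ "$1" -lt 0 ]; then
        echo EXPIRED
    elif [ "$1" -lt "$WARN_DAYS" ]; then
        echo EXPIRING-SOON
    else
        echo OK
    fi
}

# cert_days_left <pem-file> -> days until the certificate's notAfter
cert_days_left() {
    not_after=$(openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//')
    days_left_from_notafter "$not_after"
}

# cert_status <pem-file> -> EXPIRED | EXPIRING-SOON | OK
cert_status() {
    status_for_days "$(cert_days_left "$1")"
}

# make_test_ca <out-pem> <days>: constructed self-signed CA used only to
# exercise the check offline; the key is written beside the cert and discarded.
make_test_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -subj "/CN=example-local-ca" -days "$2" -out "$1" 2>/dev/null
}

# Usage: sh check-cert-expiry.sh /path/to/ca.pem [more.pem ...]
for f in "$@"; do
    printf '%-60s %5s days  %s\n' "$f" "$(cert_days_left "$f")" "$(cert_status "$f")"
done
```

The check deliberately works on the certificate file rather than on a live TLS endpoint, since a CA such as system-local-ca is never served directly; pair it with a cron entry or with the platform's own expiring-soon alarms rather than relying on either alone.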

Tags: stx.docs
Changed in starlingx:
assignee: nobody → Juanita-Balaraj (balaraj)
importance: Undecided → Medium
status: New → Triaged
assignee: Juanita-Balaraj (balaraj) → nobody
assignee: nobody → Ron Stone (ronstone2000)
tags: added: stx.9.0
Changed in starlingx:
assignee: Ron Stone (ronstone2000) → nobody
assignee: nobody → Ron Stone (ronstone2000)
Ron Stone (ronstone2000)
Changed in starlingx:
status: Triaged → In Progress
Ghada Khalil (gkhalil)
summary: - Deployment Manager cannot use system-local-ca to issue certificates in
- DC system
+ Update docs for how system-local-ca is updated by end user
Revision history for this message
Ron Stone (ronstone2000) wrote :

Looks like the description is for some other item. I don't have permissions to edit. Will follow up with Juanita when she returns.

Changed in starlingx:
status: In Progress → Invalid
Revision history for this message
OpenStack Infra (hudson-openstack) wrote : Fix proposed to docs (r/stx.8.0)

Fix proposed to branch: r/stx.8.0
Review: https://review.opendev.org/c/starlingx/docs/+/893452

Changed in starlingx:
status: Invalid → In Progress
status: In Progress → Triaged
tags: added: stx.docs
removed: stx.9.0