  1. Red Hat Advanced Cluster Management
  2. ACM-17885

[Doc] Clarify how external metrics access is configured with ROSA ACM hub


      Note: Doc team updates the current version of the documentation and the
      two previous versions (n-2), but we address *only high-priority, or
      customer-reported issues* for -2 releases in support.
      Describe the changes in the doc and link to your dev story:

      1. - [x] Mandatory: Add the required version to the Fix version/s field.
      All supported ACM versions including ACM 2.13.0

      2. - [x] Mandatory: Choose the type of documentation change or review.

      • [ ] We need a whole new section; this is a function not
        documented before and doesn't belong in any current section
      • [ ] We need an Operator Advisory review and approval
      • [ ] We need a z-Stream (Errata) Advisory and Release note
        for MCE and/or ACM

      3. - [ ] *Mandatory:* Use the following link to open the doc and find where the
      documentation update should go. Note: As the feature and doc are
      understood and developed, this placement decision may change:

      Same as links in section 2

      4. - [ ] Mandatory for GA content:

      • [ ] Add steps, the diff, known issue, and/or other important
        conceptual information in the following space:
      • [ ] Add *Required access level* (example, *Cluster
        Administrator*) for the user to complete the task:
      • [ ] Add verification at the end of the task, how does the user
        verify success (a command to run or a result to see?)
      • [ ] Add link to dev story here:

      5. - [x] Mandatory for bugs: What is the diff? Clearly define what the
      problem is, what the change is, and link to the current documentation. Only
      use this for a documentation bug.

      Change #1: (update documentation to cover ROSA use case)

      3. a) ROSA
      The secret router-cert-default does not exist if the hub is running on a ROSA OpenShift cluster. Use the CA certificate pointed to by spec.defaultCertificate.name in the default ingress controller object, and store the content of the tls.crt key in a local file.

      Step 1: Get the name of the secret from spec.defaultCertificate.name
        SECRET_NAME=$(oc get ingresscontroller default -n openshift-ingress-operator -o jsonpath="{.spec.defaultCertificate.name}")

      Step 2: Extract the certificate from the secret
        oc get secret "$SECRET_NAME" -n openshift-ingress -o jsonpath="{.data.tls\.crt}" | base64 -d > ca.crt

      Change #2: move up current bullet 5) to 4). This will validate the extracted ca.crt can be used with curl command successfully.

      Change #3: The current bullet 4) is only relevant if you want to configure custom certificates for the rbac-query-proxy route. This was much better described in the 2.7 documentation, and was somehow lost in a subsequent update (see the last bullet that starts with "You can also replace certificates for the rbac-query-proxy route.").

      I think it is better to move this content under 6.1.2 Managing certificates section, and out of here.

      1. Create a new topic "Replacing certificates for rbac-query-proxy route" (parallel to "Replacing certificates for alertmanager route" topic)

      You can also replace certificates for the rbac-query-proxy route. See OpenSSL commands to generate CA certificate to create certificates. When creating a Certificate Signing Request (CSR) using the csr.cnf file, ensure that you update the DNS.1 field under the subjectAltName section to match the hostname of the rbac-query-proxy route.

      This hostname can be retrieved using the following command:

      oc get route rbac-query-proxy -n open-cluster-management-observability -o jsonpath="{.spec.host}"

      Run the following command to create proxy-byo-ca and proxy-byo-cert secrets using the generated certificates:

      oc -n open-cluster-management-observability create secret tls proxy-byo-ca --cert ./ca.crt --key ./ca.key

      oc -n open-cluster-management-observability create secret tls proxy-byo-cert --cert ./ingress.crt --key ./ingress.key

              rh-ee-ofischer Oliver Fischer
              smeduri1@redhat.com Subbarao Meduri
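
Steps 1 and 2 under Change #1, wrapped with guards so that an unset spec.defaultCertificate.name, an empty decode, or key material written by mistake is caught before ca.crt is handed to curl. This is an added example, not code from the issue or from the ACM documentation; the function names check_ca_bundle and extract_ingress_ca are hypothetical.

```bash
# Added example: helper names are hypothetical, not part of ACM or oc.

# check_ca_bundle FILE
# Prints the number of PEM certificates in FILE and returns 0 when the file
# looks usable with `curl --cacert`. Non-zero return codes:
#   1 empty or missing, 2 private key present, 3 no certificate, 4 truncated.
check_ca_bundle() {
  local file=$1 begins ends
  [ -s "$file" ] || { echo "empty or missing: $file" >&2; return 1; }
  # tls.key extracted instead of tls.crt would put a private key on disk.
  if grep -q -- '-----BEGIN .*PRIVATE KEY-----' "$file"; then
    echo "private key material found in $file" >&2
    return 2
  fi
  # grep -c exits 1 on zero matches; `|| true` keeps that from aborting.
  begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$file" || true)
  ends=$(grep -c -- '-----END CERTIFICATE-----' "$file" || true)
  [ "$begins" -gt 0 ] || { echo "no PEM certificate in $file" >&2; return 3; }
  [ "$begins" -eq "$ends" ] || { echo "truncated PEM block in $file" >&2; return 4; }
  echo "$begins"
}

# extract_ingress_ca OUTFILE
# Runs the two steps from the issue. Needs an `oc` session logged in to the hub.
extract_ingress_ca() {
  local out=$1 secret
  secret=$(oc get ingresscontroller default -n openshift-ingress-operator \
    -o jsonpath='{.spec.defaultCertificate.name}') || return 1
  # An empty name would make `oc get secret` list every secret in the namespace.
  [ -n "$secret" ] || { echo "spec.defaultCertificate.name is not set" >&2; return 1; }
  # umask 077 keeps the output file readable by the current user only.
  ( umask 077
    oc get secret "$secret" -n openshift-ingress \
      -o jsonpath='{.data.tls\.crt}' | base64 -d > "$out" )
  # A failed `oc get secret` leaves an empty file, which the check rejects.
  check_ca_bundle "$out"
}
```

Call `extract_ingress_ca ca.crt` from a shell that is logged in to the hub; a printed count greater than 1 means tls.crt holds a chain rather than a single certificate.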