[THREESCALE-7921] Update docs

Author: tkan145

doc/apicast-crd-reference.md

@@ -36,6 +36,7 @@
 | `httpsPort` | int | No | 8443 only when `httpsCertificateSecretRef` is provided | Controls on which port APIcast should start listening for HTTPS connections. Do not use `8080` as HTTPS port (see [docs](https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_https_port)) |
 | `httpsVerifyDepth` | int | No | N/A | Defines the maximum length of the client certificate chain. (see [docs](https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_https_verify_depth)) |
 | `httpsCertificateSecretRef` | LocalObjectReference | No | APIcast has a default certificate used when `httpsPort` is provided | References secret containing the X.509 certificate in the PEM format and the X.509 certificate secret key |
+| `caCertificateSecretRef` | LocalObjectReference | No | N/A | References secret containing the X.509 CA certificate |
 | `workers` | integer | No | Automatically computed. Check [apicast doc](https://github.com/3scale/APIcast/blob/master/doc/parameters.md#apicast_workers) for further info. | Defines the number of worker processes |
 | `timezone` | string | No | N/A | The local timezone of the APIcast deployment pods. Its value must be a compatible value with the tz database | Defines the number of worker processes |
 | `customPolicies` | [][CustomPolicySpec](#CustomPolicySpec) | No | N/A | List of custom policies |

doc/operator-user-guide.md

@@ -311,6 +311,37 @@ $ echo quit | openssl s_client -showcerts -connect 127.0.0.1:8443 2>/dev/null |
 
 The downloaded certificate should match provided certificate.
 
+#### Override default CA certificate at pod level
+You can override the default CA certificate used by APIcast pod with `caCertificateSecretRef` field.
+
+Steps to override CA certificate at pod level:
+
+1.- Genrate CA certificate
+```
+openssl genrsa -out rootCA.key 2048
+openssl req -batch -new -x509 -nodes -key rootCA.key -sha256 -days 1024 -out rootCA.pem
+```
+
+2.- Create the certificate secret
+```
+kubectl create secret generic cacert --namespace=apicast-test --from-file=ca-bundle.crt=rootCA.pem
+```
+
+3.- Reference the certificate secret in APIcast CR
+
+```
+apiVersion: apps.3scale.net/v1alpha1
+kind: APIcast
+metadata:
+  name: apicast1
+spec:
+  ...
+  caCertificateSecretRef:
+    name: cacert
+```
+
+See [APIcast CRD reference](apicast-crd-reference.md)
+
 ### Reconciliation
 After an APIcast self-managed gateway solution has been installed, APIcast
 operator enables updating a given set of parameters from the custom resource