docs: document how the certificate is handled

Author: dkoshkin

docs/content/addons/registry-certificate.png

@@ -31,6 +31,25 @@ spec:
             registry: {}
 ```
 
+
+## Registry Certificate
+
+1. A root CA Certificate is deployed in the provider's namespace.
+2. cert-manager generates a 10-year self-signed root Certificate
+   and creates a Secret `registry-addon-root-ca` in the provider's namespace.
+3. BCC handler copies `ca.crt` from the `registry-addon-root-ca` Secret
+   to a new cluster Secret `<cluster-name>-registry-addon-ca`.
+   A client pushing to the registry can use either the root CA Secret or the cluster Secret to trust the registry.
+4. The cluster CA Secret contents (`ca.crt`) is written out as files on the Nodes
+   and used by Containerd to trust the registry addon.
+5. During the initial cluster creation, the ACPI handler uses the root CA to create a new 2-year server certificate
+   for the registry and creates a Secret `registry-tls` on the remote cluster.
+6. During cluster upgrades, the BCU handler renews the server certificate
+   and updates the Secret `registry-tls` on the remote cluster with the new certificate.
+   It is expected that clusters will be upgraded at least once every 2 years to avoid certificate expiration.
+
+![registry-certificate.png](registry-certificate.png)
+
 [Distribution]: https://github.com/distribution/distribution
 [Cluster API Add-on Provider for Helm]: https://github.com/kubernetes-sigs/cluster-api-addon-provider-helm
 [Regsync]: https://regclient.org/usage/regsync/