[role:cert-manager] Add self-signed issuer and certificate For a private PKI, created a custom root certificate using self-signed clusterIssuer. To use this for openstack endpoints, need to set variable `cert_manager_issuer` as following; cert_manager_issuer: ca: secretName: root-secret Sem-Ver: feature Change-Id: Ie8f46173f7951c141053ad3cf80a5d8926c95724

commit: 05a72edc9e99e34cd954a024f1255dec3a26c5fd [log] [tgz]
author: okozachenko <okozachenko1203@gmail.com> Tue Apr 12 23:01:43 2022 +1000
committer: okozachenko <okozachenko1203@gmail.com> Mon Apr 18 17:40:37 2022 +1000
tree: 6bb053c993b54039db9bf48154e52c00fc7057f0
parent: 740dca943ffe59c8e240172e953a90d0c980c1e9 [diff]
diff --git a/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml b/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml
new file mode 100644
index 0000000..32066cf
--- /dev/null
+++ b/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml

@@ -0,0 +1,3 @@
+---
+features:
+  - Add self-signed issuer and CA certificate

diff --git a/roles/cert_manager/defaults/main.yml b/roles/cert_manager/defaults/main.yml
index 508c527..40c504f 100644
--- a/roles/cert_manager/defaults/main.yml
+++ b/roles/cert_manager/defaults/main.yml

@@ -20,6 +20,7 @@
 # .. envvar:: cert_manager_issuer [[[
 #
 # Definition for the ``cert-manager`` issuer
+# To use self-signed CA certificate, set cert_manager_issuer.ca.secretName as root-secret.
 cert_manager_issuer:
   acme:
     email: mnaser@vexxhost.com

diff --git a/roles/cert_manager/tasks/main.yml b/roles/cert_manager/tasks/main.yml
index b06b4f6..ee73205 100644
--- a/roles/cert_manager/tasks/main.yml
+++ b/roles/cert_manager/tasks/main.yml

@@ -41,3 +41,37 @@
         name: openstack
         namespace: openstack
       spec: "{{ cert_manager_issuer }}"
+
+- name: Create self-signed issuer
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: ClusterIssuer
+      metadata:
+        name: selfsigned-issuer
+      spec:
+        selfSigned: {}
+
+- name: Bootstrap a custom root certificate for a private PKI
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: selfsigned-ca
+        namespace: openstack
+      spec:
+        isCA: true
+        commonName: selfsigned-ca
+        secretName: root-secret
+        duration: 86400h # 3600d
+        renewBefore: 360h # 15d
+        privateKey:
+          algorithm: ECDSA
+          size: 256
+        issuerRef:
+          name: selfsigned-issuer
+          kind: ClusterIssuer
+          group: cert-manager.io
commit	05a72edc9e99e34cd954a024f1255dec3a26c5fd	[log] [tgz]
author	okozachenko <okozachenko1203@gmail.com>	Tue Apr 12 23:01:43 2022 +1000
committer	okozachenko <okozachenko1203@gmail.com>	Mon Apr 18 17:40:37 2022 +1000
tree	6bb053c993b54039db9bf48154e52c00fc7057f0
parent	740dca943ffe59c8e240172e953a90d0c980c1e9 [diff]