[role:cert-manager] Add self-signed issuer and certificate

For a private PKI, create a custom root certificate using a
self-signed ClusterIssuer.
To use it for the OpenStack endpoints, set the variable
`cert_manager_issuer` as follows:
cert_manager_issuer:
  ca:
    secretName: root-secret

Sem-Ver: feature

Change-Id: Ie8f46173f7951c141053ad3cf80a5d8926c95724
diff --git a/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml b/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml
new file mode 100644
index 0000000..32066cf
--- /dev/null
+++ b/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml
@@ -0,0 +1,3 @@
+---
+features:
+  - Add self-signed issuer and CA certificate
diff --git a/roles/cert_manager/defaults/main.yml b/roles/cert_manager/defaults/main.yml
index 508c527..40c504f 100644
--- a/roles/cert_manager/defaults/main.yml
+++ b/roles/cert_manager/defaults/main.yml
@@ -20,6 +20,7 @@
 # .. envvar:: cert_manager_issuer [[[
 #
 # Definition for the ``cert-manager`` issuer
+# To use self-signed CA certificate, set cert_manager_issuer.ca.secretName as root-secret.
 cert_manager_issuer:
   acme:
     email: mnaser@vexxhost.com
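Review bot: The added comment does not say that the `ca` block has to replace the `acme` block rather than sit next to it, and it does not say where `root-secret` comes from. A cert-manager issuer spec takes one issuer type, so I would word it as `# To issue from the self-signed CA instead, replace the acme block with ca.secretName: root-secret` and add `# (root-secret is created by this role in the openstack namespace; clients must trust its ca.crt)`. The `cert_manager_issuer` mapping continues below the hunk.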
diff --git a/roles/cert_manager/tasks/main.yml b/roles/cert_manager/tasks/main.yml
index b06b4f6..ee73205 100644
--- a/roles/cert_manager/tasks/main.yml
+++ b/roles/cert_manager/tasks/main.yml
@@ -41,3 +41,37 @@
         name: openstack
         namespace: openstack
       spec: "{{ cert_manager_issuer }}"
+
+- name: Create self-signed issuer
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: ClusterIssuer
+      metadata:
+        name: selfsigned-issuer
+      spec:
+        selfSigned: {}
+
+- name: Bootstrap a custom root certificate for a private PKI
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      apiVersion: cert-manager.io/v1
+      kind: Certificate
+      metadata:
+        name: selfsigned-ca
+        namespace: openstack
+      spec:
+        isCA: true
+        commonName: selfsigned-ca
+        secretName: root-secret
+        duration: 86400h # 3600d
+        renewBefore: 360h # 15d
+        privateKey:
+          algorithm: ECDSA
+          size: 256
+        issuerRef:
+          name: selfsigned-issuer
+          kind: ClusterIssuer
+          group: cert-manager.io
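Review bot: Both new tasks run unconditionally, so a CA private key is generated and stored in `root-secret` in the `openstack` namespace even on deployments that keep the ACME issuer; consider gating them, e.g. `when: cert_manager_issuer.ca is defined`. Anyone who can read secrets in that namespace can sign certificates that the private PKI will trust, so read access to `root-secret` should be limited by RBAC, and that is worth a comment on the task. The name `root-secret` is hard-coded here while the issuer takes `ca.secretName` from `cert_manager_issuer`, so the two can drift apart silently; a shared variable would avoid that. The context lines at the top of the hunk belong to a task that starts outside it.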