[role:cert-manager] Add self-signed issuer and certificate
For a private PKI, this creates a custom root certificate using a
self-signed ClusterIssuer.
To use it for OpenStack endpoints, set the variable
`cert_manager_issuer` as follows:
cert_manager_issuer:
ca:
secretName: root-secret
Sem-Ver: feature
Change-Id: Ie8f46173f7951c141053ad3cf80a5d8926c95724
diff --git a/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml b/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml
new file mode 100644
index 0000000..32066cf
--- /dev/null
+++ b/releasenotes/notes/cert_manager-add-self-signed-cert-0d38d09e25c68546.yaml
@@ -0,0 +1,3 @@
+---
+features:
+ - Add self-signed issuer and CA certificate
diff --git a/roles/cert_manager/defaults/main.yml b/roles/cert_manager/defaults/main.yml
index 508c527..40c504f 100644
--- a/roles/cert_manager/defaults/main.yml
+++ b/roles/cert_manager/defaults/main.yml
@@ -20,6 +20,7 @@
# .. envvar:: cert_manager_issuer [[[
#
# Definition for the ``cert-manager`` issuer
+# To use self-signed CA certificate, set cert_manager_issuer.ca.secretName as root-secret.
cert_manager_issuer:
acme:
email: mnaser@vexxhost.com
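Review bot: The added comment on the `cert_manager_issuer` block does not say that the variable is passed through as the whole Issuer `spec`, so an operator who only adds `ca.secretName` next to the existing `acme` entry ends up with an Issuer that has two issuer types, which cert-manager rejects. The comment should make clear the variable is replaced, not merged, e.g. `# To use the self-signed CA instead of ACME, override the whole variable:` followed by `#   cert_manager_issuer: {ca: {secretName: root-secret}}`. The `cert_manager_issuer` mapping continues past the end of the hunk.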
diff --git a/roles/cert_manager/tasks/main.yml b/roles/cert_manager/tasks/main.yml
index b06b4f6..ee73205 100644
--- a/roles/cert_manager/tasks/main.yml
+++ b/roles/cert_manager/tasks/main.yml
@@ -41,3 +41,37 @@
name: openstack
namespace: openstack
spec: "{{ cert_manager_issuer }}"
+
+- name: Create self-signed issuer
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: selfsigned-issuer
+ spec:
+ selfSigned: {}
+
+- name: Bootstrap a custom root certificate for a private PKI
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: selfsigned-ca
+ namespace: openstack
+ spec:
+ isCA: true
+ commonName: selfsigned-ca
+ secretName: root-secret
+ duration: 86400h # 3600d
+ renewBefore: 360h # 15d
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
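Review bot: Both added tasks run unconditionally, so every deployment mints a private root CA key in the `openstack` namespace even when the issuer in use is the default ACME one and nothing references `root-secret`; guard them with `when: cert_manager_issuer.ca is defined` so the key only exists where it is a trust anchor. The Certificate leaves `privateKey.rotationPolicy` at its default, which is what you want for a root CA (a renewal re-signs rather than re-keys, so the distributed trust anchor stays valid), but that intent should be explicit and commented: `rotationPolicy: Never  # keep the root key stable across renewals`. The secret name `root-secret` is hardcoded here and repeated in the defaults comment; consider deriving it from `cert_manager_issuer.ca.secretName` so the two cannot drift. The preceding Issuer task whose `spec` line appears at the top of the hunk starts outside it.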