[role:cert-manager] Add self-signed issuer and certificate
For a private PKI, created a custom root certificate using a
self-signed ClusterIssuer.
To use this for openstack endpoints, the variable
`cert_manager_issuer` needs to be set as follows:

cert_manager_issuer:
  ca:
    secretName: root-secret
Sem-Ver: feature
Change-Id: Ie8f46173f7951c141053ad3cf80a5d8926c95724
diff --git a/roles/cert_manager/tasks/main.yml b/roles/cert_manager/tasks/main.yml
index b06b4f6..ee73205 100644
--- a/roles/cert_manager/tasks/main.yml
+++ b/roles/cert_manager/tasks/main.yml
@@ -41,3 +41,37 @@
name: openstack
namespace: openstack
spec: "{{ cert_manager_issuer }}"
+
+- name: Create self-signed issuer
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: selfsigned-issuer
+ spec:
+ selfSigned: {}
+
+- name: Bootstrap a custom root certificate for a private PKI
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ apiVersion: cert-manager.io/v1
+ kind: Certificate
+ metadata:
+ name: selfsigned-ca
+ namespace: openstack
+ spec:
+ isCA: true
+ commonName: selfsigned-ca
+ secretName: root-secret
+ duration: 86400h # 3600d
+ renewBefore: 360h # 15d
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-issuer
+ kind: ClusterIssuer
+ group: cert-manager.io
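Review bot: Task ordering in this hunk looks inverted: the existing task in the context lines creates the `openstack` Issuer from `cert_manager_issuer` (which, per the commit message, points at `ca.secretName: root-secret`) before the two new tasks that create the self-signed ClusterIssuer and the `selfsigned-ca` Certificate that actually produces `root-secret`. cert-manager will eventually reconcile once the secret appears, but the Issuer will report not-ready in the meantime and any Certificate requested against it will stall; consider placing the two new tasks above the Issuer task so the root secret exists first. Both new tasks also run unconditionally, so every deployment gets a self-signed ClusterIssuer and a CA secret in the `openstack` namespace even when `cert_manager_issuer` points at an external CA; a `when:` guard tied to the `ca.secretName` setting (or a dedicated variable) would keep an unused private root key out of clusters that do not need it.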