feat: allow using wildcard certs
diff --git a/roles/openstack_helm_ingress/README.md b/roles/openstack_helm_ingress/README.md
index 38a9547..67d3329 100644
--- a/roles/openstack_helm_ingress/README.md
+++ b/roles/openstack_helm_ingress/README.md
@@ -1 +1,26 @@
 # `openstack_helm_ingress`
+
+## Using wildcard certificates
+
+If you have an existing wildcard certificate to use for all your endpoints
+with Atmosphere, you can simply configure it as follows;
+
+1. Create a Kubernetes TLS secret using your wildcard certificate, you can refer
+   to the [Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/secret/#tls-secrets)
+    for more details.
+
+    ```shell
+    kubectl -n openstack create secret tls wildcard-certs --key=/path/to/tls.key --cert=/path/to/tls.crt
+    ```
+
+2. Update the `openstack_helm_ingress_secret_name` to point towards the name
+   of the secret you created in step 1.
+
+    ```yaml
+    openstack_helm_ingress_secret_name: wildcard-certs
+    ```
+
+> **Note**
+>
+> If you make this change after a deployment, you will need to re-run all of the
+> playbooks in order to update all the `Ingress` resources.
diff --git a/roles/openstack_helm_ingress/defaults/main.yml b/roles/openstack_helm_ingress/defaults/main.yml
index 137c3d4..ed23163 100644
--- a/roles/openstack_helm_ingress/defaults/main.yml
+++ b/roles/openstack_helm_ingress/defaults/main.yml
@@ -18,4 +18,4 @@
 # certificate.
 #
 # See: https://kubernetes.io/docs/concepts/services-networking/ingress/#tls
-openstack_helm_ingress_secret_name: "{{ openstack_helm_ingress_service_name }}-certs"
+# openstack_helm_ingress_secret_name: wildcard-certs
diff --git a/roles/openstack_helm_ingress/tasks/main.yml b/roles/openstack_helm_ingress/tasks/main.yml
index 1b70b19..d373513 100644
--- a/roles/openstack_helm_ingress/tasks/main.yml
+++ b/roles/openstack_helm_ingress/tasks/main.yml
@@ -12,6 +12,14 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
+- name: Add ClusterIssuer annotations
+  ansible.builtin.set_fact:
+    _openstack_helm_ingress_annotations: "{{ _openstack_helm_ingress_annotations | combine(annotations, recursive=True) }}"
+  vars:
+    annotations:
+      cert-manager.io/cluster-issuer: "{{ openstack_helm_ingress_cluster_issuer }}"
+  when: openstack_helm_ingress_secret_name is not defined
+
 - name: Create Ingress {{ openstack_helm_ingress_name }}
   kubernetes.core.k8s:
     state: present
@@ -36,6 +44,6 @@
                       port:
                         number: "{{ openstack_helm_ingress_service_port }}"
         tls:
-          - secretName: "{{ openstack_helm_ingress_secret_name }}"
+          - secretName: "{{ openstack_helm_ingress_secret_name | default(openstack_helm_ingress_service_name ~ '-certs') }}"
             hosts:
               - "{{ openstack_helm_ingress_host }}"
diff --git a/roles/openstack_helm_ingress/vars/main.yml b/roles/openstack_helm_ingress/vars/main.yml
index a1debf7..ed914d0 100644
--- a/roles/openstack_helm_ingress/vars/main.yml
+++ b/roles/openstack_helm_ingress/vars/main.yml
@@ -12,5 +12,4 @@
 # License for the specific language governing permissions and limitations
 # under the License.
 
-_openstack_helm_ingress_annotations:
-  cert-manager.io/cluster-issuer: "{{ openstack_helm_ingress_cluster_issuer }}"
+_openstack_helm_ingress_annotations: {}