feat: trust private acme CA (#1216)

Related: #1185
We discussed with @mpiscaer on Slack why this happens and found that such a configuration was not foreseen.
Mounting the whole directory, as is done here: https://github.com/vexxhost/ansible-collection-kubernetes/blob/main/roles/cert_manager/vars/main.yml#L21, is a bad idea because on EL distros this host path doesn't exist.

Reviewed-by: Mohammed Naser <mnaser@vexxhost.com>
Reviewed-by: Michiel Piscaer <michiel@piscaer.com>
Reviewed-by: Tadas Sutkaitis
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 407acaf..15db6a4 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -15,6 +15,8 @@
 cluster_issuer_name: "{{ atmosphere_ingress_cluster_issuer }}"
 cluster_issuer_type: acme
 
+cluster_issuer_acme_private_ca: false
+
 cluster_issuer_acme_server: https://acme-v02.api.letsencrypt.org/directory
 # cluster_issuer_acme_email:
 cluster_issuer_acme_private_key_secret_name: cert-manager-issuer-account-key
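Review bot: The new `cluster_issuer_acme_private_ca` default has no comment, although it changes which trust anchors the CLI and SDK configuration use. Judging by the other hunks in this commit, setting it to true bind-mounts the host's system CA bundle into the openstack_cli container and points `OS_CACERT`/`cacert` at it, so the private CA must already be installed in the host trust store. I would add a comment above it such as `# Set to true when cluster_issuer_acme_server is a private ACME CA; the CA must already be trusted by the host's system bundle, which is then used for OS_CACERT/cacert.`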
diff --git a/roles/openstack_cli/templates/atmosphere.sh.j2 b/roles/openstack_cli/templates/atmosphere.sh.j2
index 416a825..00635a1 100644
--- a/roles/openstack_cli/templates/atmosphere.sh.j2
+++ b/roles/openstack_cli/templates/atmosphere.sh.j2
@@ -3,7 +3,10 @@
       --volume /etc/openstack:/etc/openstack:ro \
 {% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
       --volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family']
-      in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/etc/pki/ca-trust/source/anchors/atmosphere.crt:ro' }} \
+      in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+      --volume {{ '/etc/ssl/certs/ca-certificates.crt:/etc/ssl/certs/ca-certificates.crt:ro' if ansible_facts['os_family']
+      in ['Debian'] else '/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt:/etc/ssl/certs/ca-certificates.crt:ro' }} \
 {% endif %}
       --env-file <(env | grep OS_) \
       {{ atmosphere_images['openstack_cli'] }}'
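Review bot: On non-Debian hosts the new `elif` branch mounts `/etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt`, which is the extended `TRUSTED CERTIFICATE` bundle covering all usages, not the plain PEM bundle for TLS server authentication. A client in the container that ignores the per-usage trust flags may then accept CAs that the host does not trust for server authentication, and one that expects plain `BEGIN CERTIFICATE` blocks may not load the file at all. The volume source should probably be the TLS-specific bundle, `/etc/pki/ca-trust/extracted/pem/tls-ca-bundle.pem:/etc/ssl/certs/ca-certificates.crt:ro`; please confirm against the EL releases you support. The alias this belongs to starts before the hunk, so only the volume arguments are visible here.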
diff --git a/roles/openstack_cli/templates/openrc.j2 b/roles/openstack_cli/templates/openrc.j2
index 87e5e34..a5d7acb 100644
--- a/roles/openstack_cli/templates/openrc.j2
+++ b/roles/openstack_cli/templates/openrc.j2
@@ -12,5 +12,7 @@
 export OS_PROJECT_NAME=admin
 
 {% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
-export OS_CACERT={{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt
+export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
 {% endif %}
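Review bot: `OS_CACERT` is now a path that is only guaranteed to exist inside the openstack_cli container, since `/usr/local/share/ca-certificates/atmosphere.crt` and `/etc/ssl/certs/ca-certificates.crt` are not normally present on an EL host. The removed line chose a host path per `os_family`, so if openrc is also sourced for a client installed on the host (an assumption, not visible here), verification will fail on EL after this change. The same applies to `cacert` in roles/openstacksdk/templates/clouds.yaml.j2, which host-side SDK consumers may read. Either keep a host-valid path for host consumers or state the constraint in the template, e.g. `# OS_CACERT is the path inside the openstack_cli container, not on the host`.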
diff --git a/roles/openstacksdk/templates/clouds.yaml.j2 b/roles/openstacksdk/templates/clouds.yaml.j2
index efb2245..5b47879 100644
--- a/roles/openstacksdk/templates/clouds.yaml.j2
+++ b/roles/openstacksdk/templates/clouds.yaml.j2
@@ -9,5 +9,7 @@
       project_domain_name: Default
     region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
 {% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
-    cacert: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+    cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
+{% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
+    cacert: "/etc/ssl/certs/ca-certificates.crt"
 {% endif %}