chore: switch to clusterissuer
diff --git a/atmosphere/tasks/kubernetes/cert_manager.py b/atmosphere/tasks/kubernetes/cert_manager.py
index c40156e..48b8bf2 100644
--- a/atmosphere/tasks/kubernetes/cert_manager.py
+++ b/atmosphere/tasks/kubernetes/cert_manager.py
@@ -41,19 +41,19 @@
         )
 
 
-class Issuer(pykube.objects.NamespacedAPIObject):
+class ClusterIssuer(pykube.objects.APIObject):
     version = "cert-manager.io/v1"
-    endpoint = "issuers"
-    kind = "Issuer"
+    endpoint = "clusterissuers"
+    kind = "ClusterIssuer"
 
 
-class ApplyIssuerTask(base.ApplyKubernetesObjectTask):
-    def __init__(self, namespace: str, name: str, spec: dict):
+class ApplyClusterIssuerTask(base.ApplyKubernetesObjectTask):
+    def __init__(self, name: str, spec: dict):
         self._spec = spec
 
         super().__init__(
-            kind=Issuer,
-            namespace=namespace,
+            kind=ClusterIssuer,
+            namespace=None,
             name=name,
             requires=set(
                 [
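Review bot: `ClusterIssuer` and `ApplyClusterIssuerTask` have no docstring explaining what the move to cluster scope means for trust. A ClusterIssuer can be named in the `issuerRef` of a Certificate, or in an Ingress annotation, from any namespace, whereas the namespaced Issuer it replaces could only be used from one. I would add a class docstring along the lines of `"""Cluster-scoped cert-manager issuer; usable from every namespace, so limit who may create Certificates and Ingresses."""` and a comment on `namespace=None` such as `# cluster-scoped kind: no namespace is passed`. The `__init__` body of `ApplyClusterIssuerTask` continues past the end of this hunk.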
@@ -62,15 +62,14 @@
             ),
         )
 
-    def generate_object(self) -> Issuer:
-        return Issuer(
+    def generate_object(self) -> ClusterIssuer:
+        return ClusterIssuer(
             self.api,
             {
                 "apiVersion": self._obj_kind.version,
                 "kind": self._obj_kind.kind,
                 "metadata": {
                     "name": self._obj_name,
-                    "namespace": self._obj_namespace,
                 },
                 "spec": self._spec,
             },
@@ -79,8 +78,7 @@
 
 def issuer_tasks_from_config(config: config.Issuer) -> list:
     objects = [
-        ApplyIssuerTask(
-            namespace=constants.NAMESPACE_OPENSTACK,
+        ApplyClusterIssuerTask(
             name="self-signed",
             spec={
                 "selfSigned": {},
@@ -114,7 +112,7 @@
             #               credentials in this case.
             objects.append(
                 v1.ApplySecretTask(
-                    constants.NAMESPACE_OPENSTACK,
+                    constants.NAMESPACE_CERT_MANAGER,
                     "cert-manager-issuer-tsig-secret-key",
                     data={
                         "tsig-secret-key": config.solver.tsig_secret,
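Review bot: Applying the TSIG key Secret to `constants.NAMESPACE_CERT_MANAGER` leaves any copy previously applied to `constants.NAMESPACE_OPENSTACK` in place on upgraded clusters, since nothing visible in this diff deletes it. The same applies to `cert-manager-issuer-route53-credentials` and `cert-manager-issuer-ca` in the two hunks that follow, and presumably to the old namespaced `Issuer` objects. A migration or cleanup step for those objects would avoid leaving stale DNS credentials and CA key material behind. It is also worth a comment here, for example `# ClusterIssuer reads referenced Secrets from cert-manager's cluster resource namespace (--cluster-resource-namespace)`, because the constant has to match that setting for the issuer to find the Secret. The enclosing `ApplySecretTask(...)` call continues outside the hunk.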
@@ -142,7 +140,7 @@
             #               credentials in this case.
             objects.append(
                 v1.ApplySecretTask(
-                    constants.NAMESPACE_OPENSTACK,
+                    constants.NAMESPACE_CERT_MANAGER,
                     "cert-manager-issuer-route53-credentials",
                     data={
                         "secret-access-key": config.solver.secret_access_key,
@@ -170,7 +168,7 @@
         #               certificate and key in this case.
         objects.append(
             v1.ApplySecretTask(
-                constants.NAMESPACE_OPENSTACK,
+                constants.NAMESPACE_CERT_MANAGER,
                 "cert-manager-issuer-ca",
                 data={
                     "tls.crt": config.certificate,
@@ -188,7 +186,7 @@
         # NOTE(mnaser): We have to setup the self-signed CA in this case
         objects += [
             ApplyCertificateTask(
-                namespace=constants.NAMESPACE_OPENSTACK,
+                namespace=constants.NAMESPACE_CERT_MANAGER,
                 name="self-signed-ca",
                 spec={
                     "isCA": True,
@@ -198,7 +196,7 @@
                     "renewBefore": "360h",
                     "privateKey": {"algorithm": "ECDSA", "size": 256},
                     "issuerRef": {
-                        "kind": "Issuer",
+                        "kind": "ClusterIssuer",
                         "name": "self-signed",
                     },
                 },
@@ -211,8 +209,4 @@
             }
         }
 
-    return objects + [
-        ApplyIssuerTask(
-            namespace=constants.NAMESPACE_OPENSTACK, name="openstack", spec=spec
-        )
-    ]
+    return objects + [ApplyClusterIssuerTask(name="openstack", spec=spec)]
diff --git a/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py b/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py
index 81e6a2a..debc07a 100644
--- a/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py
+++ b/atmosphere/tests/unit/tasks/kubernetes/test_cert_manager.py
@@ -20,22 +20,20 @@
             ),
             [
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "self-signed",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "selfSigned": {},
                     },
                 },
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "openstack",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "acme": {
@@ -75,11 +73,10 @@
             ),
             [
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "self-signed",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "selfSigned": {},
@@ -90,18 +87,17 @@
                     "kind": pykube.Secret.kind,
                     "metadata": {
                         "name": "cert-manager-issuer-tsig-secret-key",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
+                        "namespace": constants.NAMESPACE_CERT_MANAGER,
                     },
                     "stringData": {
                         "tsig-secret-key": "secret123",
                     },
                 },
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "openstack",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "acme": {
@@ -146,11 +142,10 @@
             ),
             [
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "self-signed",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "selfSigned": {},
@@ -161,18 +156,17 @@
                     "kind": pykube.Secret.kind,
                     "metadata": {
                         "name": "cert-manager-issuer-route53-credentials",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
+                        "namespace": constants.NAMESPACE_CERT_MANAGER,
                     },
                     "stringData": {
                         "secret-access-key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
                     },
                 },
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "openstack",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "acme": {
@@ -225,11 +219,10 @@
             ),
             [
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "self-signed",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "selfSigned": {},
@@ -240,7 +233,7 @@
                     "kind": pykube.Secret.kind,
                     "metadata": {
                         "name": "cert-manager-issuer-ca",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
+                        "namespace": constants.NAMESPACE_CERT_MANAGER,
                     },
                     "stringData": {
                         "tls.crt": textwrap.dedent(
@@ -264,11 +257,10 @@
                     },
                 },
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "openstack",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "ca": {
@@ -288,11 +280,10 @@
             ),
             [
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "self-signed",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "selfSigned": {},
@@ -303,7 +294,7 @@
                     "kind": cert_manager.Certificate.kind,
                     "metadata": {
                         "name": "self-signed-ca",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
+                        "namespace": constants.NAMESPACE_CERT_MANAGER,
                     },
                     "spec": {
                         "isCA": True,
@@ -313,17 +304,16 @@
                         "renewBefore": "360h",
                         "privateKey": {"algorithm": "ECDSA", "size": 256},
                         "issuerRef": {
-                            "kind": "Issuer",
+                            "kind": "ClusterIssuer",
                             "name": "self-signed",
                         },
                     },
                 },
                 {
-                    "apiVersion": cert_manager.Issuer.version,
-                    "kind": cert_manager.Issuer.kind,
+                    "apiVersion": cert_manager.ClusterIssuer.version,
+                    "kind": cert_manager.ClusterIssuer.kind,
                     "metadata": {
                         "name": "openstack",
-                        "namespace": constants.NAMESPACE_OPENSTACK,
                     },
                     "spec": {
                         "ca": {
diff --git a/roles/atmosphere/templates/cluster_role.yml b/roles/atmosphere/templates/cluster_role.yml
index 2a0d447..2b4cc2b 100644
--- a/roles/atmosphere/templates/cluster_role.yml
+++ b/roles/atmosphere/templates/cluster_role.yml
@@ -5,6 +5,10 @@
   name: atmosphere
 rules:
   - apiGroups: [""]
+    resources: ["namespaces", "services", "configmaps", "secrets"]
+    verbs: ["get", "create", "patch"]
+  - apiGroups: ["networking.k8s.io"]
+    resources: ["ingresses"]
     resources: ["namespaces", "services"]
     verbs: ["get", "create", "patch"]
   - apiGroups: ["source.toolkit.fluxcd.io"]
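Review bot: The new `networking.k8s.io` rule ends up with two `resources:` keys, the added `resources: ["ingresses"]` followed by the old context line `resources: ["namespaces", "services"]`. Most YAML loaders keep the last value of a duplicated key and strict ones reject the document, so the rule probably does not grant `ingresses` at all. This looks like a leftover from a merge; the old line should be dropped so the rule reads `resources: ["ingresses"]` followed by `verbs: ["get", "create", "patch"]`.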
@@ -13,3 +17,9 @@
   - apiGroups: ["helm.toolkit.fluxcd.io"]
     resources: ["helmreleases"]
     verbs: ["get", "create", "patch"]
+  - apiGroups: ["cert-manager.io"]
+    resources: ["certificates", "clusterissuers"]
+    verbs: ["get", "create", "patch"]
+  - apiGroups: ["ceph.rook.io"]
+    resources: ["cephclusters", "cephobjectstores"]
+    verbs: ["get", "create", "patch"]
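Review bot: Only `clusterissuers` in this rule is a cluster-scoped kind. `certificates` here and `secrets` in the core-group rule of the previous hunk are namespaced, so putting them in the ClusterRole gives the atmosphere identity `get`/`create`/`patch` on every Secret and Certificate in the cluster. The namespaced Role this commit trims limited that to `openstack`. The Python tasks in this diff write those objects only to the cert-manager namespace, so a Role and RoleBinding there (plus `openstack` if it is still needed) would preserve least privilege. The `ceph.rook.io` rule is not mentioned in the commit title and would be easier to review as a separate change.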
diff --git a/roles/atmosphere/templates/role.yml b/roles/atmosphere/templates/role.yml
index 1a0a38e..21040ab 100644
--- a/roles/atmosphere/templates/role.yml
+++ b/roles/atmosphere/templates/role.yml
@@ -5,15 +5,9 @@
   namespace: openstack
   name: atmosphere
 rules:
-  - apiGroups: [""]
-    resources: ["secrets"]
-    verbs: ["get", "create", "patch"]
   - apiGroups: ["pxc.percona.com"]
     resources: ["perconaxtradbclusters"]
     verbs: ["get", "create", "patch"]
   - apiGroups: ["rabbitmq.com"]
     resources: ["rabbitmqclusters"]
     verbs: ["get", "create", "patch"]
-  - apiGroups: ["cert-manager.io"]
-    resources: ["certificates", "issuers"]
-    verbs: ["get", "create", "patch"]
diff --git a/roles/certificates/tasks/main.yml b/roles/certificates/tasks/main.yml
index 72ed046..4cdb916 100644
--- a/roles/certificates/tasks/main.yml
+++ b/roles/certificates/tasks/main.yml
@@ -22,7 +22,7 @@
         api_version: v1
         kind: Secret
         name: "{{ (atmosphere_issuer_config.type == 'self-signed') | ternary('cert-manager-selfsigned-ca', 'cert-manager-issuer-ca') }}"
-        namespace: openstack
+        namespace: cert-manager
         wait: true
         wait_sleep: 1
         wait_timeout: 300
diff --git a/roles/openstack_helm_ingress/vars/main.yml b/roles/openstack_helm_ingress/vars/main.yml
index a000c50..4c860cf 100644
--- a/roles/openstack_helm_ingress/vars/main.yml
+++ b/roles/openstack_helm_ingress/vars/main.yml
@@ -13,7 +13,7 @@
 # under the License.
 
 _openstack_helm_ingress_annotations:
-  cert-manager.io/issuer: openstack
+  cert-manager.io/cluster-issuer: atmosphere
 
 _openstack_helm_ingress_paths: "{{ openstack_helm_ingress_paths + __openstack_helm_ingress_paths }}"
 __openstack_helm_ingress_paths:
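Review bot: The annotation now points at a ClusterIssuer named `atmosphere`, but the tasks in `cert_manager.py` in this same diff create ClusterIssuers named `self-signed` and `openstack` only. Unless an `atmosphere` ClusterIssuer is created somewhere outside this diff, cert-manager will not find the issuer and ingress certificates will not be issued. If the intent was to keep the existing issuer name, the line should be `cert-manager.io/cluster-issuer: openstack`.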
diff --git a/roles/openstack_helm_octavia/tasks/main.yml b/roles/openstack_helm_octavia/tasks/main.yml
index dce8c18..14001e1 100644
--- a/roles/openstack_helm_octavia/tasks/main.yml
+++ b/roles/openstack_helm_octavia/tasks/main.yml
@@ -156,7 +156,7 @@
             size: 256
           issuerRef:
             name: self-signed
-            kind: Issuer
+            kind: ClusterIssuer
             group: cert-manager.io
 
       - apiVersion: cert-manager.io/v1