[stable/2023.1] Enable setting CA for Venafi (#1296)

Closes #1275
diff --git a/doc/source/deploy/certificates.rst b/doc/source/deploy/certificates.rst
index f99d4f0..8c351c6 100644
--- a/doc/source/deploy/certificates.rst
+++ b/doc/source/deploy/certificates.rst
@@ -216,6 +216,12 @@
 .. code-block:: yaml
 
   cluster_issuer_type: venafi
+  cluster_issuer_venafi_ca: |
+    -----BEGIN CERTIFICATE-----
+    MIIDBjCCAe4CCQDQ3Z0Z2Z0Z0jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
+    VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
+    ...
+    -----END CERTIFICATE-----
   cluster_issuer_venafi_zone: <ZONE>
   cluster_issuer_venafi_tpp_url: <URL>
   cluster_issuer_venafi_tpp_ca_bundle: |
@@ -225,6 +231,12 @@
     ...
     -----END CERTIFICATE-----
 
+.. note::
+
+   If your issuer is an intermediate certificate, you will need to ensure that
+   the ``certificate`` key includes the full chain in the correct order of issuer,
+   intermediate(s), then root.
+
 Authentication
 ~~~~~~~~~~~~~~
 
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 28ff024..1c6f4b5 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -30,6 +30,7 @@
 #cluster_issuer_acme_cloudflare_api_token: <CLOUDFLARE_API_TOKEN>
 
 cluster_issuer_venafi_secret_name: cert-manager-venafi-credentials
+# cluster_issuer_venafi_ca:
 # cluster_issuer_venafi_access_token:
 # cluster_issuer_venafi_username:
 # cluster_issuer_venafi_password:
diff --git a/roles/cluster_issuer/tasks/type/venafi/main.yml b/roles/cluster_issuer/tasks/type/venafi/main.yml
index 006012f..9baffca 100644
--- a/roles/cluster_issuer/tasks/type/venafi/main.yml
+++ b/roles/cluster_issuer/tasks/type/venafi/main.yml
@@ -61,3 +61,11 @@
             caBundle: "{{ cluster_issuer_venafi_tpp_ca_bundle }}"
             credentialsRef:
               name: "{{ cluster_issuer_venafi_secret_name }}"
+
+- name: Copy CA certificate on host
+  ansible.builtin.copy:
+    content: "{{ cluster_issuer_venafi_ca }}"
+    dest: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+    mode: "0644"
+  notify:
+    - Update CA certificates on host
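Review bot: The new `Copy CA certificate on host` task has no `when:` guard, while the same commit leaves `cluster_issuer_venafi_ca` commented out in roles/cluster_issuer/defaults/main.yml, so a run that selects the venafi issuer without setting the variable stops at the `content:` line with an undefined-variable error instead of skipping the step. Either document the variable as required for this issuer type or add `when: cluster_issuer_venafi_ca is defined` to the task. Because the file is written straight into the host's trust-anchor directory, it is also worth rejecting non-PEM input before it lands there, e.g. `validate: openssl x509 -noout -in %s`, so a mis-pasted value cannot leave a broken anchor for the update handler to trip over (assumes `openssl` is present on the target). The handler `Update CA certificates on host` is referenced but not defined in this hunk; presumably it already exists in the role for the `ca`/`self-signed` types.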
diff --git a/roles/openstack_cli/templates/atmosphere.sh.j2 b/roles/openstack_cli/templates/atmosphere.sh.j2
index 00635a1..9717677 100644
--- a/roles/openstack_cli/templates/atmosphere.sh.j2
+++ b/roles/openstack_cli/templates/atmosphere.sh.j2
@@ -1,7 +1,7 @@
 alias osc='nerdctl run --rm --network host \
       --volume $PWD:/opt --volume /tmp:/tmp \
       --volume /etc/openstack:/etc/openstack:ro \
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
       --volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family']
       in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
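Review bot: Adding `'venafi'` to this condition makes the `osc` alias bind-mount `atmosphere.crt` whenever the issuer type is venafi, but that file only exists on hosts where the `Copy CA certificate on host` task from roles/cluster_issuer has run with `cluster_issuer_venafi_ca` set; if that variable is ever made optional, or this role runs on a host the cluster_issuer role did not touch, the mount source is absent and the runtime would likely create an empty directory in its place rather than fail loudly (inferred, not visible here). The matching condition changes in roles/openstack_cli/templates/openrc.j2 and roles/openstacksdk/templates/clouds.yaml.j2 rest on the same assumption and would point `OS_CACERT`/`cacert` at a missing file. Consider keying all three on the CA variable rather than the type alone, `{% if cluster_issuer_type is defined and (cluster_issuer_type in ('self-signed', 'ca') or (cluster_issuer_type == 'venafi' and cluster_issuer_venafi_ca is defined)) %}`, or state in the role docs that `cluster_issuer_venafi_ca` is mandatory for the venafi issuer. The alias definition continues past the end of the hunk.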
diff --git a/roles/openstack_cli/templates/openrc.j2 b/roles/openstack_cli/templates/openrc.j2
index a5d7acb..d8bed16 100644
--- a/roles/openstack_cli/templates/openrc.j2
+++ b/roles/openstack_cli/templates/openrc.j2
@@ -11,7 +11,7 @@
 export OS_PROJECT_DOMAIN_NAME=Default
 export OS_PROJECT_NAME=admin
 
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
 export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
 export OS_CACERT=/etc/ssl/certs/ca-certificates.crt
diff --git a/roles/openstacksdk/templates/clouds.yaml.j2 b/roles/openstacksdk/templates/clouds.yaml.j2
index 5b47879..4de4d22 100644
--- a/roles/openstacksdk/templates/clouds.yaml.j2
+++ b/roles/openstacksdk/templates/clouds.yaml.j2
@@ -8,7 +8,7 @@
       user_domain_name: Default
       project_domain_name: Default
     region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
     cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
     cacert: "/etc/ssl/certs/ca-certificates.crt"