chore(libvirt): add ca and issuer
diff --git a/Earthfile b/Earthfile
index 197fc0d..7a4cb11 100644
--- a/Earthfile
+++ b/Earthfile
@@ -45,16 +45,16 @@
 
 image:
   FROM python:3.10-slim
-  COPY +build.venv.runtime/venv /venv
-  COPY +build.collections/ /usr/share/ansible
   ENV ANSIBLE_PIPELINING=True
-  ENV PATH=/venv/bin:$PATH
   RUN \
     apt-get update && \
     apt-get install --no-install-recommends -y rsync openssh-client && \
     apt-get clean && \
     rm -rf /var/lib/apt/lists/*
   CMD ["/bin/bash"]
+  COPY +build.venv.runtime/venv /venv
+  ENV PATH=/venv/bin:$PATH
+  COPY +build.collections/ /usr/share/ansible
   ARG tag=latest
   SAVE IMAGE --push ghcr.io/vexxhost/atmosphere:${tag}
 
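Review bot: `CMD ["/bin/bash"]` now sits in the middle of the `image` target, ahead of the `COPY` and `ENV PATH` lines that were moved below the apt layer. Keeping it as the last instruction before `ARG tag` would make the runtime contract easier to find. The reorder looks intended to keep the apt layer cached when the venv or the collections change, although the commit does not say so. A comment such as `# COPY after apt-get so venv/collection changes do not invalidate the package layer` would record that intent.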
diff --git a/charts/libvirt/templates/certificate-ca.yaml b/charts/libvirt/templates/certificate-ca.yaml
new file mode 100644
index 0000000..d2182db
--- /dev/null
+++ b/charts/libvirt/templates/certificate-ca.yaml
@@ -0,0 +1,58 @@
+{{/*
+Copyright (c) 2023 VEXXHOST, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if eq .Values.conf.libvirt.listen_tls "1" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-api-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: {{ .Release.Name }}
+  duration: 87600h0m0s
+  isCA: true
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: self-signed
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  renewBefore: 720h0m0s
+  secretName: {{ .Release.Name }}-api-ca
+{{- end -}}
+{{- if eq .Values.conf.qemu.vnc_tls "1" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Release.Name }}-vnc-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  commonName: {{ .Release.Name }}
+  duration: 87600h0m0s
+  isCA: true
+  issuerRef:
+    group: cert-manager.io
+    kind: ClusterIssuer
+    name: self-signed
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  renewBefore: 720h0m0s
+  secretName: {{ .Release.Name }}-vnc-ca
+{{- end -}}
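Review bot: Both CA certificates are issued with `commonName: {{ .Release.Name }}`, so the API root and the VNC root carry the same subject and differ only by key. That makes it easy to confuse the two trust anchors when inspecting a chain or distributing `ca.crt`. Distinct subjects such as `commonName: {{ .Release.Name }}-api-ca` and `commonName: {{ .Release.Name }}-vnc-ca` would avoid this. The `issuerRef` also hard-codes a `ClusterIssuer` named `self-signed` that this chart does not create, so a template comment should state that prerequisite. The guard `eq .Values.conf.libvirt.listen_tls "1"` compares against a string; if an operator overrides the value with an unquoted `1`, the comparison will presumably fail at render time rather than enable TLS. Wrapping the value in `toString` would make it robust, and the same guards appear in issuer.yaml.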
diff --git a/charts/libvirt/templates/issuer.yaml b/charts/libvirt/templates/issuer.yaml
new file mode 100644
index 0000000..ac6cc3e
--- /dev/null
+++ b/charts/libvirt/templates/issuer.yaml
@@ -0,0 +1,38 @@
+{{/*
+Copyright (c) 2023 VEXXHOST, Inc.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+  http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/}}
+
+{{- if eq .Values.conf.libvirt.listen_tls "1" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-api-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: {{ .Release.Name }}-api-ca
+{{- end -}}
+{{- if eq .Values.conf.qemu.vnc_tls "1" }}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-vnc-ca
+  namespace: {{ .Release.Namespace }}
+spec:
+  ca:
+    secretName: {{ .Release.Name }}-vnc-ca
+{{- end -}}
diff --git a/charts/libvirt/templates/role-cert-manager.yaml b/charts/libvirt/templates/role-cert-manager.yaml
index 69370fc..d91a23b 100644
--- a/charts/libvirt/templates/role-cert-manager.yaml
+++ b/charts/libvirt/templates/role-cert-manager.yaml
@@ -1,4 +1,6 @@
 {{/*
+Copyright (c) 2023 VEXXHOST, Inc.
+
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
 You may obtain a copy of the License at
@@ -38,6 +40,8 @@
       - cert-manager.io
     verbs:
       - get
+      - list
+      - create
     resources:
       - certificates
 {{- end -}}
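Review bot: Adding `create` and `list` on `certificates` widens this Role beyond reading a known object, and nothing in the hunk explains why. Kubernetes RBAC cannot scope `create` by resource name, so the bound account can request a certificate with any subject from any issuer it can reference in this namespace, including the new `-api-ca` and `-vnc-ca` issuers. If the intent is for each libvirt pod to request its own host certificate, a comment such as `# create/list: pods request their own per-host certificate at startup` above the verbs would say so. It is also worth considering an issuance policy (for example cert-manager's approver-policy) to constrain the names and issuers the account may use. The start of this rule and the Role's binding are outside the hunk, so the subject that receives these verbs cannot be confirmed from here.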