Set issuer config separately in values
diff --git a/charts/libvirt/templates/daemonset-libvirt.yaml b/charts/libvirt/templates/daemonset-libvirt.yaml
index b2a2bce..35cd6e1 100644
--- a/charts/libvirt/templates/daemonset-libvirt.yaml
+++ b/charts/libvirt/templates/daemonset-libvirt.yaml
@@ -89,9 +89,9 @@
             - name: TYPE
               value: api
             - name: ISSUER_KIND
-              value: {{ .Values.conf.libvirt.issuer.kind }}
+              value: {{ .Values.issuers.libvirt.kind }}
             - name: ISSUER_NAME
-              value: {{ .Values.conf.libvirt.issuer.name }}
+              value: {{ .Values.issuers.libvirt.name }}
             - name: POD_UID
               valueFrom:
                 fieldRef:
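Review bot: The templated `value:` lines for `ISSUER_KIND` and `ISSUER_NAME` in this hunk, and the matching pair in the `TYPE: vnc` hunk below, are emitted unquoted. An empty override therefore renders as null, and a boolean- or number-looking one is retyped by the YAML parser before the manifest reaches the API server, which expects a string for an env `value`. Piping through quote keeps the output a string for any input: `value: {{ .Values.issuers.libvirt.kind | quote }}`, and likewise for `name` and the two `vencrypt` lines. The container spec these entries belong to starts and ends outside the hunk.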
@@ -126,9 +126,9 @@
             - name: TYPE
               value: vnc
             - name: ISSUER_KIND
-              value: {{ .Values.conf.vencrypt.issuer.kind }}
+              value: {{ .Values.issuers.vencrypt.kind }}
             - name: ISSUER_NAME
-              value: {{ .Values.conf.vencrypt.issuer.name }}
+              value: {{ .Values.issuers.vencrypt.name }}
             - name: POD_UID
               valueFrom:
                 fieldRef:
diff --git a/charts/libvirt/values.yaml b/charts/libvirt/values.yaml
index 7314f78..60653f0 100644
--- a/charts/libvirt/values.yaml
+++ b/charts/libvirt/values.yaml
@@ -90,6 +90,17 @@
   configmap: ceph-etc
   user_secret_name: pvc-ceph-client-key
 
+# Issuers for TLS certificates
+issuers:
+  # Issuer to issue a certificate for libvirt api when listen_tls is enabled
+  libvirt:
+    kind: ClusterIssuer
+    name: ca-clusterissuer
+  # Issuer to issue a certificate for vencrypt
+  vencrypt:
+    kind: ClusterIssuer
+    name: ca-clusterissuer
+
 conf:
   ceph:
     enabled: true
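Review bot: Overrides still written under `conf.libvirt.issuer` or `conf.vencrypt.issuer` are no longer read after this move. Because the new `issuers:` block carries defaults, the chart would fall back to `ca-clusterissuer` without any error. For a deployment that had pinned a dedicated CA under the old keys, that changes which authority signs the libvirt API and VNC certificates. The comment on `issuers:` should say so, for example `# Replaces conf.libvirt.issuer and conf.vencrypt.issuer; values under the old keys are ignored`. A render-time failure when the old keys are present would be stronger, but the templates that would host it are outside this hunk.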
@@ -105,10 +116,6 @@
         secret_uuid: null
         user_secret_name: null
   libvirt:
-    # Issuer to issue a certificate for libvirt api when listen_tls is enabled.
-    issuer:
-      kind: ClusterIssuer
-      name: ca-clusterissuer
     listen_tcp: "1"
     listen_tls: "0"
     auth_tcp: "none"
@@ -125,13 +132,9 @@
     stdio_handler: "file"
     user: "nova"
     group: "kvm"
+    default_tls_x509_cert_dir: /etc/pki/qemu
   kubernetes:
     cgroup: "kubepods.slice"
-  vencrypt:
-    # Issuer to use for the vencrypt certs.
-    issuer:
-      kind: ClusterIssuer
-      name: ca-clusterissuer
 
 pod:
   probes:
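Review bot: `default_tls_x509_cert_dir` is added unquoted and without a comment, while its neighbours (`stdio_handler`, `user`, `group`) are quoted strings, and it is not part of the issuer move the commit title describes. Write it as `default_tls_x509_cert_dir: "/etc/pki/qemu"` and add a one-line comment saying which certificates are expected in that directory. The mapping this key lands in opens above the hunk, so which config section receives it cannot be confirmed from here.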
diff --git a/hack/sync-charts.sh b/hack/sync-charts.sh
index 5de6162..7eddf21 100755
--- a/hack/sync-charts.sh
+++ b/hack/sync-charts.sh
@@ -109,7 +109,7 @@
 LIBVIRT_VERSION=0.1.23
 curl -sL https://tarballs.opendev.org/openstack/openstack-helm-infra/libvirt-${LIBVIRT_VERSION}.tgz \
   | tar -xz -C ${ATMOSPHERE}/charts
-curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm-infra~893406/revisions/4/patch?download' \
+curl 'https://review.opendev.org/changes/openstack%2Fopenstack-helm-infra~893406/revisions/5/patch?download' \
   | base64 --decode \
   | filterdiff -p1 -x 'releasenotes/*' \
   | filterdiff -p2 -x 'Chart.yaml' \
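Review bot: The changed `curl` line has no `-f`, so an HTTP error body from the review server is piped into `base64 --decode` and `filterdiff` as if it were the patch; `curl -fsSL '…/revisions/5/patch?download' \` makes the download fail instead. Whether the script sets `pipefail` is not visible here, and without it a failed download mid-pipeline would not stop the sync. Neither the chart tarball nor the patch is checked against a recorded digest, so the vendored chart is whatever the server returns at sync time; recording a SHA-256 for each and verifying it before extraction would close that gap. The pipeline continues past the end of the hunk.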
diff --git a/roles/libvirt/vars/main.yml b/roles/libvirt/vars/main.yml
index 0eef048..7bda6b5 100644
--- a/roles/libvirt/vars/main.yml
+++ b/roles/libvirt/vars/main.yml
@@ -23,9 +23,6 @@
     ceph:
       enabled: "{{ atmosphere_ceph_enabled | default(true) | bool }}"
     libvirt:
-      issuer:
-        kind: Issuer
-        name: libvirt-api-ca
       listen_tcp: "0"
       listen_tls: "1"
       listen_addr: 0.0.0.0
@@ -33,7 +30,10 @@
       default_tls_x509_cert_dir: /etc/pki/qemu
       default_tls_x509_verify: "1"
       vnc_tls: "1"
+  issuers:
+    libvirt:
+      kind: Issuer
+      name: libvirt-api-ca
     vencrypt:
-      issuer:
-        kind: Issuer
-        name: libvirt-vnc-ca
+      kind: Issuer
+      name: libvirt-vnc-ca