
[tlse] allow custom issuer for any CA type #713

Merged

Conversation

stuggi
Contributor

@stuggi stuggi commented Mar 15, 2024

Allow pre-creating a CA cert and issuer and configuring that issuer to be used for the CA type. Creation of the default CA/issuer for that type will be skipped. Instead, the provided issuer will be used and its CA cert added to the bundle. If any CA chain is required, it must be added via the CustomCABundle.

Jira: OSPRH-5600

@stuggi stuggi requested review from olliewalsh and rebtoor March 15, 2024 15:34
@openshift-ci openshift-ci bot requested review from dprince and frenzyfriday March 15, 2024 15:34
@stuggi stuggi requested review from vakwetu, Deydra71 and xek and removed request for dprince, rebtoor and frenzyfriday March 15, 2024 15:34
@stuggi
Contributor Author

stuggi commented Mar 15, 2024

Pre-create a custom CA cert and issuer for the CA type they should be used for. In this example, a rootca-internal-custom and a rootca-public-custom were created:

```
$ oc get cert
NAME                     READY   SECRET                  AGE
rootca-internal-custom   False   rootca-internal         77s
rootca-public-custom     True    rootca-public-custom    44m

$ oc get issuer
NAME                       READY   AGE
rootca-internal-custom     True    2s
rootca-public-custom       True    46m
selfsigned-issuer-custom   True    47m
```

Configure in the osctlplane tls section for which type it should be used:

```yaml
apiVersion: core.openstack.org/v1beta1
kind: OpenStackControlPlane
metadata:
  name: openstack-network-isolation-ceph
spec:
  tls:
    ingress:
      ca:
        customIssuer: rootca-public-custom
      enabled: true
    podLevel:
      enabled: true
      internal:
        ca:
          customIssuer: rootca-internal-custom
```

The operator will skip creating the default CA cert and issuer for those and use the issuer to get certificates for the services:

```
$ oc get cert
NAME                         READY   SECRET                            AGE
galera-openstack-cell1-svc   True    cert-galera-openstack-cell1-svc   3s
galera-openstack-svc         True    cert-galera-openstack-svc         3s
rootca-internal-custom       True    rootca-internal-custom            111s
rootca-ovn                   True    rootca-ovn                        3s
rootca-public-custom         True    rootca-public-custom              47m
```

=> no custom issuer for ovn was created and specified, so it got created

The custom-created issuers get the labels from the operator, so that they can be identified by the known label selectors:

```
$ oc get issuer rootca-public-custom -o yaml | yq .metadata.labels
osp-rootca-issuer-public: ""

$ oc get issuer rootca-internal-custom -o yaml | yq .metadata.labels
osp-rootca-issuer-internal: ""
```

The custom CA certs from their CA secret get added to the bundle by the operator. If some other CA chain is required, it needs to be added via the CustomCaBundle secret.

Certs for the services now get issued using the custom issuer, e.g. keystone internal:

```
$ oc get cert keystone-internal-svc -o yaml | yq .spec.issuerRef
group: cert-manager.io
kind: Issuer
name: rootca-internal-custom
```

@stuggi
Contributor Author

stuggi commented Mar 15, 2024

In a follow-up, a check that the issuer exists could be added to the validation webhook.
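The issuer selection described in the comments above, as an added example in Go that is not the operator's own code: it models how a configured customIssuer replaces the default rootca-&lt;type&gt; cert/issuer, the label the operator applies so the known label selectors still match, and the issuer-exists check proposed for the validation webhook. The type names, function signatures and the label for the ovn type are assumptions, and the issuer inventory is constructed from the `oc get issuer` output in the thread.

```go
package main

import "fmt"

// IssuerRef mirrors the cert-manager spec.issuerRef fields shown in the PR.
type IssuerRef struct{ Group, Kind, Name string }

// ResolveIssuer picks the issuer for a CA type ("public", "internal", "ovn").
// An empty customIssuer means the operator creates the default rootca-<type>
// cert and issuer; otherwise the default is skipped and the given issuer is
// used. The label follows the osp-rootca-issuer-<type> pattern the PR shows
// for public and internal (assumed here to hold for other types as well).
func ResolveIssuer(caType, customIssuer string) (IssuerRef, bool, map[string]string) {
	name, createDefault := customIssuer, false
	if name == "" {
		name, createDefault = "rootca-"+caType, true
	}
	labels := map[string]string{"osp-rootca-issuer-" + caType: ""}
	return IssuerRef{Group: "cert-manager.io", Kind: "Issuer", Name: name}, createDefault, labels
}

// ValidateCustomIssuer is the webhook check proposed in the follow-up comment:
// a referenced custom issuer must already exist in the namespace.
func ValidateCustomIssuer(customIssuer string, existing map[string]bool) error {
	if customIssuer == "" {
		return nil // nothing referenced; the operator creates the default
	}
	if !existing[customIssuer] {
		return fmt.Errorf("customIssuer %q not found", customIssuer)
	}
	return nil
}

func main() {
	// Constructed issuer inventory mirroring the `oc get issuer` output above.
	existing := map[string]bool{"rootca-internal-custom": true, "rootca-public-custom": true}
	cases := []struct{ caType, custom string }{
		{"public", "rootca-public-custom"},
		{"internal", "rootca-internal-custom"},
		{"ovn", ""}, // no custom issuer configured, so rootca-ovn gets created
	}
	for _, c := range cases {
		ref, create, labels := ResolveIssuer(c.caType, c.custom)
		fmt.Printf("%-8s issuer=%-24s createDefault=%-5v labels=%v validate=%v\n",
			c.caType, ref.Name, create, labels, ValidateCustomIssuer(c.custom, existing))
	}
}
```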

@stuggi stuggi requested review from dprince and abays March 15, 2024 16:08

Build failed (check pipeline). Post recheck (without leading slash) to rerun all jobs. Make sure the failure cause has been resolved before you rerun jobs.

https://review.rdoproject.org/zuul/buildset/a6fdf2856aab470796c7e87b59e619a3

✔️ openstack-k8s-operators-content-provider SUCCESS in 1h 47m 13s
podified-multinode-edpm-deployment-crc RETRY_LIMIT in 4s
cifmw-crc-podified-edpm-baremetal RETRY_LIMIT in 4s
cifmw-data-plane-adoption-osp-17-to-extracted-crc RETRY_LIMIT in 3s
✔️ openstack-operator-tempest-multinode SUCCESS in 1h 28m 09s

@stuggi
Contributor Author

stuggi commented Mar 16, 2024

/test openstack-operator-build-deploy-kuttl

@stuggi
Contributor Author

stuggi commented Mar 16, 2024

recheck

@stuggi
Contributor Author

stuggi commented Mar 16, 2024

/test openstack-operator-build-deploy-kuttl

Allow to pre-create CA cert and issuer and configure the issuer
to be used for the CA type. Creation of the default CA/issuer
for that type will be skipped. Instead the provided issuer
will be used and its CA cert added to the bundle. If there is any
CA chain required, this must be added via the CustomCABundle.

Jira: OSPRH-5600
Contributor

openshift-ci bot commented Mar 18, 2024

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Deydra71, stuggi

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-merge-bot openshift-merge-bot bot merged commit 453b474 into openstack-k8s-operators:main Mar 18, 2024
7 checks passed