[tlse] allow custom issuer for any CA type

apis/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -16320,6 +16320,8 @@ spec:
                     properties:
                       ca:
                         properties:
+                          customIssuer:
+                            type: string
                           duration:
                             type: string
                           renewBefore:
@@ -16343,6 +16345,8 @@ spec:
                         properties:
                           ca:
                             properties:
+                              customIssuer:
+                                type: string
                               duration:
                                 type: string
                               renewBefore:
@@ -16360,6 +16364,8 @@ spec:
                         properties:
                           ca:
                             properties:
+                              customIssuer:
+                                type: string
                               duration:
                                 type: string
                               renewBefore:

apis/core/v1beta1/openstackcontrolplane_types.go

@@ -30,6 +30,7 @@ import (
 	keystonev1 "github.com/openstack-k8s-operators/keystone-operator/api/v1beta1"
 	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/route"
+	"github.com/openstack-k8s-operators/lib-common/modules/common/service"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/tls"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/util"
 	"github.com/openstack-k8s-operators/lib-common/modules/storage"
@@ -53,6 +54,8 @@ const (
 
 	// RabbitMqContainerImage is the fall-back container image for RabbitMQ
 	RabbitMqContainerImage = "quay.io/podified-antelope-centos9/openstack-rabbitmq:current-podified"
+
+	OvnDbCaName = tls.DefaultCAPrefix + "ovn"
 )
 
 // OpenStackControlPlaneSpec defines the desired state of OpenStackControlPlane
@@ -243,7 +246,19 @@ type CertSection struct {
 	// +kubebuilder:validation:Optional
 	// +operator-sdk:csv:customresourcedefinitions:type=spec
 	// Ca - defines details for CA cert config
-	Ca CertConfig `json:"ca,omitempty"`
+	Ca CACertConfig `json:"ca,omitempty"`
+}
+
+// CACertConfig defines details for ca cert configs
+type CACertConfig struct {
+	// +kubebuilder:validation:optional
+	//+operator-sdk:csv:customresourcedefinitions:type=spec
+	CertConfig `json:",inline"`
+
+	// +kubebuilder:validation:Optional
+	// CustomIssuer - use pre-created issue for this CA. No CA and issure is being created
+	// the CA cert and chain needs to be added using the CaBundleSecretName.
+	CustomIssuer *string `json:"customIssuer,omitempty"`
 }
 
 // CertConfig defines details for cert configs
@@ -826,3 +841,38 @@ func SetupDefaults() {
 
 	SetupOpenStackControlPlaneDefaults(openstackControlPlaneDefaults)
 }
+
+// IsCustomIssuer - returns true if CustomIssuer is provided and not empty string
+func (ca CACertConfig) IsCustomIssuer() bool {
+	return ca.CustomIssuer != nil && *ca.CustomIssuer != ""
+}
+
+// GetPublicIssuer - returns the public CA issuer name or custom if configured
+func (instance OpenStackControlPlane) GetPublicIssuer() string {
+	// use custom issuer if set
+	if instance.Spec.TLS.Ingress.Ca.IsCustomIssuer() {
+		return *instance.Spec.TLS.Ingress.Ca.CustomIssuer
+	}
+
+	return tls.DefaultCAPrefix + string(service.EndpointPublic)
+}
+
+// GetInternalIssuer - returns the internal CA issuer name or custom if configured
+func (instance OpenStackControlPlane) GetInternalIssuer() string {
+	// use custom issuer if set
+	if instance.Spec.TLS.PodLevel.Internal.Ca.IsCustomIssuer() {
+		return *instance.Spec.TLS.PodLevel.Internal.Ca.CustomIssuer
+	}
+
+	return tls.DefaultCAPrefix + string(service.EndpointInternal)
+}
+
+// GetOvnIssuer - returns the ovn CA issuer name or custom if configured
+func (instance OpenStackControlPlane) GetOvnIssuer() string {
+	// use custom issuer if set
+	if instance.Spec.TLS.PodLevel.Ovn.Ca.IsCustomIssuer() {
+		return *instance.Spec.TLS.PodLevel.Ovn.Ca.CustomIssuer
+	}
+
+	return OvnDbCaName
+}

config/crd/bases/core.openstack.org_openstackcontrolplanes.yaml

@@ -16320,6 +16320,8 @@ spec:
                     properties:
                       ca:
                         properties:
+                          customIssuer:
+                            type: string
                           duration:
                             type: string
                           renewBefore:
@@ -16343,6 +16345,8 @@ spec:
                         properties:
                           ca:
                             properties:
+                              customIssuer:
+                                type: string
                               duration:
                                 type: string
                               renewBefore:
@@ -16360,6 +16364,8 @@ spec:
                         properties:
                           ca:
                             properties:
+                              customIssuer:
+                                type: string
                               duration:
                                 type: string
                               renewBefore:

go.mod

@@ -22,7 +22,7 @@ require (
 	github.com/openstack-k8s-operators/infra-operator/apis v0.3.1-0.20240308113717-eaf5876d69c3
 	github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91
 	github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba
-	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240313084555-12e3d33d7a2d
+	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240314165949-fec16b14c33b
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.3.1-0.20240306153230-dc65ab49ebc0
 	github.com/openstack-k8s-operators/manila-operator/api v0.3.1-0.20240305194401-0fda28a84acb

go.sum

@@ -105,8 +105,8 @@ github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-2
 github.com/openstack-k8s-operators/ironic-operator/api v0.3.1-0.20240229174131-28e3aee56d91/go.mod h1:Yac7wRClzl1/a7uBso4w8wq6Rjm+JLIouEsLre7VSDE=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba h1:0wfKrQMGwjh/kKTH/UpZGKk91HrnReYieHFG73OC+Vg=
 github.com/openstack-k8s-operators/keystone-operator/api v0.3.1-0.20240310093110-b4b2614f40ba/go.mod h1:gB/IeXuvocAv0yNSf79U1lBHhbx6fdWUB501xFJ0l+A=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240313084555-12e3d33d7a2d h1:IjMM7Ci7JkrefHtuMGkiB/A+xWKPMxJHG9yjr2SGH08=
-github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240313084555-12e3d33d7a2d/go.mod h1:RV+rktKvegjYBQLuBKt8ax29UMqsU/D/sfSjQPr6XIs=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240314165949-fec16b14c33b h1:Umvz8j2ySAAo7CbDIigCU9QcU1jywkkofNpjF4i3uKk=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.0.0-20240314165949-fec16b14c33b/go.mod h1:RV+rktKvegjYBQLuBKt8ax29UMqsU/D/sfSjQPr6XIs=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0 h1:1Q/9F3SAKvLN9vX+YxwaEB0WvBekj9eakQPoQbI1K6w=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.3.1-0.20240306153230-dc65ab49ebc0/go.mod h1:R2plZL2JdwDMJwv9+pkPmCB1Mww81J75G0MxRzi2Kug=
 github.com/openstack-k8s-operators/lib-common/modules/openstack v0.3.1-0.20240306153230-dc65ab49ebc0 h1:HRoVOnK5nOSvYKU3Y2N8Ed2SikuRQYSRESeo/ILv0vM=