Enable setting CA for Venafi (#1254)

doc/source/deploy/certificates.rst

@@ -216,6 +216,12 @@ you will need to configure the issuer.
 .. code-block:: yaml
 
   cluster_issuer_type: venafi
+  cluster_issuer_venafi_ca: |
+    -----BEGIN CERTIFICATE-----
+    MIIDBjCCAe4CCQDQ3Z0Z2Z0Z0jANBgkqhkiG9w0BAQsFADCBhTELMAkGA1UEBhMC
+    VVMxEzARBgNVBAgTCkNhbGlmb3JuaWExFjAUBgNVBAcTDVNhbiBGcmFuY2lzY28x
+    ...
+    -----END CERTIFICATE-----
   cluster_issuer_venafi_zone: <ZONE>
   cluster_issuer_venafi_tpp_url: <URL>
   cluster_issuer_venafi_tpp_ca_bundle: |
@@ -225,6 +231,12 @@ you will need to configure the issuer.
     ...
     -----END CERTIFICATE-----
 
+.. note::
+
+   If your issuer is an intermediate certificate, you will need to ensure that
+   the ``certificate`` key includes the full chain in the correct order of issuer,
+   intermediate(s), then root.
+
 Authentication
 ~~~~~~~~~~~~~~
 

roles/cluster_issuer/defaults/main.yml

@@ -30,6 +30,7 @@ cluster_issuer_acme_cloudflare_email: "{{ cluster_issuer_acme_email }}"
 #cluster_issuer_acme_cloudflare_api_token: <CLOUDFLARE_API_TOKEN>
 
 cluster_issuer_venafi_secret_name: cert-manager-venafi-credentials
+# cluster_issuer_venafi_ca:
 # cluster_issuer_venafi_access_token:
 # cluster_issuer_venafi_username:
 # cluster_issuer_venafi_password:

roles/cluster_issuer/tasks/type/venafi/main.yml

@@ -64,3 +64,11 @@
             caBundle: "{{ cluster_issuer_venafi_tpp_ca_bundle }}"
             credentialsRef:
               name: "{{ cluster_issuer_venafi_secret_name }}"
+
+- name: Copy CA certificate on host
+  ansible.builtin.copy:
+    content: "{{ cluster_issuer_venafi_ca }}"
+    dest: "{{ '/usr/local/share/ca-certificates' if ansible_facts['os_family'] in ['Debian'] else '/etc/pki/ca-trust/source/anchors' }}/atmosphere.crt"
+    mode: "0644"
+  notify:
+    - Update CA certificates on host

roles/openstack_cli/templates/atmosphere.sh.j2

@@ -1,7 +1,7 @@
 alias osc='nerdctl run --rm --network host \
       --volume $PWD:/opt --volume /tmp:/tmp \
       --volume /etc/openstack:/etc/openstack:ro \
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
       --volume {{ '/usr/local/share/ca-certificates/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' if ansible_facts['os_family']
       in ['Debian'] else '/etc/pki/ca-trust/source/anchors/atmosphere.crt:/usr/local/share/ca-certificates/atmosphere.crt:ro' }} \
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}

roles/openstack_cli/templates/openrc.j2

@@ -11,7 +11,7 @@ export OS_PASSWORD="{{ openstack_helm_endpoints['identity']['auth']['admin']['pa
 export OS_PROJECT_DOMAIN_NAME=Default
 export OS_PROJECT_NAME=admin
 
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
 export OS_CACERT=/usr/local/share/ca-certificates/atmosphere.crt
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
 export OS_CACERT=/etc/ssl/certs/ca-certificates.crt

roles/openstacksdk/templates/clouds.yaml.j2

@@ -8,7 +8,7 @@ clouds:
       user_domain_name: Default
       project_domain_name: Default
     region_name: "{{ openstack_helm_endpoints_keystone_region_name }}"
-{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca') %}
+{% if cluster_issuer_type is defined and cluster_issuer_type in ('self-signed', 'ca', 'venafi') %}
     cacert: "/usr/local/share/ca-certificates/atmosphere.crt"
 {% elif cluster_issuer_acme_private_ca is defined and cluster_issuer_acme_private_ca | bool %}
     cacert: "/etc/ssl/certs/ca-certificates.crt"