feat(tls): Change Issuer to ClusterIssuer

ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, same
ClusterIssuer can be used instead of one Issuer per namespace.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359

Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf

cinder/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Cinder
 name: cinder
-version: 0.1.6
+version: 0.1.7
 home: https://docs.openstack.org/cinder/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Cinder/OpenStack_Project_Cinder_vertical.png
 sources:

cinder/values_overrides/tls.yaml

@@ -97,6 +97,7 @@ endpoints:
           secretName: cinder-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       internal: https
@@ -110,6 +111,7 @@ endpoints:
           secretName: cinder-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       internal: https
@@ -123,6 +125,7 @@ endpoints:
           secretName: cinder-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       internal: https

glance/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Glance
 name: glance
-version: 0.1.1
+version: 0.1.2
 home: https://docs.openstack.org/glance/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Glance/OpenStack_Project_Glance_vertical.png
 sources:

glance/values_overrides/tls.yaml

@@ -92,6 +92,7 @@ endpoints:
           secretName: glance-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       public: https
@@ -105,6 +106,7 @@ endpoints:
           secretName: glance-tls-reg
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       public: https

heat/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Heat
 name: heat
-version: 0.1.2
+version: 0.1.3
 home: https://docs.openstack.org/heat/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Heat/OpenStack_Project_Heat_vertical.png
 sources:

heat/values_overrides/tls.yaml

@@ -144,6 +144,7 @@ endpoints:
           secretName: heat-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:
@@ -156,6 +157,7 @@ endpoints:
           secretName: heat-tls-cfn
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:
@@ -169,7 +171,7 @@ endpoints:
           secretName: heat-tls-cloudwatch
           issuerRef:
             name: ca-issuer
-            kind: Issuer
+            kind: ClusterIssuer
   ingress:
     port:
       ingress:

horizon/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Horizon
 name: horizon
-version: 0.1.3
+version: 0.1.4
 home: https://docs.openstack.org/horizon/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Horizon/OpenStack_Project_Horizon_vertical.png
 sources:

horizon/values_overrides/tls.yaml

@@ -93,6 +93,7 @@ endpoints:
           secretName: horizon-tls-web
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       public: https

keystone/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Keystone
 name: keystone
-version: 0.1.3
+version: 0.1.4
 home: https://docs.openstack.org/keystone/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Keystone/OpenStack_Project_Keystone_vertical.png
 sources:

keystone/values_overrides/tls.yaml

@@ -68,7 +68,7 @@ endpoints:
           secretName: keystone-tls-api
           issuerRef:
             name: ca-issuer
-            kind: Issuer
+            kind: ClusterIssuer
     scheme:
       default: https
       public: https

neutron/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Neutron
 name: neutron
-version: 0.1.6
+version: 0.1.7
 home: https://docs.openstack.org/neutron/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Neutron/OpenStack_Project_Neutron_vertical.png
 sources:

neutron/values_overrides/tls.yaml

@@ -117,6 +117,7 @@ endpoints:
           secretName: neutron-tls-server
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:

nova/Chart.yaml

@@ -14,7 +14,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Nova
 name: nova
-version: 0.1.7
+version: 0.1.8
 home: https://docs.openstack.org/nova/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Nova/OpenStack_Project_Nova_vertical.png
 sources:

nova/values_overrides/tls.yaml

@@ -171,6 +171,7 @@ endpoints:
           secretName: nova-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: 'https'
     port:
@@ -183,6 +184,7 @@ endpoints:
           secretName: metadata-tls-metadata
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:
@@ -195,6 +197,7 @@ endpoints:
           secretName: nova-novncproxy-tls-proxy
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:
@@ -207,6 +210,7 @@ endpoints:
           secretName: nova-tls-spiceproxy
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
   placement:
@@ -216,6 +220,7 @@ endpoints:
           secretName: placement-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:

placement/Chart.yaml

@@ -16,7 +16,7 @@ apiVersion: v1
 appVersion: v1.0.0
 description: OpenStack-Helm Placement
 name: placement
-version: 0.1.4
+version: 0.1.5
 home: https://docs.openstack.org/placement/latest/
 icon: https://www.openstack.org/themes/openstack/images/project-mascots/Placement/OpenStack_Project_Placement_vertical.png
 sources:

placement/values_overrides/tls.yaml

@@ -68,6 +68,7 @@ endpoints:
           secretName: placement-tls-api
           issuerRef:
             name: ca-issuer
+            kind: ClusterIssuer
     scheme:
       default: https
     port:

tools/scripts/tls/cert-manager.sh

@@ -2,7 +2,7 @@
 
 set -eux
 
-: ${CERT_MANAGER_VERSION:="v0.15.0"}
+: ${CERT_MANAGER_VERSION:="v1.1.0"}
 
 cert_path="/etc/openstack-helm"
 ca_cert_root="$cert_path/certs/ca"
@@ -126,14 +126,12 @@ helm repo update
 helm install --name cert-manager --namespace cert-manager \
   --version ${CERT_MANAGER_VERSION} jetstack/cert-manager \
   --set installCRDs=true \
-  --set featureGates=ExperimentalCertificateControllers=true \
   --set extraArgs[0]="--enable-certificate-owner-ref=true"
 
 # helm 3 command
 # helm install cert-manager jetstack/cert-manager --namespace cert-manager \
 #   --version ${CERT_MANAGER_VERSION} \
 #   --set installCRDs=true \
-#.  --set featureGates=ExperimentalCertificateControllers=true \
 #   --set extraArgs[0]="--enable-certificate-owner-ref=true"
 
 helm repo remove jetstack
@@ -147,16 +145,15 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: ca-key-pair
-  namespace: openstack
+  namespace: cert-manager
 data:
   tls.crt: $crt
   tls.key: $key
 ---
-apiVersion: cert-manager.io/v1alpha3
-kind: Issuer
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
 metadata:
   name: ca-issuer
-  namespace: openstack
 spec:
   ca:
     secretName: ca-key-pair