Apply new openstack-operator config

tests/config/base/openstack_control_plane.yaml

@@ -7,11 +7,18 @@ spec:
   storageClass: local-storage
 
   tls:
-    endpoint:
+    podLevel:
+      enabled: true
       internal:
-        enabled: true
-      public:
-        enabled: true
+        ca:
+          customIssuer: rootca-internal
+      ovn:
+        ca:
+          customIssuer: rootca-internal
+    ingress:
+      ca:
+        customIssuer: rootca-internal
+      enabled: true
 
   barbican:
     enabled: false

tests/roles/ovn_adoption/handlers/main.yaml

@@ -4,3 +4,5 @@
     {{ oc_header }}
     oc delete pod ovn-copy-data
     {% if storage_reclaim_policy.lower() == "delete" %}oc delete pvc ovn-data{% endif %}
+    oc delete certificate ovn-data-cert
+    oc delete secret ovn-data-cert

tests/roles/pcp_cleanup/tasks/main.yaml

@@ -20,6 +20,8 @@
 
     oc delete --wait=false pod ovn-copy-data || true
     oc delete secret osp-secret || true
+    oc delete issuer rootca-internal --ignore-not-found
+    oc delete secret rootca-internal --ignore-not-found
   when: pcp_cleanup_enabled|bool
 
 - name: revert standalone VM to snapshotted state

tests/roles/tls_adoption/tasks/main.yaml

@@ -1,60 +1,29 @@
-- name: patch rootca-internal with cert and key from IPA
+- name: Create Certificate Issuer with cert and key from IPA
   ansible.builtin.shell: |
     {{ shell_header }}
     {{ oc_header }}
     IPA_SSH="{{ ipa_ssh }}"
     $IPA_SSH pk12util -o /tmp/freeipa.p12 -n 'caSigningCert\ cert-pki-ca' -d /etc/pki/pki-tomcat/alias -k /etc/pki/pki-tomcat/alias/pwdfile.txt -w /etc/pki/pki-tomcat/alias/pwdfile.txt
     KEY_LENGTH=`$IPA_SSH openssl pkcs12 -in /tmp/freeipa.p12 -passin file:/etc/pki/pki-tomcat/alias/pwdfile.txt -nocerts -noenc | openssl rsa -text -noout | awk -F'[^0-9]+' '{ print $2; exit }'`
 
-    oc apply -f - <<EOF
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      name: openstack
-    ---
-    apiVersion: cert-manager.io/v1
-    kind: Issuer
-    metadata:
-      name: selfsigned-issuer
-      namespace: openstack
-    spec:
-      selfSigned: {}
-    ---
-    apiVersion: cert-manager.io/v1
-    kind: Certificate
-    metadata:
-      name: rootca-internal
-      namespace: openstack
-    spec:
-      isCA: true
-      commonName: rootca-internal
-      secretName: rootca-internal
-      privateKey:
-        algorithm: RSA
-        size: $KEY_LENGTH
-      issuerRef:
-        name: selfsigned-issuer
-    EOF
+    oc create secret generic rootca-internal
 
-    oc wait --for=condition=ready --timeout=60s -n openstack certificate rootca-internal
-    
     oc patch secret rootca-internal -n openstack -p="{\"data\":{\"ca.crt\": \"`$IPA_SSH openssl pkcs12 -in /tmp/freeipa.p12 -passin file:/etc/pki/pki-tomcat/alias/pwdfile.txt -nokeys | openssl x509 | base64 -w 0`\"}}"
 
     oc patch secret rootca-internal -n openstack -p="{\"data\":{\"tls.crt\": \"`$IPA_SSH openssl pkcs12 -in /tmp/freeipa.p12 -passin file:/etc/pki/pki-tomcat/alias/pwdfile.txt -nokeys | openssl x509 | base64 -w 0`\"}}"
 
     oc patch secret rootca-internal -n openstack -p="{\"data\":{\"tls.key\": \"`$IPA_SSH openssl pkcs12 -in /tmp/freeipa.p12 -passin file:/etc/pki/pki-tomcat/alias/pwdfile.txt -nocerts -noenc | openssl rsa | base64 -w 0`\"}}"
 
     oc apply -f - <<EOF
-    apiVersion: v1
-    kind: Namespace
-    metadata:
-      name: openstack
-    ---
     apiVersion: cert-manager.io/v1
     kind: Issuer
     metadata:
       name: rootca-internal
       namespace: openstack
+      labels:
+        osp-rootca-issuer-public: ""
+        osp-rootca-issuer-internal: ""
+        osp-rootca-issuer-ovn: ""
     spec:
       ca:
         secretName: rootca-internal