feat: refactor cert-manager issuer for better default

Default all the services to use the 'understack-cluster-issuer' which is
documented as the issuer that needs to be provided to create HTTPS
entries for everything. This removes the amount of configuration that
needs to be done per deployment.

Author: cardoe

apps/appsets/components.yaml

@@ -50,9 +50,6 @@ spec:
                               - op: replace
                                 path: /spec/tls/0/hosts/0
                                 value: dex.{{index .metadata.annotations "dns_zone" }}
-                              - op: replace
-                                path: '/metadata/annotations/cert-manager.io~1cluster-issuer'
-                                value: 'understack-cluster-issuer'
                     - repoURL: '{{index .metadata.annotations "uc_deploy_git_url"}}'
                       targetRevision: '{{index .metadata.annotations "uc_deploy_ref"}}'
                       ref: deploy
@@ -85,9 +82,6 @@ spec:
                         releaseName: nautobot
                         valuesObject:
                           ingress:
-                            annotations:
-                              cert-manager.io/cluster-issuer: 'understack-cluster-issuer'
-                              nginx.ingress.kubernetes.io/backend-protocol: HTTPS
                             hostname: 'nautobot.{{index .metadata.annotations "dns_zone" }}'
                         valueFiles:
                           - $understack/components/nautobot/nautobot-values.yaml
@@ -158,9 +152,6 @@ spec:
                             - op: replace
                               path: /spec/tls/0/hosts/0
                               value: workflows.{{index .metadata.annotations "dns_zone" }}
-                            - op: replace
-                              path: '/metadata/annotations/cert-manager.io~1cluster-issuer'
-                              value: 'understack-cluster-issuer'
                 - component: argo-events
                   skipComponent: '{{has "argo-events" ((default "[]" (index .metadata.annotations "uc_skip_components") | fromJson))}}'
                   sources:

components/argo/ingress.yaml

@@ -3,7 +3,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   annotations:
-    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    cert-manager.io/cluster-issuer: understack-cluster-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
     nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
   name: argo-workflows

components/dex/ingress.yaml

@@ -3,7 +3,7 @@ kind: Ingress
 metadata:
   name: dex
   annotations:
-    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    cert-manager.io/cluster-issuer: understack-cluster-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTP
 spec:
   ingressClassName: nginx

components/glance/aio-values.yaml

@@ -17,12 +17,25 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: glance-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 network:
   # configure OpenStack Helm to use Undercloud's ingress
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 # Glance storage backend
 # we'll switch to radosgw in the future

components/horizon/aio-values.yaml

@@ -14,11 +14,27 @@ conf:
         allowed_hosts:
           - '*'
 
+endpoints:
+  dashboard:
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: keystone-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
+
 network:
   # configure OpenStack Helm to use Undercloud's ingress
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  dashboard:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 # (nicholas.kuechler) updating the jobs list to remove the 'horizon-db-init' job.
 dependencies:

components/ironic/aio-values.yaml

@@ -82,6 +82,13 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: ironic-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 network:
   api:
@@ -92,6 +99,8 @@ network:
         cluster: "nginx-openstack"
       annotations:
         nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
     external_policy_local: false
     node_port:
       enabled: false

components/keystone/aio-values.yaml

@@ -98,6 +98,12 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  api:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 dependencies:
   static:
@@ -317,6 +323,13 @@ endpoints:
     port:
       api:
         public: 443
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: keystone-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 manifests:
   job_credential_cleanup: false

components/nautobot/nautobot-values.yaml

@@ -66,5 +66,5 @@ ingress:
   tls: true
   secretName: "nautobot-ingress-tls"
   annotations:
-    cert-manager.io/cluster-issuer: selfsigned-cluster-issuer
+    cert-manager.io/cluster-issuer: understack-cluster-issuer
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS

components/neutron/aio-values.yaml

@@ -17,6 +17,13 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: neutron-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 
 network:
@@ -28,6 +35,12 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  server:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 conf:
   plugins:

components/nova/aio-values.yaml

@@ -24,6 +24,13 @@ endpoints:
         public: 443
     scheme:
       public: https
+    host_fqdn_override:
+      public:
+        tls:
+          secretName: nova-tls-public
+          issuerRef:
+            name: understack-cluster-issuer
+            kind: ClusterIssuer
 
 network:
   # we're using ironic and actual switches
@@ -34,6 +41,12 @@ network:
   # instead of expecting the ingress controller provided
   # by OpenStack Helm
   use_external_ingress_controller: true
+  osapi:
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/rewrite-target: /
+        # set our default issuer
+        cert-manager.io/cluster-issuer: understack-cluster-issuer
 
 conf:
   ceph: