feat(tls): Change Issuer to ClusterIssuer

ClusterIssuer does not belong to a single namespace (unlike Issuer)
and can be referenced by Certificate resources from multiple different
namespaces. When internal TLS is added to multiple namespaces, the same
ClusterIssuer can be used instead of one Issuer per namespace.

Depends-on: https://review.opendev.org/c/openstack/openstack-helm-infra/+/766359

Change-Id: I6585d5a8c2ccb507a5c99784c0190502b55a5bcf
sgupta
2020-12-09 22:51:44 +00:00
committed by Nafiz Haider
parent 0a1d6aeb94
commit 43e75eaa83
17 changed files with 29 additions and 17 deletions


@@ -2,7 +2,7 @@
set -eux
: ${CERT_MANAGER_VERSION:="v0.15.0"}
: ${CERT_MANAGER_VERSION:="v1.1.0"}
cert_path="/etc/openstack-helm"
ca_cert_root="$cert_path/certs/ca"
@@ -126,14 +126,12 @@ helm repo update
helm install --name cert-manager --namespace cert-manager \
--version ${CERT_MANAGER_VERSION} jetstack/cert-manager \
--set installCRDs=true \
--set featureGates=ExperimentalCertificateControllers=true \
--set extraArgs[0]="--enable-certificate-owner-ref=true"
# helm 3 command
# helm install cert-manager jetstack/cert-manager --namespace cert-manager \
# --version ${CERT_MANAGER_VERSION} \
# --set installCRDs=true \
#. --set featureGates=ExperimentalCertificateControllers=true \
# --set extraArgs[0]="--enable-certificate-owner-ref=true"
helm repo remove jetstack
@@ -147,16 +145,15 @@ apiVersion: v1
kind: Secret
metadata:
name: ca-key-pair
namespace: openstack
namespace: cert-manager
data:
tls.crt: $crt
tls.key: $key
---
apiVersion: cert-manager.io/v1alpha3
kind: Issuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: ca-issuer
namespace: openstack
spec:
ca:
secretName: ca-key-pair
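Review bot: With `kind: ClusterIssuer` in the last hunk, `ca-issuer` is no longer bounded by the `openstack` namespace, so any principal allowed to create a Certificate in any namespace can obtain a leaf signed by the CA held in `ca-key-pair`; nothing in the visible change documents or limits that. I would add a comment above the manifest such as `# ca-issuer is cluster-scoped: restrict create on Certificate resources via RBAC to namespaces that should get internal TLS`, and keep read access to Secrets in `cert-manager` limited to the controller. The Secret's hard-coded `namespace: cert-manager` only works while the controller's cluster resource namespace is the install namespace from the second hunk, which is worth stating next to it. Separately, the script runs under `set -eux` and interpolates `$key` into the Secret; if `key` is assigned in this script (the assignment is outside the visible hunks), xtrace would write the base64 CA private key to the job log, so that assignment could be wrapped in `set +x` / `set -x` now that the key signs for the whole cluster.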