Use EnsureCert from lib-common

This is test. If it will work fine, should be merged with previous
commits

Signed-off-by: Slawek Kaplonski <skaplons@redhat.com>

Author: slawqo

go.mod

@@ -10,6 +10,7 @@ require (
 	github.com/onsi/ginkgo/v2 v2.28.2
 	github.com/onsi/gomega v1.39.1
 	github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260416122644-5476763a36b6
+	github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260417092244-81c71b39e981
 	github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260417092244-81c71b39e981
 	github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260417092244-81c71b39e981
 	github.com/openstack-k8s-operators/ovn-operator/api v0.0.0-20230418071801-b5843d9e05fb

go.sum

@@ -120,6 +120,8 @@ github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e h1:E1OdwSpqWuDPCedyU
 github.com/openshift/api v0.0.0-20250711200046-c86d80652a9e/go.mod h1:Shkl4HanLwDiiBzakv+con/aMGnVE2MAGvoKp5oyYUo=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260416122644-5476763a36b6 h1:117Gu9HCSu2tAp579WnCJ9QtnslH2qnPB8UFvn8ZpqE=
 github.com/openstack-k8s-operators/infra-operator/apis v0.6.1-0.20260416122644-5476763a36b6/go.mod h1:i7l8cihvFktd/LSuyvL2z6OcwauarQGoVhDMePL4VyI=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260417092244-81c71b39e981 h1:G0YU5B6AhXDy/46urlNjz6tMXmHGDdoslgucTIN3F30=
+github.com/openstack-k8s-operators/lib-common/modules/certmanager v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:GzD7Jc5o98ptJ97DSjhC0CQ6OiTP0PB/2qJqxYGcOH8=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260417092244-81c71b39e981 h1:v1viH0gmNb+AXMg/0GxDcj8VUTdjVLotfOIGrNyMxHk=
 github.com/openstack-k8s-operators/lib-common/modules/common v0.6.1-0.20260417092244-81c71b39e981/go.mod h1:I/VBXZLdjk8DUGsEbB+Ha72JBFYYntP7Pm2FpEto9K8=
 github.com/openstack-k8s-operators/lib-common/modules/test v0.6.1-0.20260417092244-81c71b39e981 h1:KAQ8T+Ri3JWgsyK1D6QybScMh6fpkYUUA+0ntnOiAl4=

internal/controller/ovncontroller_controller.go

@@ -39,6 +39,7 @@ import (
 
 	certmgrv1 "github.com/cert-manager/cert-manager/pkg/apis/certmanager/v1"
 	topologyv1 "github.com/openstack-k8s-operators/infra-operator/apis/topology/v1beta1"
+	certmanager "github.com/openstack-k8s-operators/lib-common/modules/certmanager"
 	"github.com/openstack-k8s-operators/lib-common/modules/common"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/condition"
 	"github.com/openstack-k8s-operators/lib-common/modules/common/configmap"
@@ -892,7 +893,13 @@ func (r *OVNControllerReconciler) reconcileNormal(ctx context.Context, instance
 			certName := ovncontroller.RbacCertName(nodeName)
 			nodeSystemIDs[nodeName] = systemID
 
-			certResult, certErr := ovncontroller.EnsureRbacCert(ctx, r.Client, r.Scheme, instance, certName, systemID, instance.Spec.OvnIssuerName, ovnServiceLabels)
+			_, certResult, certErr := certmanager.EnsureCert(ctx, helper, certmanager.CertificateRequest{
+				IssuerName: instance.Spec.OvnIssuerName,
+				CertName:   certName,
+				CommonName: &systemID,
+				Labels:     ovnServiceLabels,
+				Usages:     []certmgrv1.KeyUsage{certmgrv1.UsageClientAuth, certmgrv1.UsageDigitalSignature},
+			}, instance)
 			if certErr != nil {
 				return certResult, certErr
 			}

internal/ovncontroller/cert.go

@@ -92,7 +92,7 @@ func ConfigJob(
 		if systemID, ok := nodeSystemIDs[nodeName]; ok {
 			jobEnvVars["SYSTEM_ID"] = env.SetValue(systemID)
 
-			certSecretName := RbacCertName(nodeName)
+			certSecretName := RbacCertSecretName(nodeName)
 			volumes = append(volumes, corev1.Volume{
 				Name: "ovn-rbac-cert",
 				VolumeSource: corev1.VolumeSource{

internal/ovncontroller/configjob.go

@@ -36,6 +36,11 @@ func RbacCertName(nodeName string) string {
 	return fmt.Sprintf("ovn-controller-cert-%s", nodeName)
 }
 
+// RbacCertSecretName returns the Secret name created by cert-manager for a given node's RBAC certificate
+func RbacCertSecretName(nodeName string) string {
+	return "cert-" + RbacCertName(nodeName)
+}
+
 func getPhysicalNetworks(
 	instance *ovnv1.OVNController,
 ) string {

internal/ovncontroller/utils.go

@@ -37,6 +37,7 @@ import (
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	k8s_errors "k8s.io/apimachinery/pkg/api/errors"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/types"
 	"sigs.k8s.io/controller-runtime/pkg/client"
@@ -1185,6 +1186,21 @@ var _ = Describe("OVNController controller", func() {
 				Name:      OvnDbCertSecretName,
 				Namespace: namespace,
 			}))
+
+			issuer := &certmgrv1.Issuer{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      OvnIssuerName,
+					Namespace: namespace,
+				},
+				Spec: certmgrv1.IssuerSpec{
+					IssuerConfig: certmgrv1.IssuerConfig{
+						SelfSigned: &certmgrv1.SelfSignedIssuer{},
+					},
+				},
+			}
+			Expect(k8sClient.Create(ctx, issuer)).To(Succeed())
+			DeferCleanup(k8sClient.Delete, ctx, issuer)
+
 			dbs = CreateTLSOVNDBClusters(namespace, map[string][]string{}, 1)
 			DeferCleanup(DeleteOVNDBClusters, dbs)
 			northdName := CreateReadyOVNNorthd(namespace, GetDefaultOVNNorthdSpec())
@@ -1248,6 +1264,7 @@ var _ = Describe("OVNController controller", func() {
 
 			nodeName := daemonSetName.Name
 			certName := ovncontroller.RbacCertName(nodeName)
+			certSecretName := ovncontroller.RbacCertSecretName(nodeName)
 
 			// Wait for the Certificate CR to be created, then simulate
 			// cert-manager by creating the cert Secret
@@ -1256,7 +1273,7 @@ var _ = Describe("OVNController controller", func() {
 				Namespace: namespace,
 			})
 			DeferCleanup(k8sClient.Delete, ctx, th.CreateCertSecret(types.NamespacedName{
-				Name:      certName,
+				Name:      certSecretName,
 				Namespace: namespace,
 			}))
 
@@ -1296,7 +1313,7 @@ var _ = Describe("OVNController controller", func() {
 				// Check RBAC cert volume references the cert secret
 				hasRbacVolume := false
 				for _, v := range job.Spec.Template.Spec.Volumes {
-					if v.Name == "ovn-rbac-cert" && v.Secret != nil && v.Secret.SecretName == certName {
+					if v.Name == "ovn-rbac-cert" && v.Secret != nil && v.Secret.SecretName == certSecretName {
 						hasRbacVolume = true
 					}
 				}