1. Proposed title of this feature request

Mechanism to manage OCP North-South IPsec certificates, in host NSS DB, by syncing them from CRs to host

2. What is the nature and description of the request?

Customer wants to be able to utilize cert-mgr to manage N-S IPsec certs. They are already using cert-mgr for many other needs and are struggling to manage N-S IPsec certs by other means (jobs/ MachineConfig/ other)

by manage we mean: generate, rotate, revoke, alerts, etc.

N-S IPsec uses libreswan on the RHCOS node. Libreswan reads the cers from an on disk file (NSS DB).
We would like to suggest a new optional component, as part of cert-mgr d/s packages, that will sync certs CRs created by cert-mgr from cluster to relevant hosts NSS DB, creating a seamless experience for customers where they manage all their certificates in the same way

3. Why does the customer need this? (List the business requirements here)

The existing solution is cumbersome and error prone, basically we moved the problem of managing the certs off are hands and onto the customer. and are missing a proper cloud-native, declarative, solution.

Customers are used to and know how to work with cert-mgr,
Integration with cert-mgr will enable:

• ease of use
• less downtime (if comparing to MC which incur reboot of each node)
• unified mgmt for all certs
• less error prone
• re use the existing cert-mgr declerative API for N-S IPsec

4. List any affected packages or components.

• OCP ovn-k
• cert-mgr
• libreswan
• nmstate