{{/* Make sure all variables are set properly */}} {{- include "k8s-ycl.init" . -}} --- # Create a selfsigned Issuer, in order to create a root CA certificate for # signing webhook serving certificates apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "k8s-ycl.selfSignedIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }} spec: selfSigned: {} --- # Generate a CA Certificate used to sign certificates for the webhook apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "k8s-ycl.rootCACertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }} spec: secretName: {{ include "k8s-ycl.rootCACertificate" . }} duration: 43800h # 5y issuerRef: name: {{ include "k8s-ycl.selfSignedIssuer" . }} kind: Issuer commonName: "ca.k8s-ycl.cert-manager" isCA: true --- # Create an Issuer that uses the above generated CA certificate to issue certs apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: {{ include "k8s-ycl.rootCAIssuer" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }} spec: ca: secretName: {{ include "k8s-ycl.rootCACertificate" . }} --- # Finally, generate a serving certificate for the webhook to use apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: {{ include "k8s-ycl.servingCertificate" . }} namespace: {{ .Release.Namespace | quote }} labels: {{- include "bjw-s.common.lib.metadata.allLabels" . | nindent 4 }} spec: secretName: {{ include "k8s-ycl.servingCertificate" . }} duration: 8760h # 1y issuerRef: name: {{ include "k8s-ycl.rootCAIssuer" . }} kind: Issuer dnsNames: - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook.{{ .Release.Namespace }} - {{ include "bjw-s.common.lib.chart.names.fullname" . }}-webhook.{{ .Release.Namespace }}.svc