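---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates.
# NOTE(review): certmanager.k8s.io/v1alpha1 is the legacy cert-manager API
# group; confirm the target cluster's cert-manager release still serves it.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: {{ include "example-webhook.selfSignedIssuer" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "example-webhook.name" . }}
    chart: {{ include "example-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: {{ include "example-webhook.rootCACertificate" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "example-webhook.name" . }}
    chart: {{ include "example-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  # The CA key pair is stored in this Secret; the rootCAIssuer below reads it.
  secretName: {{ include "example-webhook.rootCACertificate" . }}
  duration: 43800h  # 5y (5 * 365 * 24h)
  issuerRef:
    name: {{ include "example-webhook.selfSignedIssuer" . }}
  commonName: "ca.example-webhook.cert-manager"
  isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: {{ include "example-webhook.rootCAIssuer" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "example-webhook.name" . }}
    chart: {{ include "example-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  ca:
    secretName: {{ include "example-webhook.rootCACertificate" . }}
---
# Finally, generate a serving certificate for the webhook to use.
apiVersion: certmanager.k8s.io/v1alpha1
kind: Certificate
metadata:
  name: {{ include "example-webhook.servingCertificate" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "example-webhook.name" . }}
    chart: {{ include "example-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  secretName: {{ include "example-webhook.servingCertificate" . }}
  duration: 8760h  # 1y (365 * 24h)
  issuerRef:
    name: {{ include "example-webhook.rootCAIssuer" . }}
  # SANs cover the short, namespaced and ".svc" in-cluster DNS forms of the
  # webhook Service name so callers inside the cluster can verify the cert.
  dnsNames:
    - {{ include "example-webhook.fullname" . }}
    - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}
    - {{ include "example-webhook.fullname" . }}.{{ .Release.Namespace }}.svc
# Optional ACME ClusterIssuer. The opening action deliberately has no trailing
# "-}}": a right-trim here would swallow the newline before "---" and glue the
# document separator onto the ".svc" line above when the block is enabled.
{{- if .Values.clusterIssuer.enabled }}
---
apiVersion: certmanager.k8s.io/v1alpha1
kind: ClusterIssuer
metadata:
  name: {{ include "example-webhook.clusterIssuer" . }}
  # NOTE(review): ClusterIssuer is cluster-scoped, so this namespace is
  # presumably ignored by the API server — kept for compatibility, confirm.
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "example-webhook.name" . }}
    chart: {{ include "example-webhook.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  acme:
    # Staging issues untrusted certificates but has far looser rate limits;
    # use it while validating the DNS01 webhook before switching to production.
    {{- if .Values.clusterIssuer.staging }}
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    {{- else }}
    server: https://acme-v02.api.letsencrypt.org/directory
    {{- end }}
    # Quoted so an empty or unusual value renders as a string, not null/bool.
    email: {{ .Values.clusterIssuer.email | quote }}
    # ACME account private key; cert-manager creates this Secret if absent.
    privateKeySecretRef:
      name: {{ include "example-webhook.fullname" . }}-letsencrypt
    solvers:
      - dns01:
          webhook:
            groupName: {{ .Values.groupName | quote }}
            solverName: dnspod
            config:
              # Left unquoted on purpose: the webhook's config schema decides
              # whether apiID is numeric or a string — TODO confirm against
              # the solver before changing its type.
              apiID: {{ required ".Values.secrets.apiID is required" .Values.secrets.apiID }}
              # The API token is only ever referenced by Secret name/key and is
              # never rendered into the ClusterIssuer manifest.
              apiTokenSecretRef:
                key: api-token
                name: {{ include "example-webhook.fullname" . }}-secret
{{- end }}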