---
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "cert-manager-webhook-njalla.selfSignedIssuer" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-njalla.name" . }}
    chart: {{ include "cert-manager-webhook-njalla.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  selfSigned: {}

---

# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "cert-manager-webhook-njalla.rootCACertificate" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-njalla.name" . }}
    chart: {{ include "cert-manager-webhook-njalla.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  secretName: {{ include "cert-manager-webhook-njalla.rootCACertificate" . }}
  duration: 43800h # 5y
  issuerRef:
    name: {{ include "cert-manager-webhook-njalla.selfSignedIssuer" . }}
  commonName: "ca.cert-manager-webhook-njalla.cert-manager"
  isCA: true

---

# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "cert-manager-webhook-njalla.rootCAIssuer" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-njalla.name" . }}
    chart: {{ include "cert-manager-webhook-njalla.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  ca:
    secretName: {{ include "cert-manager-webhook-njalla.rootCACertificate" . }}

---

# Finally, generate a serving certificate for the webhook to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "cert-manager-webhook-njalla.servingCertificate" . }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "cert-manager-webhook-njalla.name" . }}
    chart: {{ include "cert-manager-webhook-njalla.chart" . }}
    release: {{ .Release.Name }}
    heritage: {{ .Release.Service }}
spec:
  secretName: {{ include "cert-manager-webhook-njalla.servingCertificate" . }}
  duration: 8760h # 1y
  issuerRef:
    name: {{ include "cert-manager-webhook-njalla.rootCAIssuer" . }}
  dnsNames:
  - {{ include "cert-manager-webhook-njalla.fullname" . }}
  - {{ include "cert-manager-webhook-njalla.fullname" . }}.{{ .Release.Namespace }}
  - {{ include "cert-manager-webhook-njalla.fullname" . }}.{{ .Release.Namespace }}.svc