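---
# PKI bootstrap for the webhook, built from four cert-manager resources:
#   self-signed Issuer -> root CA Certificate -> CA Issuer -> serving Certificate
# Every object is namespaced to the release namespace.
#
# Templated scalars are piped through `quote` so that a release name or helper
# output that looks like a number or boolean still renders as a YAML string.
# Label values and object names must be strings.

# Create a self-signed Issuer. Its only job is to sign the root CA certificate
# below; nothing else in this file references it.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "dnsimple-webhook.selfSignedIssuer" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . | quote }}
    chart: {{ include "dnsimple-webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  selfSigned: {}

---
# Generate the CA certificate used to sign certificates for the webhook.
# cert-manager stores the CA key pair in the Secret named by `secretName`, in
# the release namespace. Read access to that Secret is equivalent to being able
# to issue certificates under this CA, so it should be covered by the same RBAC
# restrictions as any other signing key.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "dnsimple-webhook.rootCACertificate" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . | quote }}
    chart: {{ include "dnsimple-webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  secretName: {{ include "dnsimple-webhook.rootCACertificate" . | quote }}
  # Long-lived trust anchor. `renewBefore` is not set, so cert-manager's
  # default renewal window applies.
  duration: 43800h  # 5y
  issuerRef:
    # No `kind` given, so this resolves to a namespaced Issuer.
    name: {{ include "dnsimple-webhook.selfSignedIssuer" . | quote }}
  commonName: "ca.dnsimple-webhook.cert-manager"
  # Marks the certificate as a CA so the Issuer below can sign with it.
  isCA: true

---
# Create an Issuer that uses the CA certificate generated above to issue
# certificates. It signs with the key held in the root CA Secret.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ include "dnsimple-webhook.rootCAIssuer" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . | quote }}
    chart: {{ include "dnsimple-webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  ca:
    secretName: {{ include "dnsimple-webhook.rootCACertificate" . | quote }}

---
# Finally, generate the serving certificate the webhook presents over TLS.
# NOTE(review): `privateKey.rotationPolicy` and `usages` are not set, so both
# follow the defaults of the installed cert-manager version. Set them
# explicitly if key regeneration on renewal or a restricted key usage is
# required.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "dnsimple-webhook.servingCertificate" . | quote }}
  namespace: {{ .Release.Namespace | quote }}
  labels:
    app: {{ include "dnsimple-webhook.name" . | quote }}
    chart: {{ include "dnsimple-webhook.chart" . | quote }}
    release: {{ .Release.Name | quote }}
    heritage: {{ .Release.Service | quote }}
spec:
  secretName: {{ include "dnsimple-webhook.servingCertificate" . | quote }}
  duration: 8760h  # 1y
  issuerRef:
    # No `kind` given, so this resolves to a namespaced Issuer.
    name: {{ include "dnsimple-webhook.rootCAIssuer" . | quote }}
  # SANs cover the short, namespace-qualified and `.svc` names built from the
  # chart's fullname helper. A client that dials any other hostname will fail
  # certificate verification.
  dnsNames:
    - {{ include "dnsimple-webhook.fullname" . | quote }}
    - {{ printf "%s.%s" (include "dnsimple-webhook.fullname" .) .Release.Namespace | quote }}
    - {{ printf "%s.%s.svc" (include "dnsimple-webhook.fullname" .) .Release.Namespace | quote }}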