{{- /*
  Values handed to the cert-manager sub-chart by the kubezero app wrapper.
  Platform-specific pieces (aws / gke) are only emitted when
  .Values.global.platform matches; everything else is unconditional.
*/}}
{{- define "cert-manager-values" }}
localCA:
  enabled: true

cert-manager:
  {{- /* single replica without HA: avoid two controllers during a rollout */}}
  {{- if not .Values.global.highAvailable }}
  strategy:
    type: Recreate
  {{- end }}

  {{- if eq .Values.global.platform "aws" }}
  # controller, webhook and cainjector are all pinned to control-plane nodes
  nodeSelector:
    node-role.kubernetes.io/control-plane: ""
  tolerations:
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

  webhook:
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule

  cainjector:
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""
    tolerations:
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule

  {{- /*
    Web-identity federation for the DNS01 solver: the SDK picks up the role
    via AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE. The token is a projected
    service-account token bound to the sts.amazonaws.com audience, rotated
    every 24h and mounted read-only, so no long-lived key is stored in values.
  */}}
  {{- with index .Values "cert-manager" "IamArn" }}
  extraEnv:
    - name: AWS_ROLE_ARN
      value: "{{ . }}"
    - name: AWS_WEB_IDENTITY_TOKEN_FILE
      value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
    - name: AWS_STS_REGIONAL_ENDPOINTS
      value: "regional"
  volumes:
    - name: aws-token
      projected:
        sources:
          - serviceAccountToken:
              path: token
              expirationSeconds: 86400
              audience: "sts.amazonaws.com"
  volumeMounts:
    - name: aws-token
      mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
      readOnly: true
  {{- end }}
  {{- end }}

  {{- if eq .Values.global.platform "gke" }}
  # Workload Identity binding for the DNS01 solver service account
  serviceAccount:
    annotations:
      iam.gke.io/gcp-service-account: "dns01-solver@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com"
  {{- end }}

  # NOTE(review): renders as null (falsy) if metrics.enabled is unset — confirm the umbrella values define it
  prometheus:
    servicemonitor:
      enabled: {{ $.Values.metrics.enabled }}

{{- /* optional ClusterIssuer spec passed through verbatim from values */}}
{{- with index .Values "cert-manager" "clusterIssuer" }}
clusterIssuer:
  {{- . | toYaml | nindent 2 }}
{{- end }}
{{- end }}

{{- define "cert-manager-argo" }}
{{- end }}

{{ include "kubezero-app.app" . }}