{{- if .Values.localCA.enabled }}
{{- if .Values.localCA.selfsigning }}

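# KubeZero / Local cluster CA
# Bootstrap issuer, used in this file to sign the kubezero-local-ca root
# Certificate defined in the next document.
# The resources are serialized via waves in Argo (10 -> 11 -> 12).
#
# ClusterIssuer is a cluster-scoped kind, so metadata.namespace is left out:
# the issuer is not confined to the release namespace and can be referenced
# by Certificate resources in any namespace.
# NOTE(review): a selfSigned issuer signs whatever is requested from it,
# including isCA certificates. Confirm that RBAC (or an approval policy)
# limits who may create Certificate / CertificateRequest objects.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kubezero-selfsigning-issuer
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
  annotations:
    argocd.argoproj.io/sync-wave: "10"
spec:
  selfSigned: {}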
---
# Root CA certificate for the cluster-local CA. It is signed by the
# kubezero-selfsigning-issuer (i.e. self-signed) and its key pair is written
# to the Secret kubezero-ca-tls in the release namespace, which the
# kubezero-local-ca-issuer below consumes.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kubezero-local-ca
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
  annotations:
    # Wave 11: after the self-signing issuer (10), before the CA issuer (12).
    argocd.argoproj.io/sync-wave: "11"
spec:
  # Holds the CA private key; read access to this Secret is equivalent to
  # being able to mint certificates trusted by everything that trusts this CA.
  secretName: kubezero-ca-tls
  commonName: "kubezero-local-ca"
  isCA: true
  # NOTE(review): no duration / renewBefore is set, so cert-manager's defaults
  # apply (presumably a 90-day lifetime - confirm for the deployed version).
  # Consumers that pin this root need a plan for picking up the renewed cert.
  issuerRef:
    name: kubezero-selfsigning-issuer
    kind: ClusterIssuer
  # NOTE(review): "any" is the broadest key-usage value. A CA that only signs
  # certificates would normally carry just "cert sign" / "crl sign". Changing
  # the spec is likely to trigger re-issuance of the root, so treat narrowing
  # it as a planned CA rotation rather than a drive-by edit.
  usages:
  - "any"
---

{{ else }}
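# Externally supplied CA (localCA.selfsigning disabled): the key pair is taken
# from chart values and stored under the same Secret name the self-signed
# path would produce, so the CA issuer below works with either branch.
#
# The CA private key passes through Helm values here, which means it is
# present wherever those values are stored or rendered.
# NOTE(review): keep the values source encrypted / access-controlled, and
# restrict read access to this Secret - it can mint certificates for this CA.
#
# required fails the render with a clear message instead of emitting a Secret
# with an empty tls.crt / tls.key; quote keeps the rendered value a YAML
# string in every case.
apiVersion: v1
kind: Secret
metadata:
  name: kubezero-ca-tls
  namespace: {{ .Release.Namespace }}
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
data:
  tls.crt: {{ required "localCA.ca.crt must be set when localCA.selfsigning is disabled" .Values.localCA.ca.crt | b64enc | quote }}
  tls.key: {{ required "localCA.ca.key must be set when localCA.selfsigning is disabled" .Values.localCA.ca.key | b64enc | quote }}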
---
{{- end }}

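# Cluster-wide issuer that signs leaf certificates with the CA key pair held
# in the Secret kubezero-ca-tls (created by either branch above).
#
# ClusterIssuer is a cluster-scoped kind, so metadata.namespace is left out:
# Certificate resources in any namespace can request certificates from it.
# NOTE(review): confirm RBAC / approval policy limits who may create
# Certificate / CertificateRequest objects, since this issuer will sign for
# any requested name.
# NOTE(review): cert-manager resolves a ClusterIssuer's ca.secretName in its
# cluster resource namespace; the Secret in this file is created in the
# release namespace - confirm the two are the same.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: kubezero-local-ca-issuer
  labels:
{{ include "kubezero-lib.labels" . | indent 4 }}
  annotations:
    # Wave 12: after the CA Certificate (11) has produced the Secret.
    argocd.argoproj.io/sync-wave: "12"
spec:
  ca:
    secretName: kubezero-ca-tls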
{{- end }}