{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled -}}
{{- if not .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef -}}
# Create a selfsigned Issuer, in order to create a root CA certificate for
# signing webhook serving certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec:
  selfSigned: {}
---
# Generate a CA Certificate used to sign certificates for the webhook
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec:
  secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
  duration: 43800h0m0s # 5y
  issuerRef:
    name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
  commonName: "ca.webhook.kube-prometheus-stack"
  isCA: true
---
# Create an Issuer that uses the above generated CA certificate to issue certs
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec:
  ca:
    secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
{{- end }}
---
# generate a serving certificate for the apiservices to use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ template "kube-prometheus-stack.fullname" . }}-admission
  namespace: {{ template "kube-prometheus-stack.namespace" . }}
spec:
  secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
  duration: 8760h0m0s # 1y
  issuerRef:
    {{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }}
    {{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }}
    {{- else }}
    name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
    {{- end }}
  dnsNames:
  - {{ template "kube-prometheus-stack.operator.fullname" . }}
  - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}
  - {{ template "kube-prometheus-stack.operator.fullname" . }}.{{ template "kube-prometheus-stack.namespace" . }}.svc
{{- end -}}