56 lines
2.3 KiB
YAML
56 lines
2.3 KiB
YAML
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.enabled -}}
|
|
{{- if not .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef -}}
|
|
# Create a selfsigned Issuer, in order to create a root CA certificate for
|
|
# signing webhook serving certificates
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Issuer
|
|
metadata:
|
|
name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
|
|
namespace: {{ template "kube-prometheus-stack.namespace" . }}
|
|
spec:
|
|
selfSigned: {}
|
|
---
|
|
# Generate a CA Certificate used to sign certificates for the webhook
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
|
|
namespace: {{ template "kube-prometheus-stack.namespace" . }}
|
|
spec:
|
|
secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
|
|
duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.rootCert.duration | default "43800h0m0s" | quote }}
|
|
issuerRef:
|
|
name: {{ template "kube-prometheus-stack.fullname" . }}-self-signed-issuer
|
|
commonName: "ca.webhook.kube-prometheus-stack"
|
|
isCA: true
|
|
---
|
|
# Create an Issuer that uses the above generated CA certificate to issue certs
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Issuer
|
|
metadata:
|
|
name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
|
|
namespace: {{ template "kube-prometheus-stack.namespace" . }}
|
|
spec:
|
|
ca:
|
|
secretName: {{ template "kube-prometheus-stack.fullname" . }}-root-cert
|
|
{{- end }}
|
|
---
|
|
# generate a server certificate for the apiservices to use
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: {{ template "kube-prometheus-stack.fullname" . }}-admission
|
|
namespace: {{ template "kube-prometheus-stack.namespace" . }}
|
|
spec:
|
|
secretName: {{ template "kube-prometheus-stack.fullname" . }}-admission
|
|
duration: {{ .Values.prometheusOperator.admissionWebhooks.certManager.admissionCert.duration | default "8760h0m0s" | quote }}
|
|
issuerRef:
|
|
{{- if .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef }}
|
|
{{- toYaml .Values.prometheusOperator.admissionWebhooks.certManager.issuerRef | nindent 4 }}
|
|
{{- else }}
|
|
name: {{ template "kube-prometheus-stack.fullname" . }}-root-issuer
|
|
{{- end }}
|
|
dnsNames:
|
|
{{- include "kube-prometheus-stack.operator.admission-webhook.dnsNames" . | splitList "\n" | toYaml | nindent 4 }}
|
|
{{- end -}}
|