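{{- if .Values.admissionWebhooks.certManager.enabled -}}

# Certificate chain for the admission webhook, managed by cert-manager:
#   self-signed Issuer -> root CA Certificate -> CA Issuer -> serving Certificate
# All four objects are namespaced and must live in the same namespace, because
# a namespaced Issuer only reads its CA Secret from its own namespace. The
# namespace is therefore set explicitly on every object instead of relying on
# the installer's default.
# More documentation can be found at https://docs.cert-manager.io
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ template "kubevela.fullname" . }}-self-signed-issuer
  namespace: {{ .Release.Namespace | quote }}
spec:
  selfSigned: {}

---
# Root CA certificate used to sign the webhook serving certificate.
# The Secret named in secretName holds the CA private key: anyone who can read
# Secrets in this namespace can issue certificates that any client trusting
# this CA will accept. Keep RBAC on this Secret as narrow as possible.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ template "kubevela.fullname" . }}-root-cert
  namespace: {{ .Release.Namespace | quote }}
spec:
  secretName: {{ template "kubevela.fullname" . }}-root-cert
  duration: 43800h # 5y
  revisionHistoryLimit: {{ .Values.admissionWebhooks.certManager.revisionHistoryLimit }}
  issuerRef:
    name: {{ template "kubevela.fullname" . }}-self-signed-issuer
  commonName: "ca.webhook.kubevela"
  isCA: true

---
# Issuer that signs with the root CA generated above (reads the same Secret).
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ template "kubevela.fullname" . }}-root-issuer
  namespace: {{ .Release.Namespace | quote }}
spec:
  ca:
    secretName: {{ template "kubevela.fullname" . }}-root-cert

---
# Serving certificate for the webhook Service, signed by the root issuer above.
# NOTE(review): `usages` is not set, so cert-manager's defaults apply; consider
# pinning it to what a TLS server certificate needs (e.g. `server auth`).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ template "kubevela.fullname" . }}-admission
  namespace: {{ .Release.Namespace | quote }}
spec:
  secretName: {{ template "kubevela.fullname" . }}-admission
  duration: 8760h # 1y
  revisionHistoryLimit: {{ .Values.admissionWebhooks.certManager.revisionHistoryLimit }}
  issuerRef:
    name: {{ template "kubevela.fullname" . }}-root-issuer
  # In-cluster DNS names of the webhook Service; the certificate is valid
  # only for these names.
  dnsNames:
    - {{ template "kubevela.name" . }}-webhook.{{ .Release.Namespace }}.svc
    - {{ template "kubevela.name" . }}-webhook.{{ .Release.Namespace }}.svc.cluster.local

{{- end }}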