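---
# CA key pair that backs the cert-manager Issuer below. The key material comes
# from the chart's "vault.gen-certs" helper (defined elsewhere in the chart,
# not in this file) and is stored as a kubernetes.io/tls Secret.
#
# Helm hook resources are not tracked as part of the release: the pre-install
# hook only runs on a fresh install (so the CA stays stable across upgrades),
# and before-hook-creation deletes the previous Secret only when the hook runs
# again. The CA private key can therefore outlive `helm uninstall`; remove it
# deliberately once the release is gone.
apiVersion: v1
kind: Secret
type: kubernetes.io/tls
metadata:
  # Templated scalars are quoted so an empty expansion renders as "" rather
  # than null and so values never trip YAML implicit typing.
  name: "{{ template "vault.name" . }}-ca"
  namespace: "{{ .Release.Namespace }}"
  labels:
    app: "{{ template "vault.name" . }}"
    chart: "{{ template "vault.chart" . }}"
    heritage: "{{ .Release.Service }}"
    release: "{{ .Release.Name }}"
  annotations:
    "helm.sh/hook": "pre-install"
    "helm.sh/hook-delete-policy": "before-hook-creation"
data:
{{ ( include "vault.gen-certs" . ) | indent 2 }}
---
# Namespaced Issuer signing with the CA Secret created above. An Issuer (as
# opposed to a ClusterIssuer) can only sign Certificates in its own namespace.
apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: ca-issuer
  namespace: "{{ .Release.Namespace }}"
spec:
  ca:
    secretName: "{{ template "vault.name" . }}-ca"
---
# Server certificate for the Vault service, signed by ca-issuer.
#
# NOTE(review): cert-manager.io/v1alpha2 is a legacy API (removed in
# cert-manager 1.6). On cert-manager.io/v1 keySize/keyAlgorithm/keyEncoding
# live under spec.privateKey and organization under spec.subject.organizations;
# confirm the installed cert-manager version before relying on this manifest.
apiVersion: cert-manager.io/v1alpha2
kind: Certificate
metadata:
  name: vault-server-tls
  namespace: "{{ .Release.Namespace }}"
spec:
  # Secret names are always required.
  secretName: vault-server-tls
  duration: 2160h  # 90d
  renewBefore: 360h  # 15d
  organization:
    - stx
  isCA: false
  keySize: 2048
  keyAlgorithm: rsa
  keyEncoding: pkcs1
  # "client auth" lets the same key pair be presented as a TLS client. If the
  # key is only ever used server-side, drop it so the key cannot be reused for
  # mTLS client identity.
  usages:
    - server auth
    - client auth
  # At least one of a DNS Name, URI, or IP address is required.
  # The two wildcard entries match every hostname under the internal service
  # and every pod DNS name in the release namespace, so any workload that can
  # read the vault-server-tls Secret can present a valid certificate for any
  # pod in the namespace to clients trusting this CA. Keep RBAC on that Secret
  # tight and narrow the wildcards if Vault's address set is known up front.
  dnsNames:
    - "sva-{{ template "vault.name" . }}"
    - "*.sva-{{ template "vault.name" . }}-internal"
    - "*.{{ .Release.Namespace }}.pod.cluster.local"
    - "sva-{{ template "vault.name" . }}.{{ .Release.Namespace }}"
    - "sva-{{ template "vault.name" . }}.{{ .Release.Namespace }}.svc"
    - "sva-{{ template "vault.name" . }}.{{ .Release.Namespace }}.svc.cluster.local"
  ipAddresses:
    - 127.0.0.1
  # Issuer references are always required.
  issuerRef:
    name: ca-issuer
    # We can reference ClusterIssuers by changing the kind here.
    # The default value is Issuer (i.e. a locally namespaced Issuer)
    kind: Issuer
    # This is optional since cert-manager will default to this value however
    # if you are using an external issuer, change this to that issuer group.
    group: cert-manager.io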