---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ instance_name }}-selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ instance_name }}-ca-cert
spec:
  # Secret names are always required.
  secretName: {{ instance_name }}-ca-cert
  duration: 87600h # 10y
  renewBefore: 360h # 15d
  isCA: true
  privateKey:
    size: 2048
    algorithm: RSA
    encoding: PKCS1
  commonName: cacert
  # At least one of a DNS Name, URI, or IP address is required.
  dnsNames:
  - caroot
  # Issuer references are always required.
  issuerRef:
    name: {{ instance_name }}-selfsigned-issuer
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: {{ instance_name }}-ca-issuer
spec:
  ca:
    secretName: {{ instance_name }}-ca-cert