apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: epinio
  namespace: {{ .Release.Namespace }}
spec:
  dnsNames:
  - epinio.{{ .Values.global.domain }}
  issuerRef:
    kind: ClusterIssuer
    name: {{ default .Values.global.tlsIssuer .Values.global.customTlsIssuer | quote }}
  secretName: epinio-tls

{{- if .Values.minio.enabled }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: minio-cert
  namespace: {{ .Release.Namespace }}
spec:
  dnsNames:
  - {{ include "epinio.minio-hostname" . }}
  issuerRef:
    kind: ClusterIssuer
    # We always trust the CA for minio so we can always use selfsigned certs
    # Because Letsencrypt doesn't create certs for non public domains
    name: epinio-ca
  secretName: minio-tls
  secretTemplate:
    annotations:
      kubed.appscode.com/sync: "kubed-s3-tls-from={{ .Release.Namespace }}"
{{- end }}

---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: epinio-ca
  namespace: {{ .Values.certManagerNamespace }}
spec:
  commonName: epinio-ca
  isCA: true
  issuerRef:
    kind: ClusterIssuer
    name: selfsigned-issuer
  privateKey:
    algorithm: ECDSA
    size: 256
  secretName: epinio-ca-root