# CA chain configuration for Cert-Manager
# TODO: sign the internal K3s Root CA using Cert-Manager Root CA or a dedicated local CA - see https://docs.k3s.io/cli/certificate#certificate-authority-ca-certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: root-ca
  subject:
    organizations:
      - HVP
    organizationalUnits:
      - Infrastructure
  secretName: root-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  duration: 87600h # 3650d
  renewBefore: 3600h # 150d
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: root-ca-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: root-ca-secret
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: sub-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: sub-ca
  subject:
    organizations:
      - HVP
    organizationalUnits:
      - Infrastructure
  secretName: sub-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  duration: 8760h # 365d
  renewBefore: 720h # 30d
  issuerRef:
    name: root-ca-issuer
    kind: Issuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: sub-ca-cluster-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: sub-ca-secret