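---
# Bootstrap issuer: used only to self-sign the root CA certificate below.
# NOTE(review): the two Issuers and the root Certificate carry no
# metadata.namespace, while the leaf Certificates pin `namespace: default`.
# A namespaced Issuer only serves Certificates in its own namespace, so these
# documents presumably have to be applied to `default` as well. Confirm.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: trust-manager-selfsigned-issuer
spec:
  selfSigned: {}
---
# Root CA for the in-cluster PKI. The CA private key is stored in
# zitadel-root-certificate-ca-secret; any principal able to read that Secret
# can mint certificates that every consumer of the trust bundle will accept,
# so read access to it should be limited to cert-manager.
# NOTE(review): no duration/renewBefore is set, so cert-manager's default
# lifetime applies (90 days per the cert-manager docs), which is shorter than
# the 8760h leaf certificates below. Set an explicit CA lifetime longer than
# the leaves and plan how consumers pick up a renewed root.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: zitadel-root-certificate
spec:
  isCA: true
  commonName: zitadel-root-certificate-ca
  secretName: zitadel-root-certificate-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: trust-manager-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# CA issuer that signs the workload certificates with the root CA key.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: zitadel-ca-issuer
spec:
  ca:
    secretName: zitadel-root-certificate-ca-secret
---
# Trust bundle distributed as a ConfigMap: the default public CAs plus the
# root CA certificate. Only `tls.crt` (the public certificate) is read from
# the Secret; the private key is not copied into the bundle.
# NOTE(review): trust-manager reads source Secrets from its configured trust
# namespace. Verify the CA Secret is created there. No namespaceSelector is
# set on the target, so check which namespaces receive the ConfigMap.
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: in-cluster-trust-bundle
spec:
  sources:
    - useDefaultCAs: true
    - secret:
        name: "zitadel-root-certificate-ca-secret"
        key: "tls.crt"
  target:
    configMap:
      key: "trust-bundle.pem"
---
# Certificate for PostgreSQL
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-certificate
  namespace: default
spec:
  duration: 8760h  # 1 year
  renewBefore: 720h  # 30 days
  commonName: "db-postgresql"
  # NOTE(review): this SAN list is identical to the one on zitadel-certificate,
  # so this key can present a certificate that is also valid for the name
  # "zitadel". Limit dnsNames to the names this workload actually serves.
  dnsNames:
    - "postgresql"
    - "db-postgresql"
    - "zitadel"
  secretName: postgres-cert
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  # `digital signature` is required for TLS 1.3 and (EC)DHE cipher suites,
  # where the handshake is authenticated by a signature from this key. Key
  # encipherment alone only covers static-RSA key exchange, which offers no
  # forward secrecy.
  # NOTE(review): no extended key usage (`server auth` / `client auth`) is
  # listed, so the certificate is not restricted to one TLS role, and
  # `data encipherment` is not needed for TLS. Confirm the role and trim.
  usages:
    - digital signature
    - key encipherment
    - data encipherment
  issuerRef:
    name: zitadel-ca-issuer
    kind: Issuer
---
# Certificate for Zitadel
# NOTE(review): commonName "zitadel" presumably doubles as the PostgreSQL
# client identity (certificate CN mapped to a database user). Confirm against
# the database's authentication configuration.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: zitadel-certificate
  namespace: default
spec:
  duration: 8760h  # 1 year
  renewBefore: 720h  # 30 days
  commonName: "zitadel"
  # NOTE(review): this SAN list is identical to the one on postgres-certificate,
  # so this key can present a certificate that is also valid for the database
  # hostnames. Limit dnsNames to the names this workload actually serves.
  dnsNames:
    - "postgresql"
    - "db-postgresql"
    - "zitadel"
  secretName: zitadel-cert
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048
  # `digital signature` is required for TLS 1.3 and (EC)DHE cipher suites and
  # for proving possession of the key in TLS client authentication.
  # NOTE(review): no extended key usage (`server auth` / `client auth`) is
  # listed, so the certificate is not restricted to one TLS role, and
  # `data encipherment` is not needed for TLS. Confirm the role and trim.
  usages:
    - digital signature
    - key encipherment
    - data encipherment
  issuerRef:
    name: zitadel-ca-issuer
    kind: Issuer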