# Self-signed Issuer for webhook TLS.
# For production, replace with a ClusterIssuer backed by a real CA.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# cert-manager Certificate for the webhook TLS.
# The resulting Secret (gitlab-sizer-webhook-tls) is mounted into the webhook pod.
# cert-manager also injects the CA into the MutatingWebhookConfiguration via the
# cert-manager.io/inject-ca-from annotation.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: gitlab-sizer-webhook-cert
spec:
  secretName: gitlab-sizer-webhook-tls
  issuerRef:
    name: selfsigned-issuer
    kind: Issuer
  dnsNames:
    - gitlab-sizer-webhook.ci-sizer.svc
    - gitlab-sizer-webhook.ci-sizer.svc.cluster.local
  duration: 8760h
  renewBefore: 720h