{{- if and .Values.api7.enabled .Values.api7.tls.enabled .Values.api7.tls.certManager.enabled }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "api7ee.fullname" . }}-tls
  labels:
    {{- include "api7ee.labels" . | nindent 4 }}
spec:
  secretName: {{ .Values.api7.tls.secretName | default (printf "%s-tls" (include "api7ee.fullname" .)) }}
  issuerRef:
    name: {{ .Values.api7.tls.certManager.issuer }}
    kind: {{ .Values.api7.tls.certManager.issuerKind | default "ClusterIssuer" }}
  commonName: {{ first .Values.api7.hosts }}
  dnsNames:
    {{- range .Values.api7.hosts }}
    - {{ . | quote }}
    {{- end }}
  privateKey:
    algorithm: {{ .Values.api7.tls.privateKey.algorithm | default "RSA" }}
    encoding: PKCS1
    size: {{ .Values.api7.tls.privateKey.size | default 2048 }}
    rotationPolicy: {{ .Values.api7.tls.privateKey.rotationPolicy | default "Always" }}
  usages:
    - digital signature
    - key encipherment
    - server auth
    - client auth
  duration: {{ .Values.api7.tls.duration | default "2160h" }}
  renewBefore: {{ .Values.api7.tls.renewBefore | default "720h" }}
{{- end }}