---
# Self-signed ClusterIssuer for internal TLS certificates
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: pixelfed-selfsigned-issuer
  namespace: pixelfed-application
spec:
  selfSigned: {}
---
# CA Certificate for internal use
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pixelfed-ca-cert
  namespace: pixelfed-application
spec:
  secretName: pixelfed-ca-secret
  commonName: "Pixelfed Internal CA"
  isCA: true
  issuerRef:
    name: pixelfed-selfsigned-issuer
    kind: Issuer
    group: cert-manager.io
---
# CA Issuer using the generated CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: pixelfed-ca-issuer
  namespace: pixelfed-application
spec:
  ca:
    secretName: pixelfed-ca-secret
---
# Internal TLS Certificate for pixelfed backend
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pixelfed-internal-tls
  namespace: pixelfed-application
spec:
  secretName: pixelfed-internal-tls-secret
  commonName: pixelfed.keyboardvagabond.com
  dnsNames:
  - pixelfed.keyboardvagabond.com
  - pixelfed-web.pixelfed-application.svc.cluster.local
  - pixelfed-web
  - localhost
  issuerRef:
    name: pixelfed-ca-issuer
    kind: Issuer
    group: cert-manager.io