---
# Self-signed CA for metrics server (for internal cluster communication)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: metrics-server-selfsigned-issuer
spec:
  selfSigned: {}
---
# CA Certificate for metrics server
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: metrics-server-ca
  namespace: metrics-server-system
spec:
  secretName: metrics-server-ca-secret
  commonName: "metrics-server-ca"
  isCA: true
  issuerRef:
    name: metrics-server-selfsigned-issuer
    kind: ClusterIssuer
---
# CA Issuer using the generated CA
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: metrics-server-ca-issuer
  namespace: metrics-server-system
spec:
  ca:
    secretName: metrics-server-ca-secret
---
# TLS Certificate for metrics server
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: metrics-server-certs
  namespace: metrics-server-system
spec:
  secretName: metrics-server-certs
  issuerRef:
    name: metrics-server-ca-issuer
    kind: Issuer
  commonName: metrics-server
  dnsNames:
  - metrics-server
  - metrics-server.metrics-server-system
  - metrics-server.metrics-server-system.svc
  - metrics-server.metrics-server-system.svc.cluster.local