{{- if and .Values.global.enableSecurity (not .Values.certificates.externalCertificates.enabled)}}
apiVersion: cert-manager.io/v1{{ if .Values.global.certificates.alphacrds }}alpha1{{ end }}
kind: Certificate
metadata:
  name: {{ template "seaweedfs.name" . }}-master-cert
  namespace: {{ .Release.Namespace }}
  labels:
    app.kubernetes.io/name: {{ template "seaweedfs.name" . }}
    helm.sh/chart: {{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/component: master
spec:
  secretName: {{ template "seaweedfs.name" . }}-master-cert
  issuerRef:
    name: {{ template "seaweedfs.name" . }}-ca-issuer
    kind: Issuer
  commonName: {{ .Values.certificates.commonName }}
  subject:
    organizations:
    - "SeaweedFS CA"
  dnsNames:
    - '*.{{ .Release.Namespace }}'
    - '*.{{ .Release.Namespace }}.svc'
    - '*.{{ .Release.Namespace }}.svc.cluster.local'
    - '*.{{ template "seaweedfs.name" . }}-master'
    - '*.{{ template "seaweedfs.name" . }}-master.{{ .Release.Namespace }}'
    - '*.{{ template "seaweedfs.name" . }}-master.{{ .Release.Namespace }}.svc'
    - '*.{{ template "seaweedfs.name" . }}-master.{{ .Release.Namespace }}.svc.cluster.local'
{{- if .Values.certificates.ipAddresses }}
  ipAddresses:
    {{- range .Values.certificates.ipAddresses }}
    - {{ . }}
    {{- end }}
{{- end }}
  privateKey:
    algorithm: {{ .Values.certificates.keyAlgorithm }}
    size: {{ .Values.certificates.keySize }}
  duration: {{ .Values.certificates.duration }}
  renewBefore: {{ .Values.certificates.renewBefore }}
{{- end }}