From cb0376360bf3a7e1adee2d392ab562bf7dd7bb9f Mon Sep 17 00:00:00 2001
From: Marco Kilchhofer
Date: Mon, 15 May 2023 23:48:47 +0200
Subject: [PATCH] chore: Simplify cert-manager certs and support existingIssuer

Signed-off-by: Marco Kilchhofer
---
 keda/README.md | 5 +++--
 .../40-cert-manager-self-issuer.yaml | 11 ----------
 keda/templates/41-cert-manager-self-ca.yaml | 22 -------------------
 .../42-cert-manager-keda-issuer.yaml | 5 ++---
 .../43-cert-manager-keda-tls-certificate.yaml | 5 +++++
 keda/templates/metrics-server/apiservice.yaml | 6 +----
 .../webhooks/validatingconfiguration.yaml | 6 +---
 keda/values.yaml | 9 ++++----
 8 files changed, 17 insertions(+), 52 deletions(-)
 delete mode 100644 keda/templates/40-cert-manager-self-issuer.yaml
 delete mode 100644 keda/templates/41-cert-manager-self-ca.yaml

diff --git a/keda/README.md b/keda/README.md
index 50a8e69e..6ac751c2 100644
--- a/keda/README.md
+++ b/keda/README.md
@@ -215,8 +215,9 @@ their default values.
 | `certificates.secretName` | Secret name to be mounted with KEDA TLS certificates | `kedaorg-certs` |
 | `certificates.mountPath` | Path where KEDA TLS certificates are mounted | `/certs` |
 | `certificates.certManager.enabled` | Enables Cert-manager for certificate management | `false` |
-| `certificates.certManager.generateCA` | Generates a self-signed CA with Cert-manager | `true` |
-| `certificates.certManager.caSecretName` | Secret name where the CA is stored (generatedby cert-manager or user given) | `kedaorg-ca` |
+| `certificates.certManager.existingIssuer.enabled` | Use an existing cert-manager issuer | `false` |
+| `certificates.certManager.existingIssuer.kind` | Kind of the existing cert-manager issuer | `ClusterIssuer` |
+| `certificates.certManager.existingIssuer.name` | Name of the existing cert-manager issuer | `""` |
 | `certificates.certManager.secretTemplate` | [Labels or annotations to add to the secret generated](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) by cert-manager | `{}` |
diff --git a/keda/templates/40-cert-manager-self-issuer.yaml b/keda/templates/40-cert-manager-self-issuer.yaml
deleted file mode 100644
index 708bedcc..00000000
--- a/keda/templates/40-cert-manager-self-issuer.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  annotations:
-    {{- toYaml .Values.additionalAnnotations | nindent 4 }}
-  name: {{ .Values.operator.name }}-selfsigned-issuer
-  namespace: {{ .Release.Namespace }}
-spec:
-  selfSigned: {}
-{{- end }}
\ No newline at end of file
diff --git a/keda/templates/41-cert-manager-self-ca.yaml b/keda/templates/41-cert-manager-self-ca.yaml
deleted file mode 100644
index 7bde59bc..00000000
--- a/keda/templates/41-cert-manager-self-ca.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: {{ .Values.operator.name }}-ca
-  namespace: {{ .Release.Namespace }}
-spec:
-  isCA: true
-  commonName: {{ .Values.operator.name }}
-  secretName: {{ .Values.certificates.certManager.caSecretName }}
-  secretTemplate:
-    {{- toYaml .Values.certificates.certManager.secretTemplate | nindent 4 }}
-  privateKey:
-    algorithm: RSA
-    size: 2048
-  duration: 8760h0m0s # 1 year
-  renewBefore: 5840h0m0s # 8 months
-  issuerRef:
-    name: {{ .Values.operator.name }}-selfsigned-issuer
-    kind: Issuer
-    group: cert-manager.io
-{{- end }}
\ No newline at end of file
diff --git a/keda/templates/42-cert-manager-keda-issuer.yaml b/keda/templates/42-cert-manager-keda-issuer.yaml
index 54bb1d80..1145b6ad 100644
--- a/keda/templates/42-cert-manager-keda-issuer.yaml
+++ b/keda/templates/42-cert-manager-keda-issuer.yaml
@@ -7,6 +7,5 @@ metadata:
   name: {{ .Values.operator.name }}-issuer
   namespace: {{ .Release.Namespace }}
 spec:
-  ca:
-    secretName: {{ .Values.certificates.certManager.caSecretName }}
-{{- end }}
\ No newline at end of file
+  selfSigned: {}
+{{- end }}
diff --git a/keda/templates/43-cert-manager-keda-tls-certificate.yaml b/keda/templates/43-cert-manager-keda-tls-certificate.yaml
index 8b4e210f..419f819d 100644
--- a/keda/templates/43-cert-manager-keda-tls-certificate.yaml
+++ b/keda/templates/43-cert-manager-keda-tls-certificate.yaml
@@ -28,7 +28,12 @@ spec:
   duration: 8760h0m0s # 1 year
   renewBefore: 5840h0m0s # 8 months
   issuerRef:
+    {{- if .Values.certificates.certManager.existingIssuer.enabled }}
+    name: {{ .Values.certificates.certManager.existingIssuer.name }}
+    kind: {{ .Values.certificates.certManager.existingIssuer.kind }}
+    {{- else }}
     name: {{ .Values.operator.name }}-issuer
     kind: Issuer
+    {{- end }}
     group: cert-manager.io
 {{- end }}
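Review bot: Replacing the `ca:` issuer with `selfSigned: {}` makes the KEDA leaf certificate its own trust anchor, so the `ca.crt` that the `inject-ca-from` annotations elsewhere in this patch copy into the APIService and webhook caBundle now changes on every renewal (the Certificate in 43-cert-manager-keda-tls-certificate.yaml renews after `renewBefore: 5840h0m0s`), whereas the removed CA/leaf split kept the anchor stable while the leaf rotated. As far as I recall cert-manager writes the self-signed certificate itself into `ca.crt` for a SelfSigned issuer, so this works, but it depends on cainjector re-syncing the caBundle promptly after each rotation and nothing in the template records that. Suggest a comment above `selfSigned: {}`: `# Self-signed leaf: its ca.crt is the cert itself, so the injected caBundle rotates with every renewal.` The enclosing `{{- if ... }}` of this template starts outside the hunk.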
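Review bot: When `existingIssuer.enabled` is true the new `name:` line renders the value verbatim, and values.yaml defaults it to `""`, so flipping the flag without setting a name yields an `issuerRef` with an empty name that cert-manager cannot reconcile instead of a failed `helm install`. Fail early with `name: {{ required "certificates.certManager.existingIssuer.name must be set when existingIssuer.enabled is true" .Values.certificates.certManager.existingIssuer.name }}`. `kind` is equally unchecked; if only `Issuer` and `ClusterIssuer` are meant, the README row or a comment on the `kind:` line should say so. The Certificate spec this `issuerRef` belongs to starts outside the hunk.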
diff --git a/keda/templates/metrics-server/apiservice.yaml b/keda/templates/metrics-server/apiservice.yaml
index 1d5b03c8..8d55cc7c 100644
--- a/keda/templates/metrics-server/apiservice.yaml
+++ b/keda/templates/metrics-server/apiservice.yaml
@@ -3,11 +3,7 @@ kind: APIService
 metadata:
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
-    {{- end }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- if .Values.additionalAnnotations }}
     {{- toYaml .Values.additionalAnnotations | nindent 4 }}
diff --git a/keda/templates/webhooks/validatingconfiguration.yaml b/keda/templates/webhooks/validatingconfiguration.yaml
index 75274495..c44beac4 100644
--- a/keda/templates/webhooks/validatingconfiguration.yaml
+++ b/keda/templates/webhooks/validatingconfiguration.yaml
@@ -4,11 +4,7 @@ kind: ValidatingWebhookConfiguration
 metadata:
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
-    cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
-    {{- end }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- if .Values.additionalAnnotations }}
     {{- toYaml .Values.additionalAnnotations | nindent 4 }}
diff --git a/keda/values.yaml b/keda/values.yaml
index 4e96febb..afc3ee73 100644
--- a/keda/values.yaml
+++ b/keda/values.yaml
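Review bot: The new `cert-manager.io/inject-ca-from` line points cainjector at the `-tls-certificates` Certificate, so the APIService caBundle is whatever `ca.crt` that Certificate's secret holds; with the chart's own self-signed issuer that key is present, but with an `existingIssuer` it depends on the issuer type, and issuer kinds that do not populate `ca.crt` would leave the APIService with no trusted bundle and the metrics API unreachable. The previous `inject-ca-from-secret` path at least made that dependency explicit through `caSecretName`. Suggest a comment above the annotation, `# cainjector copies ca.crt from the tls-certificates secret; an existingIssuer must populate that key`, and a matching sentence in the README row for `existingIssuer`. The same applies to the identical line in the webhooks/validatingconfiguration.yaml hunk.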
@@ -451,10 +451,6 @@ certificates:
   mountPath: /certs
   certManager:
     enabled: false
-    # If generateCA is false, the secret with the CA
-    # has to be annotated with 'cert-manager.io/allow-direct-injection: "true"'
-    generateCA: true
-    caSecretName: "kedaorg-ca"
     # Add labels/annotations to secrets created by Certificate resources
     secretTemplate: {}
     # annotations:
@@ -462,6 +458,11 @@ certificates:
     # my-secret-annotation-2: "bar"
     # labels:
     # my-secret-label: foo
+    # Use an existing cert-manager issuer.
+    existingIssuer:
+      enabled: false
+      kind: ClusterIssuer
+      name: ""
 permissions:
   metricServer: