kedacore · JorTurFer · Jan 30, 2024 · Sep 27, 2023 · Sep 27, 2023 · Sep 27, 2023
@@ -64,8 +64,15 @@ their default values.
 | `asciiArt` | bool | `true` | Capability to turn on/off ASCII art in Helm installation notes |
 | `certificates.autoGenerated` | bool | `true` | Enables the self generation for KEDA TLS certificates inside KEDA operator |
 | `certificates.certManager.caSecretName` | string | `"kedaorg-ca"` | Secret name where the CA is stored (generatedby cert-manager or user given) |
+| `certificates.certManager.duration` | string | `"8760h0m0s"` | Certificate duration |
 | `certificates.certManager.enabled` | bool | `false` | Enables Cert-manager for certificate management |
 | `certificates.certManager.generateCA` | bool | `true` | Generates a self-signed CA with Cert-manager. If generateCA is false, the secret with the CA has to be annotated with `cert-manager.io/allow-direct-injection: "true"` |
+| `certificates.certManager.issuer` | object | `{"generate":true,"group":"cert-manager.io","kind":"ClusterIssuer","name":"foo-org-ca"}` | Reference to custom Issuer. If issuer.generate is false, then issuer.group, issuer.kind and issuer.name are required |
+| `certificates.certManager.issuer.generate` | bool | `true` | Generates an Issuer resource with Cert-manager |
+| `certificates.certManager.issuer.group` | string | `"cert-manager.io"` | Custom Issuer group. Required when generate: false |
+| `certificates.certManager.issuer.kind` | string | `"ClusterIssuer"` | Custom Issuer kind. Required when generate: false |
+| `certificates.certManager.issuer.name` | string | `"foo-org-ca"` | Custom Issuer name. Required when generate: false |
+| `certificates.certManager.renewBefore` | string | `"5840h0m0s"` | Certificate renewal time before expiration |
 | `certificates.certManager.secretTemplate` | object | `{}` | Add labels/annotations to secrets created by Certificate resources [docs](https://cert-manager.io/docs/usage/certificate/#creating-certificate-resources) |
 | `certificates.mountPath` | string | `"/certs"` | Path where KEDA TLS certificates are mounted |
 | `certificates.secretName` | string | `"kedaorg-certs"` | Secret name to be mounted with KEDA TLS certificates |

@@ -1,4 +1,4 @@
-{{- if .Values.certificates.certManager.enabled }}
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.issuer.generate }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -11,4 +11,4 @@ metadata:
 spec:
   ca:
     secretName: {{ .Values.certificates.certManager.caSecretName }}
-{{- end }}
+{{- end }}
@@ -25,10 +25,22 @@ spec:
   privateKey:
     algorithm: RSA
     size: 2048
-  duration: 8760h0m0s # 1 year
-  renewBefore: 5840h0m0s # 8 months
+  duration: {{ .Values.certificates.certManager.duration }}
+  renewBefore: {{ .Values.certificates.certManager.renewBefore }}
   issuerRef:
+    {{- if .Values.certificates.certManager.issuer.generate }}
     name: {{ .Values.operator.name }}-issuer
     kind: Issuer
     group: cert-manager.io
+    {{- else }}
+    {{- if .Values.certificates.certManager.issuer.name }}
+    name: {{ .Values.certificates.certManager.issuer.name }}
+    {{- end }}
+    {{- if .Values.certificates.certManager.issuer.kind }}
+    kind: {{ .Values.certificates.certManager.issuer.kind }}
+    {{- end }}
+    {{- if .Values.certificates.certManager.issuer.group }}
+    group: {{ .Values.certificates.certManager.issuer.group }}
+    {{- end }}
+    {{- end }}
 {{- end }}
@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

@@ -1,4 +1,4 @@
-{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA }}
+{{- if and .Values.certificates.certManager.enabled .Values.certificates.certManager.generateCA .Values.certificates.certManager.issuer.generate }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -10,4 +10,4 @@ metadata:
   namespace: {{ .Release.Namespace }}
 spec:
   selfSigned: {}
-{{- end }}
+{{- end }}
@@ -4,10 +4,10 @@ metadata:
   {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
     cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- end }}
     {{- if .Values.additionalAnnotations }}

@@ -5,10 +5,10 @@ metadata:
   {{- if or .Values.certificates.certManager.enabled .Values.additionalAnnotations }}
   annotations:
     {{- if .Values.certificates.certManager.enabled }}
-    {{- if .Values.certificates.certManager.generateCA }}
-    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-ca
-    {{- else }}
+    {{- if and (not .Values.certificates.certManager.generateCA) .Values.certificates.certManager.issuer.generate }}
     cert-manager.io/inject-ca-from-secret: {{ .Release.Namespace }}/{{ .Values.certificates.certManager.caSecretName }}
+    {{- else }}
+    cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ .Values.operator.name }}-tls-certificates
     {{- end }}
     {{- end }}
     {{- if .Values.additionalAnnotations }}

@@ -738,6 +738,10 @@ certificates:
   certManager:
     # -- Enables Cert-manager for certificate management
     enabled: false
+    # -- Certificate duration
+    duration: 8760h0m0s # 1 year
+    # -- Certificate renewal time before expiration
+    renewBefore: 5840h0m0s # 8 months
     # -- Generates a self-signed CA with Cert-manager.
     # If generateCA is false, the secret with the CA
     # has to be annotated with `cert-manager.io/allow-direct-injection: "true"`
@@ -752,6 +756,16 @@ certificates:
       #   my-secret-annotation-2: "bar"
       # labels:
       #   my-secret-label: foo
+    # -- Reference to custom Issuer.
+    issuer:
+      # -- Generates an Issuer resource with Cert-manager
+      generate: true
+      # -- Custom Issuer name. Required when generate: false
+      name: foo-org-ca
+      # -- Custom Issuer kind. Required when generate: false
+      kind: ClusterIssuer
+      # -- Custom Issuer group. Required when generate: false
+      group: cert-manager.io
 
 permissions:
   metricServer: