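---
# Namespace that holds the cert-manager components.
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---
# NOTE: Do NOT define cert-manager ServiceAccounts here!
# The ServiceAccounts (cert-manager, cert-manager-cainjector, cert-manager-webhook)
# are created by the upstream cert-manager installation (kubernetes_restart.sh).
# Redefining them here would strip their RBAC bindings and break authentication.
---
# Self-signed ClusterIssuer for bootstrapping the CA certificate chain.
# This issuer is used to create the root CA certificate, which then
# becomes the issuer for all other certificates in the cluster.
#
# Ordering: the cert-manager.io/v1 API only exists once the cert-manager CRDs
# are installed, so apply this document after the upstream installation has
# completed and its webhook is ready.
#
# Scope: a ClusterIssuer can be referenced from every namespace, so anyone
# allowed to create Certificate resources can request a certificate from it.
# Certificates signed directly by a selfSigned issuer have no trust chain.
# Use this issuer only for the root CA and issue workload certificates from
# the CA-backed issuer; restrict Certificate creation through RBAC.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# cert-manager installation (documentation only; no resources defined here).
# The actual installation is done from the command line with:
#   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
#
# NOTE(review): this comment originally said "using Helm repository", but the
# command above applies the static release manifest, not a Helm chart.
# Confirm which method kubernetes_restart.sh actually uses.
#
# Supply chain: applying straight from a URL trusts whatever is served at
# apply time. Prefer downloading the pinned release, checking it against a
# digest recorded in this repository, and applying the local copy, e.g.:
#   curl -fsSLo cert-manager.yaml <release URL above>
#   echo "<EXPECTED_SHA256_PLACEHOLDER>  cert-manager.yaml" | sha256sum -c -
#   kubectl apply -f cert-manager.yaml
# Also review the pinned version (v1.13.2) against upstream security
# advisories when updating this file.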