Align cert-manager with the design document

staging/cert-manager-setup/README.md

@@ -6,7 +6,9 @@ TLS certificates from various issuing sources.
 `cert-manager` will ensure certificates are valid and up to date periodically, and attempt
 to renew certificates at an appropriate time before expiry.
 
-In addition to installing `cert-manager`, `cert-manager-setup` provides the capability to specify a `ClusterIssuer` in the `values.yaml` file which will be applied directly after the `cert-manager` installation has completed.
+`cert-manager-setup` deploys the cert-manager
+
+In addition to installing `cert-manager`, `cert-manager-setup` provides the capability to specify a `ClusterIssuer` in the `values.yaml` file which will be applied directly after the `cert-manager` installation has completed. In order for this to happen, `cert-manager-setup` sets up an `Issuer` in the `cert-manager` namespace. It then creates an intermediate certificate from the secret `kubernetes-root-ca` which must already contain ideally the Kubernetes root CA. The `ClusterIssuer` then uses the intermediate certificate derived from the Kubernetes root CA.
 
 # Supported values format
 

staging/cert-manager-setup/templates/clusterrolebinding.yaml

@@ -2,10 +2,10 @@ apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
   name: read-apiservices-rolebinding
-  namespace: kubeaddons
+  namespace: cert-manager
 subjects:
 - kind: ServiceAccount
-  namespace: kubeaddons
+  namespace: cert-manager
   name: default
 roleRef:
   kind: ClusterRole

staging/cert-manager-setup/templates/issuers.yaml

@@ -0,0 +1,42 @@
+{{ if .Values.clusterissuer }}
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Issuer
+metadata:
+  name: kubernetes-root-issuer
+  namespace: cert-manager
+  annotations:
+    "helm.sh/hook": "post-install"
+    "helm.sh/hook-weight": "-4"
+spec:
+  ca:
+    secretName: kubernetes-root-ca
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: Certificate
+metadata:
+  name: kubernetes-intermediate-ca
+  annotations:
+    "helm.sh/hook": "post-install"
+    "helm.sh/hook-weight": "-3"
+spec:
+  isCA: true
+  commonName: cert-manager
+  secretName: kubernetes-intermediate-ca
+  issuerRef:
+    name: kubernetes-root-issuer
+    kind: Issuer
+    # These are the default usages for reference
+    usages: 
+    - "digital signature"
+    - "key encipherment"
+---
+apiVersion: certmanager.k8s.io/v1alpha1
+kind: ClusterIssuer
+metadata:
+  name: {{ required "clusterissuer must have a name" .Values.clusterissuer.name }}
+  annotations:
+    "helm.sh/hook": "post-install"
+    "helm.sh/hook-weight": "-2"
+spec:
+{{ required "clusterissuer must have a spec" .Values.clusterissuer.spec | toYaml | indent 4 }}
+{{ end }}