---
# Namespace to hold the CA

apiVersion: v1
kind: Namespace
metadata:
  name: certificate-authority

---
# The cluster issuer is used to create the CA certificate

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}

---
# The Root CA certificate

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: root-ca
  namespace: certificate-authority
spec:
  isCA: true
  commonName: Root CA
  secretName: root-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 521
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io

---
# CA Issuer that will sign certs using the root CA

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: ca-selfsigned-issuer
  namespace: certificate-authority
spec:
  ca:
    secretName: root-ca-secret