{{- if ne .Values.ingress.tls.source "letsEncrypt" -}}
{{- if and (not (.Capabilities.APIVersions.Has "cert-manager.io/v1beta1")) (not (.Capabilities.APIVersions.Has "cert-manager.io/v1alpha2")) (not (.Capabilities.APIVersions.Has "certmanager.k8s.io/v1alpha1")) (not (.Capabilities.APIVersions.Has "cert-manager.io/v1")) }}
{{- $ca := genCA "self-signed-ca" 3650 -}}
{{- $cert := genSignedCert "ks-apiserver" nil (list "ks-apiserver" (printf "%s.%s" "ks-apiserver" .Release.Namespace) (printf "%s.%s.%s" "ks-apiserver" .Release.Namespace "svc")) 3650 $ca -}}
{{- if .Values.internalTLS }}
apiVersion: v1
kind: Secret
metadata:
  name: ks-apiserver-tls-certs
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  ca.crt: {{  b64enc $ca.Cert }}
  tls.crt: {{ b64enc $cert.Cert }}
  tls.key: {{ b64enc $cert.Key }}
{{- end }}

---
{{- $consolecert := genSignedCert "ks-console" nil (list "ks-console" (printf "%s.%s" "ks-console" .Release.Namespace) (printf "%s.%s.%s" "ks-console" .Release.Namespace "svc") .Values.portal.hostname) 3650 $ca -}}
{{- if .Values.internalTLS }}
apiVersion: v1
kind: Secret
metadata:
  name: ks-console-tls-certs
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  ca.crt: {{ b64enc $ca.Cert }}
  tls.crt: {{ b64enc $consolecert.Cert }}
  tls.key: {{ b64enc $consolecert.Key }}
{{- end }}

---
{{- $ingresscert := genSignedCert .Values.portal.hostname nil (list .Values.portal.hostname) 3650 $ca -}}
{{- if and ( .Values.ingress.enabled ) ( .Values.ingress.tls.enabled ) (eq .Values.ingress.tls.source "generation") }}
apiVersion: v1
kind: Secret
metadata:
  name: {{ .Values.ingress.tls.secretName }}
  namespace: {{ .Release.Namespace }}
type: Opaque
data:
  ca.crt: {{  b64enc $ca.Cert }}
  tls.crt: {{ b64enc $ingresscert.Cert }}
  tls.key: {{ b64enc $ingresscert.Key }}
{{- end }}
{{- end }}
{{- end }}