add ntfy application configuration to kustomization

argo/apps/kustomization.yaml

@@ -1,2 +1,3 @@
 resources:
   - uptime-karma.yaml
+  - ntfy.yaml

argo/apps/ntfy.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: ntfy
+  namespace: argocd
+spec:
+  project: default # Or your specific Argo CD project
+  source:
+    repoURL: https://git.james-mellors.com/mello/Monitoring.git # Sealed Secrets chart repository
+    targetRevision: main # Specify the desired chart version (Check for the latest stable version!)
+    path: helm/ntfy
+
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: monitoring
+  syncPolicy:
+    automated: # Optional: Enable automatic sync
+      prune: true
+      selfHeal: true
+    

helm/ntfy/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

helm/ntfy/Chart.yaml

@@ -0,0 +1,20 @@
+apiVersion: v2
+name: ntfy
+description: A self-hosted HTTP based pub sub notification service.
+icon: https://raw.githubusercontent.com/binwiederhier/ntfy/main/docs/static/img/ntfy.png
+type: application
+
+home: https://github.com/sarab97/helm-chart
+sources:
+  - https://github.com/binwiederhier/ntfy
+
+maintainers:
+  - name: Sarab Singh
+
+keywords:
+  - pubsub
+  - notification
+
+version: 0.1.7
+
+appVersion: "v2.6.2"

helm/ntfy/README.md

@@ -0,0 +1,28 @@
+# ntfy
+
+> A Helm chart for Kubernetes
+
+* <https://github.com/sarab97/helm-charts>
+* <https://github.com/binwiederhier/ntfy>
+
+## Usage
+
+Helm must be installed and setup to your kubernetes cluster to use the charts. Refer to Helm's [documentation](https://helm.sh/docs) to get started. Once Helm has been set up correctly, add the repo as follows:
+
+```sh
+helm repo add sarab97 https://charts.sarabsingh.com
+```
+
+If you had already added this repo earlier, run `helm repo update` to retrieve the latest versions of the packages.
+
+To install this chart simply run the following command:
+
+```sh
+helm install ntfy sarab97/ntfy
+```
+
+To uninstall this chart simply run the following command:
+
+```sh
+helm delete ntfy
+```

helm/ntfy/templates/_helpers.tpl

@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ntfy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ntfy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ntfy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ntfy.labels" -}}
+helm.sh/chart: {{ include "ntfy.chart" . }}
+{{ include "ntfy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ntfy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ntfy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ntfy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ntfy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}

helm/ntfy/templates/certificate.yaml

@@ -0,0 +1,76 @@
+{{- /* ================================================================== */ -}}
+{{- /* Cert-Manager Certificate Configuration for ntfy                    */ -}}
+{{- /* ================================================================== */ -}}
+{{- /*
+    Creates a Certificate resource for cert-manager.
+    Prerequisites:
+    - cert-manager installed in the cluster.
+    - An Issuer or ClusterIssuer (referenced in values.yaml) exists.
+    - ingress.enabled = true
+    - certManager.enabled = true
+    - At least one entry in ingress.tls with secretName and hosts.
+*/}}
+{{- if and .Values.ingress.enabled .Values.certManager.enabled .Values.ingress.tls }}
+{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
+{{- $issuerName := .Values.certManager.issuer.name -}}
+{{- $issuerKind := .Values.certManager.issuer.kind -}}
+{{- if not $issuerName }}
+  {{- fail "ERROR: certManager.enabled is true but certManager.issuer.name is not set!" }}
+{{- end }}
+{{- if not $issuerKind }}
+  {{- fail "ERROR: certManager.enabled is true but certManager.issuer.kind is not set!" }}
+{{- end }}
+
+{{- /* Loop through each TLS entry defined in ingress.tls */}}
+{{- range .Values.ingress.tls }}
+{{- $secretName := .secretName }}
+{{- $hosts := .hosts }}
+{{- if not $secretName }}
+  {{- fail "ERROR: certManager.enabled is true but ingress.tls contains an entry without a 'secretName'." }}
+{{- end }}
+{{- if not $hosts }}
+  {{- fail (printf "ERROR: certManager.enabled is true but ingress.tls entry for secret '%s' contains no 'hosts'." $secretName) }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  # Name the Certificate resource (often same as secretName)
+  name: {{ $secretName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "ntfy.labels" $ | nindent 4 }}
+    {{- with $.Values.certManager.certificate.extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with $.Values.certManager.certificate.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  # secretName: Where cert-manager stores the Secret. MUST match Gateway's credentialName.
+  secretName: {{ $secretName }}
+
+  # issuerRef: Points to the Issuer/ClusterIssuer defined in values.yaml
+  issuerRef:
+    name: {{ $issuerName }}
+    kind: {{ $issuerKind }}
+    # group: cert-manager.io # Usually implicit
+
+  # dnsNames: Domains the certificate will be valid for.
+  dnsNames:
+    {{- range $hosts }}
+    - {{ . | quote }}
+    {{- end }}
+
+  # Optional: Set Common Name (CN)
+  {{- $firstHost := first $hosts -}}
+  {{- if $firstHost }}
+  commonName: {{ $firstHost | quote }}
+  {{- end }}
+
+  # Optional: Add other spec fields like duration, renewBefore etc.
+  # duration: 2160h # 90d
+  # renewBefore: 360h # 15d
+{{- end }} {{/* end range .Values.ingress.tls */}}
+{{- end }} {{/* end if certManager.enabled */}}

helm/ntfy/templates/configmap.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.config.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ template "ntfy.name" . }}
+data:
+  server.yml: |
+    {{- range $key, $value := .Values.config.data }}
+      {{ $key }}: {{ $value }}
+    {{- end }}
+
+{{- end }}

helm/ntfy/templates/deployment.yaml

@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ include "ntfy.fullname" . }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+  {{- if not .Values.autoscaling.enabled }}
+  replicas: {{ .Values.replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "ntfy.selectorLabels" . | nindent 6 }}
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "ntfy.selectorLabels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "ntfy.serviceAccountName" . }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          args: ["serve"]
+          volumeMounts:
+            - mountPath: /var/cache/ntfy
+              name: {{ template "ntfy.name" . }}
+            {{- if .Values.config.enabled }}
+            - mountPath: /etc/ntfy/server.yml
+              name: {{ template "ntfy.name" . }}-conf
+              subPath: server.yml
+              readOnly: true
+            {{- end }}
+          ports:
+            - name: http
+              containerPort: {{ .Values.service.port }}
+              protocol: TCP
+            - name: metrics
+              containerPort: 9090
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /v1/health
+              port: 80
+          readinessProbe:
+            httpGet:
+              path: /v1/health
+              port: 80
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+      volumes:
+        {{- if .Values.config.enabled }}
+        - name: {{ template "ntfy.name" . }}-conf
+          configMap:
+            name: {{ template "ntfy.name" . }}
+        {{- end }}
+        - name: {{ template "ntfy.name" . }}
+{{- if .Values.persistence.enabled }}
+          persistentVolumeClaim:
+            claimName: {{ template "ntfy.fullname" . }}
+{{- else }}
+          emptyDir: {}
+{{- end -}}
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}

helm/ntfy/templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "ntfy.fullname" . }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "ntfy.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

helm/ntfy/templates/ingress.yaml

@@ -0,0 +1,129 @@
+{{- /* ================================================================== */ -}}
+{{- /* Istio Gateway Configuration for ntfy                             */ -}}
+{{- /* ================================================================== */ -}}
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "ntfy.fullname" . -}}
+{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
+{{- $gatewayName := $fullName -}} {{/* Using the same name for simplicity */}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+  name: {{ $gatewayName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+    {{- /* Add extra labels specific to Istio Gateway if needed */}}
+    {{- with .Values.istio.gateway.extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- /* Annotations from K8s Ingress often don't apply directly */}}
+  {{- /* Add Istio specific annotations if required */}}
+  {{- with .Values.istio.gateway.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  # Selector targets the Istio ingress gateway pods.
+  # Adjust if your Istio installation uses different labels.
+  selector:
+    {{- .Values.istio.gateway.selector | default (dict "istio" "ingressgateway") | toYaml | nindent 4 }}
+  servers:
+    # HTTP Server entry (Port 80)
+    - port:
+        number: 80
+        name: http-{{ $fullName }} # Name must be unique per Gateway
+        protocol: HTTP
+      # Listen on hosts defined in ingress rules
+      hosts:
+        {{- range .Values.ingress.hosts }}
+        - {{ .host | quote }}
+        {{- end }}
+      {{- /* Optional: Add HTTP->HTTPS redirect if TLS is enabled */}}
+      {{- if and .Values.ingress.tls .Values.istio.gateway.httpRedirect }}
+      tls:
+        httpsRedirect: true
+      {{- end }}
+
+    {{- /* HTTPS Server entry (Port 443) - Only if TLS is configured */}}
+    {{- if .Values.ingress.tls }}
+    - port:
+        number: 443
+        name: https-{{ $fullName }} # Name must be unique per Gateway
+        protocol: HTTPS
+      # Use hosts defined in the TLS section
+      hosts:
+        {{- range .Values.ingress.tls }}
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+        {{- end }}
+      tls:
+        mode: SIMPLE # Terminate TLS at the gateway
+        # Reference secrets from the TLS config. Secrets must be in the same namespace as the Gateway.
+        # This simple example uses the *first* secret found if multiple are defined in values.yaml.
+        # For multiple certs on the same port, consider multiple server blocks or advanced SNI.
+        {{- range .Values.ingress.tls }}
+        credentialName: {{ .secretName }}
+        {{- break }} {{/* Use only the first secret defined */}}
+        {{- end }}
+    {{- end }}
+---
+{{- /* ================================================================== */ -}}
+{{- /* Istio VirtualService Configuration for ntfy                        */ -}}
+{{- /* ================================================================== */ -}}
+{{- $fullName := include "ntfy.fullname" . -}}
+{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
+{{- $svcPort := .Values.service.port -}}
+{{- $gatewayName := $fullName -}} {{/* Must match the Gateway name defined above */}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+  name: {{ $fullName }}
+  namespace: {{ $namespace }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+    {{- /* Add extra labels specific to Istio VirtualService if needed */}}
+    {{- with .Values.istio.virtualService.extraLabels }}
+      {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.istio.virtualService.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  # Apply rules to traffic coming through the specified gateway(s)
+  gateways:
+  - {{ $gatewayName }}
+  # Apply rules for requests targeting the specified host(s)
+  hosts:
+    {{- range .Values.ingress.hosts }}
+    - {{ .host | quote }}
+    {{- end }}
+  http:
+    {{- /* Create a route rule for each host/path combination from the ingress spec */}}
+    {{- range .Values.ingress.hosts }}
+      {{- range .paths }}
+    - match:
+      - uri:
+          # Map pathType from Ingress to Istio URI match types
+          {{- if eq .pathType "Prefix" }}
+          prefix: {{ .path }}
+          {{- else if eq .pathType "Exact" }}
+          exact: {{ .path }}
+          {{- else }}
+          # Default or fallback, usually Prefix is safest assumption for ImplementationSpecific
+          prefix: {{ .path }}
+          {{- end }}
+      # Define where to route the traffic
+      route:
+      - destination:
+          # Route to the internal Kubernetes Service
+          host: {{ $fullName }} # The name of the ntfy Kubernetes Service
+          port:
+            number: {{ $svcPort }} # The port the ntfy Service listens on
+      {{- /* Add other Istio features like rewrite, headers, retries, timeouts here if needed */}}
+      {{- end }} {{- /* end range .paths */}}
+    {{- end }} {{- /* end range .Values.ingress.hosts */}}
+{{- end }} {{/* End if .Values.ingress.enabled */}}

helm/ntfy/templates/pvc.yaml

@@ -0,0 +1,14 @@
+{{- if .Values.persistence.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: {{ include "ntfy.fullname" . }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .Values.persistence.size }}
+{{- end }}

helm/ntfy/templates/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "ntfy.fullname" . }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+  type: {{ .Values.service.type }}
+  ports:
+    - port: {{ .Values.service.port }}
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "ntfy.selectorLabels" . | nindent 4 }}

helm/ntfy/templates/serviceaccount.yaml

@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "ntfy.serviceAccountName" . }}
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+{{- end }}

helm/ntfy/templates/tests/test-connection.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: "{{ include "ntfy.fullname" . }}-test-connection"
+  labels:
+    {{- include "ntfy.labels" . | nindent 4 }}
+  annotations:
+    "helm.sh/hook": test
+spec:
+  containers:
+    - name: wget
+      image: busybox
+      command: ['wget']
+      args: ['{{ include "ntfy.fullname" . }}:{{ .Values.service.port }}']
+  restartPolicy: Never

helm/ntfy/values.yaml

@@ -0,0 +1,132 @@
+# Default values for ntfy.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+  repository: binwiederhier/ntfy
+  pullPolicy: IfNotPresent
+  # Overrides the image tag whose default is the chart appVersion.
+  tag: "v2.11.0"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+  # Specifies whether a service account should be created
+  create: true
+  # Annotations to add to the service account
+  annotations: {}
+  # The name of the service account to use.
+  # If not set and create is true, a name is generated using the fullname template
+  name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+  # fsGroup: 2000
+
+securityContext: {}
+  # capabilities:
+  #   drop:
+  #   - ALL
+  # readOnlyRootFilesystem: true
+  # runAsNonRoot: true
+  # runAsUser: 1000
+
+service:
+  type: ClusterIP
+  port: 80
+
+ingress:
+  enabled: true
+  className: ""
+  annotations: {}
+    # kubernetes.io/ingress.class: nginx
+    # kubernetes.io/tls-acme: "true"
+  hosts:
+    - host: ntfy.james-mellors.com
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls: 
+   - secretName: ntfy-tls
+     hosts:
+       - ntfy.james-mellors.com
+
+resources: {}
+  # We usually recommend not to specify default resources and to leave this as a conscious
+  # choice for the user. This also increases chances charts run on environments with little
+  # resources, such as Minikube. If you do want to specify resources, uncomment the following
+  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+
+config:
+  enabled: true
+  data:
+    base-url: "https://ntfy.james-mellors.com"
+    auth-file: "/var/cache/ntfy/user.db"
+    auth-default-access: "deny-all"
+    cache-file: "/var/cache/ntfy/cache.db"
+    attachment-cache-dir: "/var/cache/ntfy/attachments"
+    behind-proxy: true
+
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+persistence:
+  enabled: false
+  size: 200Mi
+
+istio:
+  gateway:
+    # -- Extra labels for the Istio Gateway
+    extraLabels: {}
+    # -- Extra annotations for the Istio Gateway
+    annotations: {}
+    # -- Selector for the Istio Ingress Gateway pods
+    selector:
+      istio: ingressgateway
+    # -- Enable automatic HTTP to HTTPS redirection on Gateway
+    httpRedirect: true
+  virtualService:
+    # -- Extra labels for the Istio VirtualService
+    extraLabels: {}
+    # -- Extra annotations for the Istio VirtualService
+    annotations: {}
+
+# -- Cert-Manager Configuration
+certManager:
+  # -- Enable automatic Certificate creation via cert-manager
+  enabled: true # Set to true to create Certificate resource
+
+  # -- Reference to the cert-manager Issuer or ClusterIssuer
+  issuer:
+    # -- Name of the Issuer or ClusterIssuer (REQUIRED if enabled)
+    name: "letsencrypt-cloudflare" # e.g., "letsencrypt-prod"
+    # -- Kind of the issuer (Issuer or ClusterIssuer) (REQUIRED if enabled)
+    kind: ClusterIssuer # Or "Issuer"
+
+  # -- Optional: Add extra labels/annotations to the Certificate resource
+  certificate:
+    extraLabels: {}
+    annotations: {}