diff --git a/argo/apps/kustomization.yaml b/argo/apps/kustomization.yaml
index 8df3126..46175ff 100644
--- a/argo/apps/kustomization.yaml
+++ b/argo/apps/kustomization.yaml
@@ -1,2 +1,3 @@
 resources:
 - uptime-karma.yaml
+ - ntfy.yaml
diff --git a/argo/apps/ntfy.yaml b/argo/apps/ntfy.yaml
new file mode 100644
index 0000000..17a08f5
--- /dev/null
+++ b/argo/apps/ntfy.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: ntfy
+ namespace: argocd
+spec:
+ project: default # Or your specific Argo CD project
+ source:
+ repoURL: https://git.james-mellors.com/mello/Monitoring.git # Sealed Secrets chart repository
+ targetRevision: main # Specify the desired chart version (Check for the latest stable version!)
+ path: helm/ntfy
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: monitoring
+ syncPolicy:
+ automated: # Optional: Enable automatic sync
+ prune: true
+ selfHeal: true
+
\ No newline at end of file
diff --git a/helm/ntfy/.helmignore b/helm/ntfy/.helmignore
new file mode 100644
index 0000000..0e8a0eb
--- /dev/null
+++ b/helm/ntfy/.helmignore
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/helm/ntfy/Chart.yaml b/helm/ntfy/Chart.yaml
new file mode 100644
index 0000000..a771ce2
--- /dev/null
+++ b/helm/ntfy/Chart.yaml
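Review bot: `targetRevision: main` in argo/apps/ntfy.yaml follows a mutable branch while `automated` sync runs with `prune: true` and `selfHeal: true`, so any push to main of the Monitoring repo is applied to the cluster without a revision change in this file. Pinning to a tag or commit, e.g. `targetRevision: <release-tag-or-commit-sha>`, ties the deployed chart to a known state. The trailing comments on `repoURL` and `targetRevision` ("Sealed Secrets chart repository", "desired chart version") look copied from another Application and should be corrected or dropped. `project: default` is worth replacing with a scoped AppProject if one exists.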
@@ -0,0 +1,20 @@
+apiVersion: v2
+name: ntfy
+description: A self-hosted HTTP based pub sub notification service.
+icon: https://raw.githubusercontent.com/binwiederhier/ntfy/main/docs/static/img/ntfy.png
+type: application
+
+home: https://github.com/sarab97/helm-chart
+sources:
+ - https://github.com/binwiederhier/ntfy
+
+maintainers:
+ - name: Sarab Singh
+
+keywords:
+ - pubsub
+ - notification
+
+version: 0.1.7
+
+appVersion: "v2.6.2"
diff --git a/helm/ntfy/README.md b/helm/ntfy/README.md
new file mode 100644
index 0000000..c65556c
--- /dev/null
+++ b/helm/ntfy/README.md
@@ -0,0 +1,28 @@
+# ntfy
+
+> A Helm chart for Kubernetes
+
+*
+*
+
+## Usage
+
+Helm must be installed and setup to your kubernetes cluster to use the charts. Refer to Helm's [documentation](https://helm.sh/docs) to get started. Once Helm has been set up correctly, add the repo as follows:
+
+```sh
+helm repo add sarab97 https://charts.sarabsingh.com
+```
+
+If you had already added this repo earlier, run `helm repo update` to retrieve the latest versions of the packages.
+
+To install this chart simply run the following command:
+
+```sh
+helm install ntfy sarab97/ntfy
+```
+
+To uninstall this chart simply run the following command:
+
+```sh
+helm delete ntfy
+```
diff --git a/helm/ntfy/templates/_helpers.tpl b/helm/ntfy/templates/_helpers.tpl
new file mode 100644
index 0000000..6904d88
--- /dev/null
+++ b/helm/ntfy/templates/_helpers.tpl
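Review bot: `appVersion: "v2.6.2"` in Chart.yaml does not match the image that is actually deployed, because values.yaml in this commit sets `image.tag: "v2.11.0"`. The `app.kubernetes.io/version` label in `ntfy.labels` is rendered from `.Chart.AppVersion`, so every object will advertise v2.6.2 while running v2.11.0, which misleads any inventory or vulnerability triage keyed on that label. I would set `appVersion: "v2.11.0"` and leave `image.tag` as `""` so there is a single source of truth.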
@@ -0,0 +1,62 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "ntfy.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "ntfy.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "ntfy.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "ntfy.labels" -}}
+helm.sh/chart: {{ include "ntfy.chart" . }}
+{{ include "ntfy.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "ntfy.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "ntfy.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "ntfy.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "ntfy.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/helm/ntfy/templates/certificate.yaml b/helm/ntfy/templates/certificate.yaml
new file mode 100644
index 0000000..96825a8
--- /dev/null
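Review bot: No `ntfy.namespace` helper is defined in _helpers.tpl, yet certificate.yaml and ingress.yaml in this commit both call `include "ntfy.namespace" .`; unless it is defined in a file outside this diff, rendering fails as soon as `ingress.enabled` is true, which is the default in values.yaml. Adding `{{- define "ntfy.namespace" -}}{{ .Release.Namespace }}{{- end }}` here matches the "Or use .Release.Namespace" comments next to those calls. The Deployment, Service and PVC templates set no `metadata.namespace`, so resolving to the release namespace keeps all objects together.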
+++ b/helm/ntfy/templates/certificate.yaml 
@@ -0,0 +1,76 @@
+{{- /* ================================================================== */ -}}
+{{- /* Cert-Manager Certificate Configuration for ntfy */ -}}
+{{- /* ================================================================== */ -}}
+{{- /*
+ Creates a Certificate resource for cert-manager.
+ Prerequisites:
+ - cert-manager installed in the cluster.
+ - An Issuer or ClusterIssuer (referenced in values.yaml) exists.
+ - ingress.enabled = true
+ - certManager.enabled = true
+ - At least one entry in ingress.tls with secretName and hosts.
+*/}}
+{{- if and .Values.ingress.enabled .Values.certManager.enabled .Values.ingress.tls }}
+{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
+{{- $issuerName := .Values.certManager.issuer.name -}}
+{{- $issuerKind := .Values.certManager.issuer.kind -}}
+{{- if not $issuerName }}
+ {{- fail "ERROR: certManager.enabled is true but certManager.issuer.name is not set!" }}
+{{- end }}
+{{- if not $issuerKind }}
+ {{- fail "ERROR: certManager.enabled is true but certManager.issuer.kind is not set!" }}
+{{- end }}
+
+{{- /* Loop through each TLS entry defined in ingress.tls */}}
+{{- range .Values.ingress.tls }}
+{{- $secretName := .secretName }}
+{{- $hosts := .hosts }}
+{{- if not $secretName }}
+ {{- fail "ERROR: certManager.enabled is true but ingress.tls contains an entry without a 'secretName'." }}
+{{- end }}
+{{- if not $hosts }}
+ {{- fail (printf "ERROR: certManager.enabled is true but ingress.tls entry for secret '%s' contains no 'hosts'." $secretName) }}
+{{- end }}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ # Name the Certificate resource (often same as secretName)
+ name: {{ $secretName }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ntfy.labels" $ | nindent 4 }}
+ {{- with $.Values.certManager.certificate.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with $.Values.certManager.certificate.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ # secretName: Where cert-manager stores the Secret. MUST match Gateway's credentialName.
+ secretName: {{ $secretName }}
+
+ # issuerRef: Points to the Issuer/ClusterIssuer defined in values.yaml
+ issuerRef:
+ name: {{ $issuerName }}
+ kind: {{ $issuerKind }}
+ # group: cert-manager.io # Usually implicit
+
+ # dnsNames: Domains the certificate will be valid for.
+ dnsNames:
+ {{- range $hosts }}
+ - {{ . | quote }}
+ {{- end }}
+
+ # Optional: Set Common Name (CN)
+ {{- $firstHost := first $hosts -}}
+ {{- if $firstHost }}
+ commonName: {{ $firstHost | quote }}
+ {{- end }}
+
+ # Optional: Add other spec fields like duration, renewBefore etc.
+ # duration: 2160h # 90d
+ # renewBefore: 360h # 15d
+{{- end }} {{/* end range .Values.ingress.tls */}}
+{{- end }} {{/* end if certManager.enabled */}}
\ No newline at end of file
diff --git a/helm/ntfy/templates/configmap.yaml b/helm/ntfy/templates/configmap.yaml
new file mode 100644
index 0000000..9e01164
--- /dev/null
+++ b/helm/ntfy/templates/configmap.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.config.enabled -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ template "ntfy.name" . }}
+data:
+ server.yml: |
+ {{- range $key, $value := .Values.config.data }}
+ {{ $key }}: {{ $value }}
+ {{- end }}
+
+{{- end }}
diff --git a/helm/ntfy/templates/deployment.yaml b/helm/ntfy/templates/deployment.yaml
new file mode 100644
index 0000000..0ed5e7d
--- /dev/null
+++ b/helm/ntfy/templates/deployment.yaml
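Review bot: In configmap.yaml the line `{{ $key }}: {{ $value }}` writes each config value into server.yml as raw text, so a value containing `: `, ` #` or a leading YAML indicator is re-parsed or truncated when ntfy loads the file instead of arriving as the string given in values.yaml. Because this file carries the access-control settings (`auth-file`, `auth-default-access`), I would render the map with `{{- toYaml .Values.config.data | nindent 4 }}` under `server.yml: |`, which quotes where needed. The ConfigMap is also named with `ntfy.name` and carries no labels, while the other objects use `ntfy.fullname` and `ntfy.labels`; two releases in one namespace would share it.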
@@ -0,0 +1,87 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "ntfy.fullname" . }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+ {{- if not .Values.autoscaling.enabled }}
+ replicas: {{ .Values.replicaCount }}
+ {{- end }}
+ selector:
+ matchLabels:
+ {{- include "ntfy.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ {{- with .Values.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ labels:
+ {{- include "ntfy.selectorLabels" . | nindent 8 }}
+ spec:
+ {{- with .Values.imagePullSecrets }}
+ imagePullSecrets:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ serviceAccountName: {{ include "ntfy.serviceAccountName" . }}
+ securityContext:
+ {{- toYaml .Values.podSecurityContext | nindent 8 }}
+ containers:
+ - name: {{ .Chart.Name }}
+ securityContext:
+ {{- toYaml .Values.securityContext | nindent 12 }}
+ image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+ imagePullPolicy: {{ .Values.image.pullPolicy }}
+ args: ["serve"]
+ volumeMounts:
+ - mountPath: /var/cache/ntfy
+ name: {{ template "ntfy.name" . }}
+ {{- if .Values.config.enabled }}
+ - mountPath: /etc/ntfy/server.yml
+ name: {{ template "ntfy.name" . }}-conf
+ subPath: server.yml
+ readOnly: true
+ {{- end }}
+ ports:
+ - name: http
+ containerPort: {{ .Values.service.port }}
+ protocol: TCP
+ - name: metrics
+ containerPort: 9090
+ protocol: TCP
+ livenessProbe:
+ httpGet:
+ path: /v1/health
+ port: 80
+ readinessProbe:
+ httpGet:
+ path: /v1/health
+ port: 80
+ resources:
+ {{- toYaml .Values.resources | nindent 12 }}
+ volumes:
+ {{- if .Values.config.enabled }}
+ - name: {{ template "ntfy.name" . }}-conf
+ configMap:
+ name: {{ template "ntfy.name" . }}
+ {{- end }}
+ - name: {{ template "ntfy.name" . }}
+{{- if .Values.persistence.enabled }}
+ persistentVolumeClaim:
+ claimName: {{ template "ntfy.fullname" . }}
+{{- else }}
+ emptyDir: {}
+{{- end -}}
+ {{- with .Values.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
diff --git a/helm/ntfy/templates/hpa.yaml b/helm/ntfy/templates/hpa.yaml
new file mode 100644
index 0000000..994a13e
--- /dev/null
+++ b/helm/ntfy/templates/hpa.yaml
@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+ name: {{ include "ntfy.fullname" . }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+ scaleTargetRef:
+ apiVersion: apps/v1
+ kind: Deployment
+ name: {{ include "ntfy.fullname" . }}
+ minReplicas: {{ .Values.autoscaling.minReplicas }}
+ maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+ metrics:
+ {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: cpu
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+ {{- end }}
+ {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ - type: Resource
+ resource:
+ name: memory
+ target:
+ type: Utilization
+ averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+ {{- end }}
+{{- end }}
diff --git a/helm/ntfy/templates/ingress.yaml b/helm/ntfy/templates/ingress.yaml
new file mode 100644
index 0000000..98563e6
--- /dev/null
+++ b/helm/ntfy/templates/ingress.yaml
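Review bot: Both probes in deployment.yaml hard-code `port: 80` while the container's `http` port is `{{ .Values.service.port }}`, so changing `service.port` leaves liveness and readiness checking a port the pod no longer declares. Use the named port in both `httpGet` blocks: `port: http`. As far as the visible values show, nothing passes the port to ntfy itself (there is no `listen-http` entry in `config.data`), so `service.port` presumably only works at 80 today; confirm and either wire it through or document it.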
@@ -0,0 +1,129 @@
+{{- /* ================================================================== */ -}}
+{{- /* Istio Gateway Configuration for ntfy */ -}}
+{{- /* ================================================================== */ -}}
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "ntfy.fullname" . -}}
+{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
+{{- $gatewayName := $fullName -}} {{/* Using the same name for simplicity */}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: {{ $gatewayName }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+ {{- /* Add extra labels specific to Istio Gateway if needed */}}
+ {{- with .Values.istio.gateway.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- /* Annotations from K8s Ingress often don't apply directly */}}
+ {{- /* Add Istio specific annotations if required */}}
+ {{- with .Values.istio.gateway.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ # Selector targets the Istio ingress gateway pods.
+ # Adjust if your Istio installation uses different labels.
+ selector:
+ {{- .Values.istio.gateway.selector | default (dict "istio" "ingressgateway") | toYaml | nindent 4 }}
+ servers:
+ # HTTP Server entry (Port 80)
+ - port:
+ number: 80
+ name: http-{{ $fullName }} # Name must be unique per Gateway
+ protocol: HTTP
+ # Listen on hosts defined in ingress rules
+ hosts:
+ {{- range .Values.ingress.hosts }}
+ - {{ .host | quote }}
+ {{- end }}
+ {{- /* Optional: Add HTTP->HTTPS redirect if TLS is enabled */}}
+ {{- if and .Values.ingress.tls .Values.istio.gateway.httpRedirect }}
+ tls:
+ httpsRedirect: true
+ {{- end }}
+
+ {{- /* HTTPS Server entry (Port 443) - Only if TLS is configured */}}
+ {{- if .Values.ingress.tls }}
+ - port:
+ number: 443
+ name: https-{{ $fullName }} # Name must be unique per Gateway
+ protocol: HTTPS
+ # Use hosts defined in the TLS section
+ hosts:
+ {{- range .Values.ingress.tls }}
+ {{- range .hosts }}
+ - {{ . | quote }}
+ {{- end }}
+ {{- end }}
+ tls:
+ mode: SIMPLE # Terminate TLS at the gateway
+ # Reference secrets from the TLS config. Secrets must be in the same namespace as the Gateway.
+ # This simple example uses the *first* secret found if multiple are defined in values.yaml.
+ # For multiple certs on the same port, consider multiple server blocks or advanced SNI.
+ {{- range .Values.ingress.tls }}
+ credentialName: {{ .secretName }}
+ {{- break }} {{/* Use only the first secret defined */}}
+ {{- end }}
+ {{- end }}
+---
+{{- /* ================================================================== */ -}}
+{{- /* Istio VirtualService Configuration for ntfy */ -}}
+{{- /* ================================================================== */ -}}
+{{- $fullName := include "ntfy.fullname" . -}}
+{{- $namespace := include "ntfy.namespace" . -}} {{/* Or use .Release.Namespace */}}
+{{- $svcPort := .Values.service.port -}}
+{{- $gatewayName := $fullName -}} {{/* Must match the Gateway name defined above */}}
+
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: {{ $fullName }}
+ namespace: {{ $namespace }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+ {{- /* Add extra labels specific to Istio VirtualService if needed */}}
+ {{- with .Values.istio.virtualService.extraLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ {{- with .Values.istio.virtualService.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ # Apply rules to traffic coming through the specified gateway(s)
+ gateways:
+ - {{ $gatewayName }}
+ # Apply rules for requests targeting the specified host(s)
+ hosts:
+ {{- range .Values.ingress.hosts }}
+ - {{ .host | quote }}
+ {{- end }}
+ http:
+ {{- /* Create a route rule for each host/path combination from the ingress spec */}}
+ {{- range .Values.ingress.hosts }}
+ {{- range .paths }}
+ - match:
+ - uri:
+ # Map pathType from Ingress to Istio URI match types
+ {{- if eq .pathType "Prefix" }}
+ prefix: {{ .path }}
+ {{- else if eq .pathType "Exact" }}
+ exact: {{ .path }}
+ {{- else }}
+ # Default or fallback, usually Prefix is safest assumption for ImplementationSpecific
+ prefix: {{ .path }}
+ {{- end }}
+ # Define where to route the traffic
+ route:
+ - destination:
+ # Route to the internal Kubernetes Service
+ host: {{ $fullName }} # The name of the ntfy Kubernetes Service
+ port:
+ number: {{ $svcPort }} # The port the ntfy Service listens on
+ {{- /* Add other Istio features like rewrite, headers, retries, timeouts here if needed */}}
+ {{- end }} {{- /* end range .paths */}}
+ {{- end }} {{- /* end range .Values.ingress.hosts */}}
+{{- end }} {{/* End if .Values.ingress.enabled */}}
\ No newline at end of file
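Review bot: The comment above `credentialName` says the secret must be in the same namespace as the Gateway, but Istio's ingress gateway loads `credentialName` secrets from the namespace of the gateway workload selected by `istio: ingressgateway`, which is typically `istio-system`. certificate.yaml creates the Certificate, and therefore the `ntfy-tls` secret, in `ntfy.namespace`, so unless the ingress gateway pods run in that same namespace the 443 server has no certificate to serve. Either create the Certificate in the gateway workload's namespace (a new value such as `certManager.certificate.namespace` would do) or correct the comment and document the requirement. `prefix: {{ .path }}` and `exact: {{ .path }}` should also be piped through `quote`, as the host entries already are.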
diff --git a/helm/ntfy/templates/pvc.yaml b/helm/ntfy/templates/pvc.yaml
new file mode 100644
index 0000000..98dbd2b
--- /dev/null
+++ b/helm/ntfy/templates/pvc.yaml
@@ -0,0 +1,14 @@
+{{- if .Values.persistence.enabled -}}
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: {{ include "ntfy.fullname" . }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: {{ .Values.persistence.size }}
+{{- end }}
diff --git a/helm/ntfy/templates/service.yaml b/helm/ntfy/templates/service.yaml
new file mode 100644
index 0000000..2aa3dbe
--- /dev/null
+++ b/helm/ntfy/templates/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ include "ntfy.fullname" . }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+spec:
+ type: {{ .Values.service.type }}
+ ports:
+ - port: {{ .Values.service.port }}
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ {{- include "ntfy.selectorLabels" . | nindent 4 }}
diff --git a/helm/ntfy/templates/serviceaccount.yaml b/helm/ntfy/templates/serviceaccount.yaml
new file mode 100644
index 0000000..d0a8689
--- /dev/null
+++ b/helm/ntfy/templates/serviceaccount.yaml
@@ -0,0 +1,12 @@
+{{- if .Values.serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: {{ include "ntfy.serviceAccountName" . }}
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+ {{- with .Values.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/helm/ntfy/templates/tests/test-connection.yaml b/helm/ntfy/templates/tests/test-connection.yaml
new file mode 100644
index 0000000..5970b5a
--- /dev/null
+++ b/helm/ntfy/templates/tests/test-connection.yaml
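Review bot: The ServiceAccount created in serviceaccount.yaml keeps the default token automount, and nothing in this chart shows ntfy calling the Kubernetes API. Adding `automountServiceAccountToken: false` to the ServiceAccount (or to the pod spec in deployment.yaml) keeps an API credential out of a pod that is exposed through the Gateway.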
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Pod
+metadata:
+ name: "{{ include "ntfy.fullname" . }}-test-connection"
+ labels:
+ {{- include "ntfy.labels" . | nindent 4 }}
+ annotations:
+ "helm.sh/hook": test
+spec:
+ containers:
+ - name: wget
+ image: busybox
+ command: ['wget']
+ args: ['{{ include "ntfy.fullname" . }}:{{ .Values.service.port }}']
+ restartPolicy: Never
diff --git a/helm/ntfy/values.yaml b/helm/ntfy/values.yaml
new file mode 100644
index 0000000..990422b
--- /dev/null
+++ b/helm/ntfy/values.yaml
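Review bot: `image: busybox` in the test pod has no tag or digest, so `helm test` pulls whatever `latest` resolves to at run time. Pin it, e.g. `image: busybox:<pinned-tag>`, ideally by digest. The `wget` call fetches `/`, while the chart's probes use `/v1/health`; pointing the test at that path would check the same endpoint the probes rely on.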
@@ -0,0 +1,132 @@
+# Default values for ntfy.
+# This is a YAML-formatted file.
+# Declare variables to be passed into your templates.
+
+replicaCount: 1
+
+image:
+ repository: binwiederhier/ntfy
+ pullPolicy: IfNotPresent
+ # Overrides the image tag whose default is the chart appVersion.
+ tag: "v2.11.0"
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+ # Annotations to add to the service account
+ annotations: {}
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ name: ""
+
+podAnnotations: {}
+
+podSecurityContext: {}
+ # fsGroup: 2000
+
+securityContext: {}
+ # capabilities:
+ # drop:
+ # - ALL
+ # readOnlyRootFilesystem: true
+ # runAsNonRoot: true
+ # runAsUser: 1000
+
+service:
+ type: ClusterIP
+ port: 80
+
+ingress:
+ enabled: true
+ className: ""
+ annotations: {}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+ hosts:
+ - host: ntfy.james-mellors.com
+ paths:
+ - path: /
+ pathType: ImplementationSpecific
+ tls:
+ - secretName: ntfy-tls
+ hosts:
+ - ntfy.james-mellors.com
+
+resources: {}
+ # We usually recommend not to specify default resources and to leave this as a conscious
+ # choice for the user. This also increases chances charts run on environments with little
+ # resources, such as Minikube. If you do want to specify resources, uncomment the following
+ # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+ # limits:
+ # cpu: 100m
+ # memory: 128Mi
+ # requests:
+ # cpu: 100m
+ # memory: 128Mi
+
+autoscaling:
+ enabled: false
+ minReplicas: 1
+ maxReplicas: 100
+ targetCPUUtilizationPercentage: 80
+ # targetMemoryUtilizationPercentage: 80
+
+
+config:
+ enabled: true
+ data:
+ base-url: "https://ntfy.james-mellors.com"
+ auth-file: "/var/cache/ntfy/user.db"
+ auth-default-access: "deny-all"
+ cache-file: "/var/cache/ntfy/cache.db"
+ attachment-cache-dir: "/var/cache/ntfy/attachments"
+ behind-proxy: true
+
+
+nodeSelector: {}
+
+tolerations: []
+
+affinity: {}
+
+persistence:
+ enabled: false
+ size: 200Mi
+
+istio:
+ gateway:
+ # -- Extra labels for the Istio Gateway
+ extraLabels: {}
+ # -- Extra annotations for the Istio Gateway
+ annotations: {}
+ # -- Selector for the Istio Ingress Gateway pods
+ selector:
+ istio: ingressgateway
+ # -- Enable automatic HTTP to HTTPS redirection on Gateway
+ httpRedirect: true
+ virtualService:
+ # -- Extra labels for the Istio VirtualService
+ extraLabels: {}
+ # -- Extra annotations for the Istio VirtualService
+ annotations: {}
+
+# -- Cert-Manager Configuration
+certManager:
+ # -- Enable automatic Certificate creation via cert-manager
+ enabled: true # Set to true to create Certificate resource
+
+ # -- Reference to the cert-manager Issuer or ClusterIssuer
+ issuer:
+ # -- Name of the Issuer or ClusterIssuer (REQUIRED if enabled)
+ name: "letsencrypt-cloudflare" # e.g., "letsencrypt-prod"
+ # -- Kind of the issuer (Issuer or ClusterIssuer) (REQUIRED if enabled)
+ kind: ClusterIssuer # Or "Issuer"
+
+ # -- Optional: Add extra labels/annotations to the Certificate resource
+ certificate:
+ extraLabels: {}
+ annotations: {}
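Review bot: `persistence.enabled: false` combined with `auth-file: "/var/cache/ntfy/user.db"` and `auth-default-access: "deny-all"` puts the user and ACL database on the `emptyDir` that deployment.yaml mounts at /var/cache/ntfy, so every pod restart or reschedule discards all accounts and leaves the server denying everyone until users are recreated. Set `persistence.enabled: true` for this deployment; the message cache and attachments share the same path. `podSecurityContext: {}` and `securityContext: {}` also leave the container on the image defaults, and the commented-out `runAsNonRoot`, `readOnlyRootFilesystem` and `capabilities.drop` block is worth enabling once the listen port and writable paths are confirmed to work with it.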