Make it possible to provide a custom issuer for the certificate

bianchi2 · bianchi2 · commit 2f77ec179ee6 · 2025-07-03T07:53:33.000+10:00
diff --git a/helm/aws-load-balancer-controller/templates/webhook.yaml b/helm/aws-load-balancer-controller/templates/webhook.yaml
@@ -235,7 +235,7 @@ spec:
   - {{ template "aws-load-balancer-controller.webhookService" . }}.{{ .Release.Namespace }}.svc.{{ .Values.cluster.dnsDomain }}
   issuerRef:
     kind: Issuer
-    name: {{ template "aws-load-balancer-controller.namePrefix" . }}-selfsigned-issuer
+    name: {{ default (printf "%s-selfsigned-issuer" (include "aws-load-balancer-controller.namePrefix" .)) .Values.certManager.existingIssuerName }}
   secretName: {{ template "aws-load-balancer-controller.webhookCertSecret" . }}
   {{- with .Values.certManager -}}
   {{ if .duration }}
@@ -246,6 +246,7 @@ spec:
   {{- end }}
   {{- end }}
 ---
+{{- if not $.Values.certManager.existingIssuerName }}
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
@@ -256,3 +257,4 @@ metadata:
 spec:
   selfSigned: {}
 {{- end }}
+{{- end }}
diff --git a/helm/aws-load-balancer-controller/values.yaml b/helm/aws-load-balancer-controller/values.yaml
@@ -119,6 +119,9 @@ enableCertManager: false
 certManager:
   duration:
   renewBefore:
+  # name of the existing issuer to use for certificate requests
+  # when set, the controller will not create a self-signed issuer
+  existingIssuerName:
 
 # The name of the Kubernetes cluster. A non-empty value is required
 clusterName:
