feat(helm): Ask cert-manager for EC keys by default

charts/ingress-nginx/README.md

@@ -237,8 +237,10 @@ As of version `1.26.0` of this chart, by simply not providing any clusterIP valu
 | controller.addHeaders | object | `{}` | Will add custom headers before sending response traffic to the client according to: https://kubernetes.github.io/ingress-nginx/user-guide/nginx-configuration/configmap/#add-headers |
 | controller.admissionWebhooks.annotations | object | `{}` |  |
 | controller.admissionWebhooks.certManager.admissionCert.duration | string | `""` |  |
+| controller.admissionWebhooks.certManager.admissionCert.extraConfig | object | `{"privateKey":{"algorithm":"ECDSA","size":256}}` | Extra configuration for the admission webhook certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can. |
 | controller.admissionWebhooks.certManager.enabled | bool | `false` |  |
 | controller.admissionWebhooks.certManager.rootCert.duration | string | `""` |  |
+| controller.admissionWebhooks.certManager.rootCert.extraConfig | object | `{"privateKey":{"algorithm":"ECDSA","size":256}}` | Extra configuration for the admission webhook CA certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can. |
 | controller.admissionWebhooks.certificate | string | `"/usr/local/certificates/cert"` |  |
 | controller.admissionWebhooks.createSecretJob.resources | object | `{}` |  |
 | controller.admissionWebhooks.createSecretJob.securityContext.allowPrivilegeEscalation | bool | `false` |  |

charts/ingress-nginx/templates/admission-webhooks/cert-manager.yaml

@@ -26,6 +26,9 @@ spec:
   subject:
     organizations:
       - ingress-nginx
+  {{- with .Values.controller.admissionWebhooks.certManager.rootCert.extraConfig }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
 ---
 # Create an Issuer that uses the above generated CA certificate to issue certs
 apiVersion: cert-manager.io/v1
@@ -60,4 +63,7 @@ spec:
   subject:
     organizations:
       - ingress-nginx-admission
+  {{- with .Values.controller.admissionWebhooks.certManager.admissionCert.extraConfig }}
+  {{- toYaml . | nindent 2 }}
+  {{- end }}
 {{- end -}}

charts/ingress-nginx/values.yaml

@@ -639,12 +639,23 @@ controller:
       rootCert:
         # default to be 5y
         duration: ""
+        # -- Extra configuration for the admission webhook CA certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can.
+        extraConfig:
+          privateKey:
+            algorithm: ECDSA
+            size: 256
+
       admissionCert:
         # default to be 1y
         duration: ""
         # issuerRef:
         #   name: "issuer"
         #   kind: "ClusterIssuer"
+        # -- Extra configuration for the admission webhook certificate. Can contain anything a cert-manager's [`CertificateSpec`](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec) can.
+        extraConfig:
+          privateKey:
+            algorithm: ECDSA
+            size: 256
   metrics:
     port: 10254
     portName: metrics