SAP · isindir · Jan 19, 2026
diff --git a/chart/templates/webhook.yaml b/chart/templates/webhook.yaml
@@ -1,6 +1,47 @@
 {{- $caCert := "" }}
 {{- if .Values.webhook.certManager.enabled }}
 {{- if not .Values.webhook.certManager.issuerName }}
+{{- if .Values.webhook.certManager.longLivedCa.enabled }}
+{{- /* Two-tier certificate chain: self-signed issuer -> CA cert -> webhook cert */ -}}
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "image-mapper.fullname" . }}-selfsigned
+  labels:
+    {{- include "image-mapper.labels" . | nindent 4 }}
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ include "image-mapper.fullname" . }}-ca
+  labels:
+    {{- include "image-mapper.labels" . | nindent 4 }}
+spec:
+  commonName: {{ include "image-mapper.fullname" . }}-ca
+  secretName: {{ include "image-mapper.fullname" . }}-ca-tls
+  duration: {{ .Values.webhook.certManager.longLivedCa.duration }}
+  {{- with .Values.webhook.certManager.longLivedCa.renewBefore }}
+  renewBefore: {{ . }}
+  {{- end }}
+  isCA: true
+  issuerRef:
+    name: {{ include "image-mapper.fullname" . }}-selfsigned
+    kind: Issuer
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ include "image-mapper.fullname" . }}-ca
+  labels:
+    {{- include "image-mapper.labels" . | nindent 4 }}
+spec:
+  ca:
+    secretName: {{ include "image-mapper.fullname" . }}-ca-tls
+{{- else }}
+{{- /* Single-tier certificate chain (backwards compatible): self-signed issuer -> webhook cert */ -}}
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
@@ -11,6 +52,7 @@ metadata:
 spec:
   selfSigned: {}
 {{- end }}
+{{- end }}
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
@@ -33,10 +75,27 @@ spec:
     kind: {{ . }}
     {{- end }}
     name: {{ .Values.webhook.certManager.issuerName }}
+    {{- else if .Values.webhook.certManager.longLivedCa.enabled }}
+    name: {{ include "image-mapper.fullname" . }}-ca
+    kind: Issuer
     {{- else }}
     name: {{ include "image-mapper.fullname" . }}
+    kind: Issuer
     {{- end }}
   secretName: {{ include "image-mapper.fullname" . }}-tls-managed
+  {{/* TODO: uncomment this, once labels and annotations PR #25 is merged
+  {{- if or (and .Values.secretLabels (keys .Values.secretLabels)) (and .Values.secretAnnotations (keys .Values.secretAnnotations)) }}
+  secretTemplate:
+    {{- with .Values.secretAnnotations }}
+    annotations:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+    {{- with .Values.secretLabels }}
+    labels:
+      {{- toYaml . | nindent 6 }}
+    {{- end }}
+  {{- end }}
+  */}}
 {{- else }}
 ---
 apiVersion: v1
@@ -45,6 +104,15 @@ metadata:
   name: {{ include "image-mapper.fullname" . }}-tls
   labels:
     {{- include "image-mapper.labels" . | nindent 4 }}
+  {{/* TODO: uncomment this, once labels and annotations PR #25 is merged
+    {{- with .Values.secretLabels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+  {{- with .Values.secretAnnotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  */}}
 type: Opaque
 data:
   {{- $data := (lookup "v1" "Secret" .Release.Namespace (printf "%s-tls" (include "image-mapper.fullname" .))).data }}

diff --git a/chart/values.yaml b/chart/values.yaml
@@ -73,6 +73,16 @@ webhook:
     issuerKind: ""
     # -- Issuer name (only relevant if enabled is true; if unset, a self-signed issuer is used)
     issuerName: ""
+    # -- Enable long-lived CA certificate chain (only relevant if enabled is true and issuerName is empty)
+    # -- When enabled, creates a two-tier certificate chain: self-signed CA -> webhook certificate
+    # -- This prevents webhook pod restarts on certificate renewal since the CA remains stable
+    longLivedCa:
+      # -- Whether to use a long-lived CA certificate
+      enabled: false
+      # -- Duration of the CA certificate (default: 87600h = 10 years)
+      duration: "87600h0m0s"
+      # -- Renewal time for CA certificate (default: 720h = 1 month before expiry)
+      renewBefore: "720h0m0s"
   objectSelector:
     # -- Object selector matchLabels, used by webhook
     matchLabels: {}