projectcapsule · oliverbaehler · Apr 13, 2026 · Apr 7, 2026
diff --git a/charts/capsule-proxy/README.md b/charts/capsule-proxy/README.md
@@ -212,6 +212,8 @@ You can manage the certificate with the help of [cert-manager](https://cert-mana
 | certManager.generateCertificates | bool | `true` | Set if the cert manager will generate SSL certificates (self-signed or CA-signed) |
 | certManager.issuer.kind | string | `"Issuer"` | Set if the cert manager will generate either self-signed or CA signed SSL certificates. Its value will be either Issuer or ClusterIssuer |
 | certManager.issuer.name | string | `""` | Set the name of the ClusterIssuer if issuer kind is ClusterIssuer and if cert manager will generate CA signed SSL certificates |
+| certManager.secretTemplate.ca | object | `{}` | Labels and annotations added to the self-signed CA certificate secret |
+| certManager.secretTemplate.certificate | object | `{}` | Labels and annotations added to the certificate secret |
 
 ### Webhook Parameters
 

diff --git a/charts/capsule-proxy/templates/certmanager.yaml b/charts/capsule-proxy/templates/certmanager.yaml
@@ -18,6 +18,10 @@ spec:
   isCA: true
   commonName: {{ include "capsule-proxy.fullname" . }}-selfsigned-ca
   secretName: {{ include "capsule-proxy.caSecretName" . }}
+  {{- if .Values.certManager.secretTemplate.ca }}
+  secretTemplate:
+    {{- toYaml .Values.certManager.secretTemplate.ca | nindent 4 }}
+  {{- end }}
   privateKey:
     algorithm: ECDSA
     size: 256
@@ -76,6 +80,10 @@ spec:
     kind: {{ .Values.certManager.issuer.kind }}
     name: {{ include "capsule-proxy.certManager.issuerName" . }}
   secretName: {{ include "capsule-proxy.fullname" . }}
+  {{- if .Values.certManager.secretTemplate.certificate }}
+  secretTemplate:
+    {{- toYaml .Values.certManager.secretTemplate.certificate | nindent 4 }}
+  {{- end }}
   subject:
     organizations:
       - projectcapsule.dev

diff --git a/charts/capsule-proxy/values.schema.json b/charts/capsule-proxy/values.schema.json
@@ -113,6 +113,19 @@
                             "type": "string"
                         }
                     }
+                },
+                "secretTemplate": {
+                    "type": "object",
+                    "properties": {
+                        "ca": {
+                            "description": "Labels and annotations added to the self-signed CA certificate secret",
+                            "type": "object"
+                        },
+                        "certificate": {
+                            "description": "Labels and annotations added to the certificate secret",
+                            "type": "object"
+                        }
+                    }
                 }
             }
         },

diff --git a/charts/capsule-proxy/values.yaml b/charts/capsule-proxy/values.yaml
@@ -329,6 +329,21 @@ certManager:
       privateKey:
         rotationPolicy: 'Always'
       # renewBefore: '24h'
+  secretTemplate:
+    # -- Labels and annotations added to the self-signed CA certificate secret
+    ca: {}
+      # annotations:
+      #   my-secret-annotation-1: "foo"
+      #   my-secret-annotation-2: "bar"
+      # labels:
+      #   my-secret-label: foo
+    # -- Labels and annotations added to the certificate secret
+    certificate: {}
+      # annotations:
+      #   my-secret-annotation-1: "foo"
+      #   my-secret-annotation-2: "bar"
+      # labels:
+      #   my-secret-label: foo
 
 webhooks:
   # -- Enable the usage of mutating and validating webhooks