diff --git a/.prettierrc.yaml b/.prettierrc.yaml new file mode 100644 index 0000000..ead7a6d --- /dev/null +++ b/.prettierrc.yaml @@ -0,0 +1,4 @@ +# Since our schema.yaml is quite big, we want to use a good linter: +# npm i -g prettier +# prettier --write schema.yaml +printWidth: 9999 diff --git a/README.md b/README.md index 5510272..53e7159 100644 --- a/README.md +++ b/README.md 
@@ -1,66 +1,161 @@ # jsp-gcm -======= -# deployer +**Content:** -## Update upstream cert-manager chart version +- [Installing and manually testing the deployer](#installing-and-manually-testing-the-deployer) +- [Testing and releasing the deployer using Google Cloud Build](#testing-and-releasing-the-deployer-using-google-cloud-build) +- [Updating the upstream cert-manager chart version](#updating-the-upstream-cert-manager-chart-version) -From -[building-deployer-helm.md](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/building-deployer-helm.md), -bump the version of the cert-manager chart in requirements.yaml. Then: +## Installing and manually testing the deployer + +In order to have the google-cas-issuer working, we need to enable [workload +identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity). +Let's create a cluster that has the workload identity enabled: ```sh -helm repo add jetstack https://charts.jetstack.io -helm dependency build chart/jetstacksecure-mp +gcloud container clusters create foo --region us-east1 --num-nodes=1 --preemptible \ + --workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog ``` -======= -## Test +Re-publish the images to the project: ```sh export REGISTRY=gcr.io/$(gcloud config get-value project | tr ':' '/') export APP_NAME=jetstack-secure - docker pull quay.io/jetstack/cert-manager-controller:v1.1.0 docker pull quay.io/jetstack/cert-manager-cainjector:v1.1.0 docker pull quay.io/jetstack/cert-manager-webhook:v1.1.0 -docker tag quay.io/jetstack/cert-manager-controller:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-controller:v1.1.0 -docker tag quay.io/jetstack/cert-manager-cainjector:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-cainjector:v1.1.0 -docker tag quay.io/jetstack/cert-manager-webhook:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-webhook:v1.1.0 -docker push $REGISTRY/$APP_NAME/cert-manager-controller:v1.1.0 -docker push 
$REGISTRY/$APP_NAME/cert-manager-cainjector:v1.1.0 -docker push $REGISTRY/$APP_NAME/cert-manager-webhook:v1.1.0 +docker pull quay.io/jetstack/cert-manager-google-cas-issuer:0.1.0 +docker tag quay.io/jetstack/cert-manager-controller:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-controller:1.1.0 +docker tag quay.io/jetstack/cert-manager-cainjector:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-cainjector:1.1.0 +docker tag quay.io/jetstack/cert-manager-webhook:v1.1.0 $REGISTRY/$APP_NAME/cert-manager-webhook:1.1.0 +docker tag quay.io/jetstack/cert-manager-google-cas-issuer:latest $REGISTRY/$APP_NAME/cert-manager-google-cas-issuer:0.1.0 +docker push $REGISTRY/$APP_NAME/cert-manager-controller:1.1.0 +docker push $REGISTRY/$APP_NAME/cert-manager-cainjector:1.1.0 +docker push $REGISTRY/$APP_NAME/cert-manager-webhook:1.1.0 +docker push $REGISTRY/$APP_NAME/cert-manager-google-cas-issuer:0.1.0 +``` +> Note: although cert-manager's tags are of the form "v1.1.0", we chose to +> use tags of the form "1.1.0" for the Google Marketplace for the sake of +> consistency. -# Install mpdev: -docker run gcr.io/cloud-marketplace-tools/k8s/dev cat /scripts/dev > /tmp/mpdev && install /tmp/mpdev ~/bin +Then, build and push the deployer image: -kubectl create namespace test +```sh docker build --tag $REGISTRY/$APP_NAME/deployer . 
docker push $REGISTRY/$APP_NAME/deployer -mpdev install --deployer=$REGISTRY/$APP_NAME/deployer --parameters='{"name": "test", "namespace": "test"}' ``` -## Google Cloud Build +Finally, use `mpdev` to install jetstack-secure to the `test-ns` namespace: + +```sh +# If you don't have it already, install mpdev: +docker run gcr.io/cloud-marketplace-tools/k8s/dev cat /scripts/dev > /tmp/mpdev && install /tmp/mpdev ~/bin + +kubectl create ns test-ns +kubectl apply -f https://raw.githubusercontent.com/GoogleCloudPlatform/marketplace-k8s-app-tools/master/crd/app-crd.yaml +mpdev install --deployer=$REGISTRY/$APP_NAME/deployer --parameters='{"name": "test-ns", "namespace": "test"}' +``` + +Now, we need to have access to a CAS root. To create a "root" certificate +authority as well as an intermediate certificate authority ("subordinate") +in your current Google project, run: + +```sh +gcloud config set privateca/location us-east1 +gcloud beta privateca roots create my-ca --subject="CN=root,O=my-ca" +gcloud beta privateca subordinates create my-sub-ca --issuer=my-ca --location us-east1 --subject="CN=intermediate,O=my-ca,OU=my-sub-ca" +``` + +> It is recommended to create subordinate CAs for signing leaf +> certificates. See the [official +> documentation](https://cloud.google.com/certificate-authority-service/docs/creating-certificate-authorities). -You can deploy the Google Market Place images and the deployer to -`gcr.io//cert-manager` using `gcloud builds` as follows: +At this point, the Kubernetes service account created by `mpdev` still does +not have sufficient privileges in order to access the Google CAS API. We +have to "bind" the Kubernetes service account with a new GCP service +account that will have access to the CAS API. 
```sh -export GKE_CLUSTER_NAME=foo -export GKE_CLUSTER_LOCATION=us-east1 -gcloud container clusters create $GKE_CLUSTER_NAME --region $GKE_CLUSTER_LOCATION --num-nodes=1 --preemptible +gcloud iam service-accounts create sa-google-cas-issuer +gcloud beta privateca subordinates add-iam-policy-binding my-sub-ca \ + --role=roles/privateca.certificateRequester \ + --member=serviceAccount:sa-google-cas-issuer@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com +gcloud iam service-accounts add-iam-policy-binding sa-google-cas-issuer@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:$(gcloud config get-value project | tr ':' '/').svc.id.goog[test-ns/test-google-cas-issuer-serviceaccount-name]" +kubectl annotate serviceaccount -n test-ns test-google-cas-issuer-serviceaccount-name \ + iam.gke.io/gcp-service-account=sa-google-cas-issuer@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com +``` -gcloud builds submit --timeout 1800s --config cloudbuild.yaml \ - --substitutions _CLUSTER_NAME=$GKE_CLUSTER_NAME,_CLUSTER_LOCATION=$GKE_CLUSTER_LOCATION +You can now create an issuer and a certificate: + +```sh +cat < Permissions for +1. You need a GKE cluster with + [workload-identity](https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity) + enabled. You can either update your existing cluster or create a new + cluster with workload identity enabled with this command: + + ```sh + export GKE_CLUSTER_NAME=foo + export GKE_CLUSTER_LOCATION=us-east1 + gcloud container clusters create $GKE_CLUSTER_NAME --region $GKE_CLUSTER_LOCATION --num-nodes=1 --preemptible \ + --workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog + ``` + +2. 
Go to [IAM and Admin > Permissions for project](https://console.cloud.google.com/iam-admin/iam) and configure the `0123456789@cloudbuild.gserviceaccount.com` service account with the following roles so that it has permission to deploy RBAC configuration @@ -68,9 +163,30 @@ Requirements before running `gcloud builds`: - `Cloud Build Service Agent` - `Kubernetes Engine Admin` - `Storage Object Admin` -2. Create a bucket that has the same name as your project. To create it, + +3. Create a bucket that has the same name as your project. To create it, run: ```sh gsutil mb gs://$(gcloud config get-value project | tr ':' '/') ``` + +Then, you can trigger a build: + +```sh +gcloud builds submit --timeout 1800s --config cloudbuild.yaml \ + --substitutions _CLUSTER_NAME=$GKE_CLUSTER_NAME,_CLUSTER_LOCATION=$GKE_CLUSTER_LOCATION +``` + +This will also verify the application using the [Google Cloud Marketplace verification tool](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/c5899a928a2ac8d5022463c82823284a9e63b177/scripts/verify). + +## Updating the upstream cert-manager chart version + +From +[building-deployer-helm.md](https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/building-deployer-helm.md), +bump the version of the cert-manager chart in requirements.yaml. Then: + +```sh +helm repo add jetstack https://charts.jetstack.io +helm dependency build chart/jetstacksecure-mp +``` diff --git a/chart/jetstacksecure-mp/Chart.yaml b/chart/jetstacksecure-mp/Chart.yaml index 2fde0f5..7d1d424 100644 --- a/chart/jetstacksecure-mp/Chart.yaml +++ b/chart/jetstacksecure-mp/Chart.yaml @@ -1,4 +1,12 @@ apiVersion: v2 engine: gotpl name: jetstacksecure-mp -version: 1.1.0 +version: 1.0.0 +dependencies: + - name: cert-manager + version: 1.1.0 + appVersion: v1.1.0 + repository: https://charts.jetstack.io + - name: google-cas-issuer + appVersion: 0.1.0 + repository: ./charts/google-cas-issuer 
diff --git a/chart/jetstacksecure-mp/charts/google-cas-issuer/Chart.yaml b/chart/jetstacksecure-mp/charts/google-cas-issuer/Chart.yaml new file mode 100644 index 0000000..72e5f82 --- /dev/null +++ b/chart/jetstacksecure-mp/charts/google-cas-issuer/Chart.yaml @@ -0,0 +1,17 @@ +apiVersion: "v2" +name: "google-cas-issuer" +version: "1.0.0" +kubeVersion: ">= 1.16.0" +description: "Install the cert-manager Google CAS issuer" +type: "application" +keywords: + - "google-cas" + - "google-private-ca" +home: "https://github.com/jetstack/google-cas-issuer" +sources: + - "https://github.com/jetstack/google-cas-issuer" +maintainers: + - name: "Jetstack Ltd" + email: "hello@jetstack.io" + url: "https://www.jetstack.io/" +appVersion: "0.1.0" \ No newline at end of file diff --git a/chart/jetstacksecure-mp/charts/google-cas-issuer/templates/NOTES.txt b/chart/jetstacksecure-mp/charts/google-cas-issuer/templates/NOTES.txt new file mode 100644 index 0000000..4fa8018 --- /dev/null +++ b/chart/jetstacksecure-mp/charts/google-cas-issuer/templates/NOTES.txt 
@@ -0,0 +1,61 @@ +The Google CAS issuer for cert-manager is now installed. + +To finish the installation, please follow these steps: + + +1. Make sure your cluster has the "workload identity" feature turned on. If\ + you are not sure, you can try enabling it with: + + gcloud container clusters update CLUSTER_NAME --workload-pool=$(gcloud config get-value project | tr ':' '/').svc.id.goog + +2. Make sure to have a Google CAS root or subordinate CA created. For example, + you can create one with: + + gcloud config set privateca/location us-east1 + gcloud beta privateca roots create my-ca --subject="CN=my-ca,O=my-org" + +3. Create a GCP service account and bind it to the Kubernetes service account + that was deployed in this Helm release: + + gcloud iam service-accounts create sa-google-cas-issuer + gcloud beta privateca subordinates add-iam-policy-binding my-ca \ + --role=roles/privateca.certificateRequester \ + --member=serviceAccount:sa-google-cas-issuer@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com + gcloud iam service-accounts add-iam-policy-binding sa-google-cas-issuer@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com \ + --role roles/iam.workloadIdentityUser \ + --member "serviceAccount:$(gcloud config get-value project | tr ':' '/').svc.id.goog[{{ .Release.Namespace }}/{{ .Values.serviceAccount.name }}]" + kubectl annotate serviceaccount -n {{ .Release.Namespace }} {{ .Values.serviceAccount.name }} \ + iam.gke.io/gcp-service-account=sa-google-cas-issuer@$(gcloud config get-value project | tr ':' '/').iam.gserviceaccount.com + +4. Finally, you can create your GoogleCASIssuer and a Certificate: + + cat < "/workspace/cmpt" - chmod +x /workspace/cmpt + cat /scripts/dev > "/workspace/mpdev" + chmod +x /workspace/mpdev waitFor: ["-"] - id: check-cloud-marketplace-tools 
@@ -140,7 +166,7 @@ steps: # https://cloud.google.com/cloud-build/docs/overview#build_configuration_and_build_steps - "EXTRA_DOCKER_PARAMS=--net cloudbuild" args: - - ./cmpt + - ./mpdev - doctor waitFor: - gcloud-credentials @@ -156,15 +182,16 @@ steps: # https://cloud.google.com/cloud-build/docs/overview#build_configuration_and_build_steps - "EXTRA_DOCKER_PARAMS=--net cloudbuild" args: - - ./cmpt + - ./mpdev - verify - - --deployer=gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION} + - --deployer=gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_APP_VERSION} waitFor: - check-cloud-marketplace-tools - push-deployer - push-controller - push-cainjector - push-webhook + - push-cas-issuer - id: publish name: gcr.io/cloud-marketplace-tools/k8s/dev @@ -173,15 +200,16 @@ steps: - "GCLOUD_CONFIG=/workspace/.config/gcloud" - "EXTRA_DOCKER_PARAMS=--net cloudbuild" args: - - ./cmpt + - ./mpdev - publish - --gcs_repo=gs://$PROJECT_ID - - --deployer_image=gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION} + - --deployer_image=gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_APP_VERSION} waitFor: - verify images: - - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-controller:${_CERT_MANAGER_VERSION} - - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-cainjector:${_CERT_MANAGER_VERSION} - - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-webhook:${_CERT_MANAGER_VERSION} - - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_CERT_MANAGER_VERSION} + - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-controller:${_APP_VERSION} + - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-cainjector:${_APP_VERSION} + - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-webhook:${_APP_VERSION} + - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/cert-manager-google-cas-issuer:${_APP_VERSION} + - gcr.io/$PROJECT_ID/${_SOLUTION_NAME}/deployer:${_APP_VERSION} diff --git a/schema.yaml b/schema.yaml index 6f639f6..4742674 100644 --- a/schema.yaml +++ b/schema.yaml 
@@ -8,7 +8,7 @@ x-google-marketplace: # The release version is required in the schema and MUST match the # release tag on the the deployer. - publishedVersion: "1.1.0" + publishedVersion: "1.0.0" publishedVersionMetadata: releaseNote: >- Initial release. @@ -33,15 +33,23 @@ x-google-marketplace: cert-manager.image.tag: type: TAG cert-manager-webhook: - cert-manager.webhook.image.repository: - type: REPO_WITH_REGISTRY - cert-manager.webhook.image.tag: - type: TAG + properties: + cert-manager.webhook.image.repository: + type: REPO_WITH_REGISTRY + cert-manager.webhook.image.tag: + type: TAG cert-manager-cainjector: - cert-manager.cainjector.image.repository: - type: REPO_WITH_REGISTRY - cert-manager.cainjector.image.tag: - type: TAG + properties: + cert-manager.cainjector.image.repository: + type: REPO_WITH_REGISTRY + cert-manager.cainjector.image.tag: + type: TAG + cert-manager-google-cas-issuer: + properties: + google-cas-issuer.image.repository: + type: REPO_WITH_REGISTRY + google-cas-issuer.image.tag: + type: TAG # Allow the deployer to create CRDs and webhook configurations # See https://github.com/GoogleCloudPlatform/marketplace-k8s-app-tools/blob/master/docs/schema.md#deployerserviceaccount @@ -50,15 +58,15 @@ x-google-marketplace: description: > Creates app resources, including the MyAppCustomResource CRD. roles: - - type: ClusterRole - rulesType: CUSTOM - rules: - - apiGroups: ['apiextensions.k8s.io'] - resources: ['customresourcedefinitions'] - verbs: ['*'] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["*"] - verbs: ["*"] + - type: ClusterRole + rulesType: CUSTOM + rules: + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["*"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["*"] + verbs: ["*"] # Other fields, like clusterConstraints, can be included here. 
@@ -79,123 +87,124 @@ properties: serviceAccount: description: Service account used by cert-manager Controller Deployment roles: - - type: ClusterRole - rulesType: CUSTOM - rules: - # Issuer controller role - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "issuers/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["issuers"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # ClusterIssuer controller role - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "clusterissuers/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # Certificates controller role - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] - verbs: ["update"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates/finalizers", "certificaterequests/finalizers"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders"] - verbs: ["create", "delete", "get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch", "create", "update", "delete"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # Orders controller role - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders", "orders/status"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - 
resources: ["orders", "challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["cert-manager.io"] - resources: ["clusterissuers", "issuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["create", "delete"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["orders/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - # Challenges controller role - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges", "challenges/status"] - verbs: ["update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges"] - verbs: ["get", "list", "watch"] - - apiGroups: ["cert-manager.io"] - resources: ["issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", "patch"] - - apiGroups: [""] - resources: ["pods", "services"] - verbs: ["get", "list", "watch", "create", "delete"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch", "create", "delete", "update"] - - apiGroups: ["acme.cert-manager.io"] - resources: ["challenges/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - # ingress-shim controller role - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests"] - verbs: ["create", "update", "delete"] - - apiGroups: ["cert-manager.io"] - resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions"] - resources: ["ingresses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["extensions"] - resources: ["ingresses/finalizers"] - verbs: ["update"] - - apiGroups: [""] - resources: ["events"] - verbs: ["create", 
"patch"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "update", "patch"] + - type: ClusterRole + rulesType: CUSTOM + rules: + # Issuer controller role + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # ClusterIssuer controller role + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # Certificates controller role + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # Orders controller role + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", 
"challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # Challenges controller role + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # ingress-shim controller role + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + - apiGroups: ["extensions"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + - apiGroups: 
[""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] + cert-manager.webhook.serviceAccount.name: type: string x-google-marketplace: @@ -203,14 +212,13 @@ properties: serviceAccount: description: Service account used by cert-manager Webhook Deployment roles: - - type: Role - rulesType: CUSTOM - rules: - - apiGroups: [""] - resources: - - secrets - verbs: - - get, list, update, patch, create + - type: Role + rulesType: CUSTOM + rules: + - apiGroups: [""] + resources: [secrets] + verbs: [get, list, update, patch, create] + cert-manager.cainjector.serviceAccount.name: type: string x-google-marketplace: 
@@ -218,31 +226,82 @@ properties: serviceAccount: description: Service account used by cert-manager CA Injector Deployment roles: - - type: ClusterRole - rulesType: CUSTOM - rules: - - apiGroups: ["cert-manager.io"] - resources: ["certificates"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["secrets"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["get", "create", "update", "patch"] - - apiGroups: ["admissionregistration.k8s.io"] - resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiregistration.k8s.io"] - resources: ["apiservices"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["apiextensions.k8s.io"] - resources: ["customresourcedefinitions"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: [""] - resources: ["configmaps"] - verbs: ["get", "create", "update", "patch"] + - type: ClusterRole + rulesType: CUSTOM + rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: [""] + resources: ["configmaps"] + verbs: ["get", "create", "update", "patch"] + + google-cas-issuer.serviceAccount.name: + type: string + x-google-marketplace: + type: SERVICE_ACCOUNT + serviceAccount: + description: Service account used by google-cas-issuer + roles: + - type: Role + 
rulesType: CUSTOM + rules: + # Leader election roles. + - apiGroups: [""] + resources: [configmaps] + verbs: [get, list, watch, create, update, patch, delete] + - apiGroups: [""] + resources: [configmaps/status] + verbs: [get, update, patch] + - apiGroups: [""] + resources: [events] + verbs: [create] + - apiGroups: [coordination.k8s.io] + resources: [leases] + verbs: [create, get, list, update] + - type: ClusterRole + rulesType: CUSTOM + rules: + - apiGroups: [""] + resources: [events] + verbs: [create, patch] + - apiGroups: [""] + resources: [secrets] + verbs: [get, list, watch] + - apiGroups: [cas-issuer.jetstack.io] + resources: [googlecasclusterissuers] + verbs: [create, delete, get, list, patch, update, watch] + - apiGroups: [cas-issuer.jetstack.io] + resources: [googlecasclusterissuers/status] + verbs: [get, patch, update] + - apiGroups: [cas-issuer.jetstack.io] + resources: [googlecasissuers] + verbs: [create, delete, get, list, patch, update, watch] + - apiGroups: [cas-issuer.jetstack.io] + resources: [googlecasissuers/status] + verbs: [get, patch, update] + - apiGroups: [cert-manager.io] + resources: [certificaterequests] + verbs: [get, list, update, watch] + - apiGroups: [cert-manager.io] + resources: [certificaterequests/status] + verbs: [get, patch, update] required: -- name -- namespace + - name + - namespace
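Review bot: the comment in the new `.prettierrc.yaml` calls prettier a "linter", but it is a formatter, and `printWidth: 9999` only stops it from wrapping long flow sequences; it validates nothing about `schema.yaml`. Reword the comment (for example "we use prettier to keep schema.yaml consistently formatted") so nobody mistakes it for the schema check, which remains the `mpdev verify` step in cloudbuild.yaml.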
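Review bot: in the README install section the `mpdev install` parameters look swapped: `--parameters='{"name": "test-ns", "namespace": "test"}'` follows `kubectl create ns test-ns`, and the later workload identity member is `...svc.id.goog[test-ns/test-google-cas-issuer-serviceaccount-name]`, so the namespace is `test-ns` and the release name is `test`; the JSON should read `{"name": "test", "namespace": "test-ns"}`. Two smaller points in the same hunk: the issuer image is pulled as `cert-manager-google-cas-issuer:0.1.0` but tagged from `cert-manager-google-cas-issuer:latest`, which was never pulled, so the tag line should use `:0.1.0`; and `docker build --tag $REGISTRY/$APP_NAME/deployer .` pushes an untagged deployer while the schema comment says `publishedVersion` MUST match the deployer's release tag, so tag it `:1.0.0` to mirror what cloudbuild verifies.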
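Review bot: in `chart/jetstacksecure-mp/Chart.yaml` the new `google-cas-issuer` dependency has `appVersion: 0.1.0` but no `version`; `appVersion` is not a field of a `dependencies` entry, and `version` is the field Helm resolves against, so replace it with `version: 1.0.0` (the value the subchart's own Chart.yaml declares). Also `repository: ./charts/google-cas-issuer` is not a repository URL; Helm expects `file://` for local paths, and a chart already vendored under `charts/` needs no `dependencies` entry at all for `helm dependency build` to include it. Finally, the top-level `version` moves from 1.1.0 down to 1.0.0 to line up with `publishedVersion: "1.0.0"` in schema.yaml; that is worth a sentence in the commit message since a downward bump looks like a mistake at first glance.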
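Review bot: in the new `NOTES.txt`, step 2 creates `my-ca` with `gcloud beta privateca roots create my-ca`, but step 3 binds the role with `gcloud beta privateca subordinates add-iam-policy-binding my-ca`, which targets the wrong resource type and will not find the CA. Either use `roots add-iam-policy-binding my-ca` or follow the README and create `my-sub-ca` as a subordinate first, which is also the safer pattern the README itself recommends for signing leaf certificates. Also, the stray backslash in "turned on. If\" is rendered literally in Helm notes; drop it.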
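Review bot: in the cloudbuild.yaml `images:` hunk, switching every tag from `${_CERT_MANAGER_VERSION}` to `${_APP_VERSION}` means the cert-manager controller, cainjector and webhook images are now pushed under the app version rather than the upstream `v1.1.0`, which is what the Marketplace tooling expects (all images share the deployer's tag), but the README in this same change still pushes them as `cert-manager-controller:1.1.0` and friends. Update the README's manual tags to match, or state in the README which tag scheme is authoritative, so the manual and Cloud Build paths do not diverge. The `verify` step correctly gained `push-cas-issuer` in `waitFor`, and `publish` inherits it through `verify`.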
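Review bot: in the schema.yaml `images` hunk, adding the `properties:` level under `cert-manager-webhook` and `cert-manager-cainjector` is a behaviour fix, not reformatting: before this change the `repository`/`tag` keys sat directly under the image name, so the deployer could not have substituted them. Call this out in the PR description, and ideally land it separately from the prettier reindent of the role blocks below it, which is whitespace and quote-style only and makes the functional lines hard to spot in review.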
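Review bot: in the webhook `serviceAccount` hunk the old form `verbs: - get, list, update, patch, create` was a single list item containing commas, i.e. one bogus verb string rather than five verbs, so the Role never granted what it appeared to grant; the new `verbs: [get, list, update, patch, create]` is the real fix. Mention it in the commit message so it is not mistaken for a prettier cosmetic change.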
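Review bot: in the new `google-cas-issuer.serviceAccount.name` block, the ClusterRole grants `secrets` get/list/watch across every namespace. That is needed only because `googlecasclusterissuers` are in scope and a cluster issuer may reference a credentials secret in any namespace; if that is the intent, add a comment saying so next to the rule, since a reviewer reading the namespaced `GoogleCASIssuer` case alone would expect the secrets rule to live in the Role. In the Role, the leader-election rule on `configmaps` includes `delete`, which leader election does not use (it needs get, create, update, patch); drop `delete` unless the controller actually removes configmaps.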