# Copyright 2023 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # The self-signed root CA certificate. # Ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: root-ca # https://cert-manager.io/docs/configuration/#cluster-resource-namespace namespace: cert-manager labels: app.kubernetes.io/component: cert-manager spec: subject: organizations: - Example LLC commonName: root-ca duration: 8760h # 365d, see https://pkg.go.dev/time#ParseDuration renewBefore: 720h # 30d dnsNames: - root-ca uris: # https://github.com/spiffe/spiffe/blob/27b59b81ba8c56885ac5d4be73b35b9b3305fd7a/standards/X509-SVID.md#32-signing-certificates - spiffe://grpc-xds.example.com # kpt-set: spiffe://${project-id}.svc.id.goog secretName: root-ca-certificate issuerRef: name: selfsigned kind: Issuer group: cert-manager.io isCA: true usages: # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage # https://cloud.google.com/certificate-authority-service/docs/certificate-profile#root-unconstrained # https://github.com/spiffe/spiffe/blob/27b59b81ba8c56885ac5d4be73b35b9b3305fd7a/standards/X509-SVID.md#43-key-usage - cert sign - crl sign privateKey: algorithm: ECDSA encoding: PKCS8 rotationPolicy: Always size: 256