# Copyright 2024 Google LLC # # Licensed under the Apache License, Version 2.0 (the "License"); # you may not use this file except in compliance with the License. # You may obtain a copy of the License at # # http://www.apache.org/licenses/LICENSE-2.0 # # Unless required by applicable law or agreed to in writing, software # distributed under the License is distributed on an "AS IS" BASIS, # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. # See the License for the specific language governing permissions and # limitations under the License. # Ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.Certificate apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: host namespace: host-certs # kpt-set: ${host-certs-namespace} labels: app.kubernetes.io/component: host-certs spec: commonName: host duration: 24h renewBefore: 8h dnsNames: - host - host.host-certs # kpt-set: host.${host-certs-namespace} uris: - spiffe://grpc-xds.example.com/ns/host-certs/sa/host # kpt-set: spiffe://${project-id}.svc.id.goog/ns/${host-certs-namespace}/sa/host secretName: host-certificate issuerRef: name: root-ca kind: ClusterIssuer group: cert-manager.io isCA: false usages: # https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.KeyUsage - digital signature - key encipherment - key agreement # https://cert-manager.io/docs/usage/certificate/#x509-key-usages-and-extended-key-usages - server auth # in case we want to run an xDS-enabled gRPC server on this pod - client auth privateKey: algorithm: ECDSA encoding: PKCS8 rotationPolicy: Always size: 256