@jseiser
Created June 20, 2025 15:47
# Self-signed Issuer used only to bootstrap the webhook trust anchor below.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: linkerd-webhook-trust-root-issuer
  namespace: cert-manager
spec:
  selfSigned: {}
---
# CA certificate (trust anchor) for the Linkerd webhooks.
# Its key pair is written to the linkerd-webhook-issuer-tls secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-webhook-trust-anchor
  namespace: cert-manager
spec:
  issuerRef:
    kind: Issuer
    name: linkerd-webhook-trust-root-issuer
  secretName: linkerd-webhook-issuer-tls
  isCA: true
  commonName: webhook.linkerd.cluster.local
  dnsNames:
    - webhook.linkerd.cluster.local
  duration: 87660h # 10 years
  renewBefore: 4380h # 6 months
  privateKey:
    rotationPolicy: Always
    algorithm: ECDSA
---
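# ClusterIssuer that signs the webhook serving certificates with the CA above.
# The CA secret is read from cert-manager's cluster resource namespace
# (cert-manager by default).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: linkerd-webhook-issuer
  namespace: cert-manager
spec:
  ca:
    secretName: linkerd-webhook-issuer-tls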
---
# Short-lived (72h) serving certificate for the linkerd-policy-validator webhook.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-policy-validator
  namespace: linkerd
spec:
  secretName: linkerd-policy-validator-k8s-tls
  duration: 72h
  renewBefore: 24h
  issuerRef:
    name: linkerd-webhook-issuer
    kind: ClusterIssuer
  commonName: linkerd-policy-validator.linkerd.svc
  dnsNames:
    - linkerd-policy-validator.linkerd.svc
  isCA: false
  privateKey:
    algorithm: ECDSA
    encoding: PKCS8
  usages:
    - server auth
---
# Short-lived (72h) serving certificate for the linkerd-proxy-injector webhook.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-proxy-injector
  namespace: linkerd
spec:
  secretName: linkerd-proxy-injector-k8s-tls
  duration: 72h
  renewBefore: 24h
  issuerRef:
    name: linkerd-webhook-issuer
    kind: ClusterIssuer
  commonName: linkerd-proxy-injector.linkerd.svc
  dnsNames:
    - linkerd-proxy-injector.linkerd.svc
  isCA: false
  privateKey:
    algorithm: ECDSA
  usages:
    - server auth
---
# Short-lived (72h) serving certificate for the linkerd-sp-validator webhook.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: linkerd-sp-validator
  namespace: linkerd
spec:
  secretName: linkerd-sp-validator-k8s-tls
  duration: 72h
  renewBefore: 24h
  issuerRef:
    name: linkerd-webhook-issuer
    kind: ClusterIssuer
  commonName: linkerd-sp-validator.linkerd.svc
  dnsNames:
    - linkerd-sp-validator.linkerd.svc
  isCA: false
  privateKey:
    algorithm: ECDSA
  usages:
    - server auth