{{ if .Values.linkerd.enabled }} --- apiVersion: v1 kind: Namespace metadata: labels: linkerd.io/control-plane-ns: linkerd linkerd.io/is-control-plane: 'true' config.linkerd.io/admission-webhooks: disabled annotations: linkerd.io/inject: disabled argocd.argoproj.io/sync-wave: "-1" name: linkerd --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: linkerd-trust-anchor namespace: linkerd spec: ca: secretName: linkerd-trust-anchor --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: linkerd-identity-issuer namespace: linkerd spec: revisionHistoryLimit: 5 secretName: linkerd-identity-issuer duration: 48h0m0s renewBefore: 25h0m0s issuerRef: name: linkerd-trust-anchor kind: Issuer dnsNames: - identity.linkerd.cluster.local isCA: true privateKey: algorithm: ECDSA usages: - cert sign - crl sign - server auth - client auth --- apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: webhook-issuer namespace: linkerd spec: ca: secretName: webhook-issuer-tls --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: linkerd-policy-validator namespace: linkerd spec: revisionHistoryLimit: 5 secretName: linkerd-policy-validator-k8s-tls duration: 24h0m0s renewBefore: 1h0m0s issuerRef: name: webhook-issuer kind: Issuer commonName: linkerd-policy-validator.linkerd.svc dnsNames: - linkerd-policy-validator.linkerd.svc privateKey: algorithm: ECDSA encoding: PKCS8 usages: - server auth --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: linkerd-proxy-injector namespace: linkerd spec: revisionHistoryLimit: 5 secretName: linkerd-proxy-injector-k8s-tls duration: 24h0m0s renewBefore: 1h0m0s issuerRef: name: webhook-issuer kind: Issuer commonName: linkerd-proxy-injector.linkerd.svc dnsNames: - linkerd-proxy-injector.linkerd.svc privateKey: algorithm: ECDSA usages: - server auth --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: linkerd-sp-validator namespace: linkerd spec: revisionHistoryLimit: 5 secretName: linkerd-sp-validator-k8s-tls duration: 24h0m0s renewBefore: 1h0m0s issuerRef: name: webhook-issuer kind: Issuer commonName: linkerd-sp-validator.linkerd.svc dnsNames: - linkerd-sp-validator.linkerd.svc privateKey: algorithm: ECDSA usages: - server auth --- {{ if .Values.linkerd.viz.enabled }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: webhook-issuer namespace: linkerd-viz spec: ca: secretName: webhook-issuer-tls # ignore if not using the viz extension apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: tap namespace: linkerd-viz spec: revisionHistoryLimit: 5 secretName: tap-k8s-tls duration: 24h0m0s renewBefore: 1h0m0s issuerRef: name: webhook-issuer kind: Issuer commonName: tap.linkerd-viz.svc dnsNames: - tap.linkerd-viz.svc isCA: false privateKey: algorithm: ECDSA usages: - server auth --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: linkerd-tap-injector namespace: linkerd-viz spec: revisionHistoryLimit: 5 secretName: tap-injector-k8s-tls duration: 24h0m0s renewBefore: 1h0m0s issuerRef: name: webhook-issuer kind: Issuer commonName: tap-injector.linkerd-viz.svc dnsNames: - tap-injector.linkerd-viz.svc privateKey: algorithm: ECDSA usages: - server auth --- {{ end }} {{ if .Values.linkerd.jaeger.enabled }} apiVersion: cert-manager.io/v1 kind: Issuer metadata: name: webhook-issuer namespace: linkerd-jaeger spec: ca: secretName: webhook-issuer-tls --- apiVersion: cert-manager.io/v1 kind: Certificate metadata: name: jaeger-injector namespace: linkerd-jaeger spec: revisionHistoryLimit: 5 secretName: jaeger-injector-k8s-tls duration: 24h0m0s renewBefore: 1h0m0s issuerRef: name: webhook-issuer kind: Issuer commonName: jaeger-injector.linkerd-jaeger.svc dnsNames: - jaeger-injector.linkerd-jaeger.svc privateKey: algorithm: ECDSA usages: - server auth {{ end }} {{ end }}