---
# CronJob that periodically runs cilium-certgen in kube-system to (re)issue
# the TLS certificates listed in CILIUM_CERTGEN_CONFIG below.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hubble-generate-certs
  namespace: kube-system
  labels:
    k8s-app: hubble-generate-certs
    app.kubernetes.io/name: hubble-generate-certs
    app.kubernetes.io/part-of: cilium
spec:
  # 00:00 on day 1 of every 4th month. The certificates below are issued with
  # validity 8760h (365 days), so each scheduled run happens well inside the
  # lifetime of the previously issued certificate.
  schedule: "0 0 1 */4 *"
  successfulJobsHistoryLimit: 3
  failedJobsHistoryLimit: 1
  # A new run is skipped while the previous one is still active.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            k8s-app: hubble-generate-certs
        spec:
          # Pod-level seccomp: the container runtime's default syscall filter.
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: certgen
              # Tag plus sha256 digest: the digest fixes the exact image
              # content, so moving the tag upstream does not change what runs.
              image: "quay.io/cilium/certgen:v0.3.2@sha256:19921f48ee7e2295ea4dca955878a6cd8d70e6d4219d08f688e866ece9d95d4d"
              imagePullPolicy: IfNotPresent
              # All Linux capabilities dropped and privilege escalation
              # disabled.
              # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not
              # set here - confirm whether the image supports them before
              # adding.
              securityContext:
                capabilities:
                  drop:
                    - ALL
                allowPrivilegeEscalation: false
              command:
                - "/usr/bin/cilium-certgen"
              # CA handling: the CA is kept in Secret kube-system/cilium-ca.
              # Presumably --ca-reuse-secret makes certgen reuse an existing CA
              # there instead of replacing it on every run - confirm against
              # the certgen documentation. Read access to that Secret should be
              # treated as the ability to sign certificates under this CA.
              args:
                - "--ca-generate=true"
                - "--ca-reuse-secret"
                - "--ca-secret-namespace=kube-system"
                - "--ca-secret-name=cilium-ca"
                - "--ca-common-name=Cilium CA"
              env:
                # Inline certgen configuration (a string, parsed by certgen).
                # Two certificates, both written to kube-system:
                #   hubble-server-certs       - wildcard host, usage includes
                #                               server auth and client auth
                #   hubble-relay-client-certs - wildcard host, client auth
                #                               only
                - name: CILIUM_CERTGEN_CONFIG
                  value: |
                    certs:
                    - name: hubble-server-certs
                      namespace: kube-system
                      commonName: "*.default.hubble-grpc.cilium.io"
                      hosts:
                      - "*.default.hubble-grpc.cilium.io"
                      usage:
                      - signing
                      - key encipherment
                      - server auth
                      - client auth
                      validity: 8760h
                    - name: hubble-relay-client-certs
                      namespace: kube-system
                      commonName: "*.hubble-relay.cilium.io"
                      hosts:
                      - "*.hubble-relay.cilium.io"
                      usage:
                      - signing
                      - key encipherment
                      - client auth
                      validity: 8760h
          hostNetwork: false  # pod uses its own network namespace
          # The ServiceAccount token is mounted into the pod. Presumably
          # certgen uses it to read and write the Secrets named above; the
          # RBAC bound to this account is not shown here.
          # NOTE(review): verify that it is limited to those Secrets in
          # kube-system.
          serviceAccountName: "hubble-generate-certs"
          automountServiceAccountToken: true
          restartPolicy: OnFailure