# CronJob that runs cilium-certgen on a schedule to (re)issue the Hubble TLS
# certificates listed in CILIUM_CERTGEN_CONFIG below.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: hubble-generate-certs
  namespace: kube-system
  labels:
    k8s-app: hubble-generate-certs
    app.kubernetes.io/name: hubble-generate-certs
    app.kubernetes.io/part-of: cilium
spec:
  # 00:00 on the 1st of every 4th month. The certificates below are valid for
  # 8760h (365 days), so each run renews well before expiry. No timeZone is
  # set here.
  schedule: "0 0 1 */4 *"
  # Do not start a new run while a previous one is still active.
  concurrencyPolicy: Forbid
  jobTemplate:
    spec:
      template:
        metadata:
          labels:
            k8s-app: hubble-generate-certs
        spec:
          # Pod-level: use the container runtime's default seccomp filter.
          securityContext:
            seccompProfile:
              type: RuntimeDefault
          containers:
            - name: certgen
              # Pinned by digest: the sha256 decides what is pulled, the tag
              # is informational only.
              image: "quay.io/cilium/certgen:v0.2.4@sha256:de7b97b1d19a34b674d0c4bc1da4db999f04ae355923a9a994ac3a81e1a1b5ff"
              imagePullPolicy: IfNotPresent
              # All Linux capabilities dropped, no privilege escalation.
              # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not
              # set; confirm the image supports them before tightening.
              securityContext:
                capabilities:
                  drop:
                    - ALL
                allowPrivilegeEscalation: false
              command:
                - "/usr/bin/cilium-certgen"
              # CA handling: the CA is kept in the Secret kube-system/cilium-ca.
              # Presumably an existing Secret is reused and a CA is generated
              # only when none exists; verify against the certgen version in
              # use. Read access to that Secret exposes the CA private key, so
              # RBAC on Secrets in kube-system is part of this trust boundary.
              args:
                - "--ca-generate=true"
                - "--ca-reuse-secret"
                - "--ca-secret-namespace=kube-system"
                - "--ca-secret-name=cilium-ca"
                - "--ca-common-name=Cilium CA"
              # The value is an embedded YAML document handed to certgen as a
              # string. It requests two certificates in kube-system, each
              # valid for 8760h:
              #   hubble-server-certs       - wildcard server name, usable for
              #                               both server auth and client auth
              #   hubble-relay-client-certs - wildcard name, client auth only
              # Do not add comments inside the block scalar; they would become
              # part of the value.
              env:
                - name: CILIUM_CERTGEN_CONFIG
                  value: |
                    certs:
                    - name: hubble-server-certs
                      namespace: kube-system
                      commonName: "*.default.hubble-grpc.cilium.io"
                      hosts:
                      - "*.default.hubble-grpc.cilium.io"
                      usage:
                      - signing
                      - key encipherment
                      - server auth
                      - client auth
                      validity: 8760h
                    - name: hubble-relay-client-certs
                      namespace: kube-system
                      commonName: "*.hubble-relay.cilium.io"
                      hosts:
                      - "*.hubble-relay.cilium.io"
                      usage:
                      - signing
                      - key encipherment
                      - client auth
                      validity: 8760h
          # The job does not share the node's network namespace.
          hostNetwork: false
          # serviceAccount is the deprecated alias of serviceAccountName; both
          # carry the same value.
          serviceAccount: "hubble-generate-certs"
          serviceAccountName: "hubble-generate-certs"
          # The API token is mounted into the pod. The Role bound to this
          # service account is not part of this manifest; verify it is limited
          # to the Secrets named above.
          automountServiceAccountToken: true
          restartPolicy: OnFailure
          # Explicit null: no scheduling affinity is configured.
          affinity: null
      # Finished Jobs and their pods are deleted after 30 minutes, so logs of
      # a run are only available from the cluster for that window.
      ttlSecondsAfterFinished: 1800