apiVersion: v1 kind: Service metadata: labels: {app: autocert} name: autocert namespace: step spec: type: ClusterIP ports: - port: 443 targetPort: 4443 selector: {app: autocert} --- apiVersion: v1 kind: ConfigMap metadata: name: autocert-config namespace: step data: config.yaml: | logFormat: json # or text caUrl: https://ca.step.svc.cluster.local certLifetime: 24h renewer: name: autocert-renewer image: smallstep/autocert-renewer:0.8.3 resources: {requests: {cpu: 10m, memory: 20Mi}} imagePullPolicy: IfNotPresent volumeMounts: - name: certs mountPath: /var/run/autocert.step.sm bootstrapper: name: autocert-bootstrapper image: smallstep/autocert-bootstrapper:0.8.3 resources: {requests: {cpu: 10m, memory: 20Mi}} imagePullPolicy: IfNotPresent volumeMounts: - name: certs mountPath: /var/run/autocert.step.sm certsVolume: name: certs emptyDir: {} --- apiVersion: apps/v1 kind: Deployment metadata: name: autocert namespace: step labels: {app: autocert} spec: replicas: 1 selector: {matchLabels: {app: autocert}} template: metadata: {labels: {app: autocert}} spec: containers: - name: autocert image: smallstep/autocert-controller:0.8.3 resources: {requests: {cpu: 100m, memory: 20Mi}} env: - name: PROVISIONER_NAME value: autocert - name: NAMESPACE valueFrom: fieldRef: fieldPath: metadata.namespace volumeMounts: - name: config mountPath: /home/step/.step/config readOnly: true - name: certs mountPath: /home/step/.step/certs readOnly: true - name: autocert-password mountPath: /home/step/password readOnly: true - name: autocert-config mountPath: /home/step/autocert readOnly: true securityContext: runAsUser: 1000 allowPrivilegeEscalation: false livenessProbe: httpGet: path: /healthz port: 4443 scheme: HTTPS readinessProbe: httpGet: path: /healthz port: 4443 scheme: HTTPS volumes: - name: config configMap: {name: config} - name: certs configMap: {name: certs} - name: autocert-password secret: {secretName: autocert-password} - name: autocert-config configMap: {name: autocert-config}