apiVersion: v1
kind: Service
metadata:
  name: autocert
  namespace: step
  labels:
    app: autocert
spec:
  # Cluster-internal only. The only client of this port is presumably the API
  # server's admission-webhook call; there is no reason for it to be reachable
  # from outside the cluster, so keep the type ClusterIP (not NodePort/LoadBalancer).
  type: ClusterIP
  ports:
    # 443 on the Service, 4443 in the container (the same port the Deployment's
    # HTTPS health probes use).
    - port: 443
      targetPort: 4443
  selector:
    app: autocert
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: autocert-config
  namespace: step
# Controller configuration, mounted read-only at /home/step/autocert by the
# Deployment in this file. Security-relevant keys of config.yaml:
#
#   - restrictCertificatesToNamespace: false — as the key name suggests, the
#     certificate name a pod asks for is presumably NOT checked against the pod's
#     own namespace, so a pod in one namespace could obtain a certificate for a
#     service name in another. Prefer `true` unless cross-namespace names are
#     genuinely required. TODO(review): confirm the exact semantics against the
#     autocert documentation for this version before flipping it.
#   - certLifetime: 24h — short-lived leaf certificates; the `renewer` container
#     spec below is presumably what keeps them renewed.
#   - renewer/bootstrapper images are pinned by tag only and pulled IfNotPresent.
#     A mutable tag plus a node-side image cache makes the running image
#     ambiguous; pin by digest (`image: ...@sha256:<digest>`) for a reproducible
#     supply chain.
#   - certsVolume is an emptyDir: the issued key material is shared between the
#     sidecar containers and the application container and is written to node
#     disk. `emptyDir: {medium: Memory}` keeps the private key in RAM only, if
#     that trade-off is acceptable.
data:
  config.yaml: |
    logFormat: json # or text
    restrictCertificatesToNamespace: false
    clusterDomain: cluster.local
    caUrl: https://ca.step.svc.cluster.local
    certLifetime: 24h
    renewer:
      name: autocert-renewer
      image: cr.step.sm/smallstep/autocert-renewer:0.17.0
      resources: {requests: {cpu: 10m, memory: 20Mi}}
      imagePullPolicy: IfNotPresent
      volumeMounts:
      - name: certs
        mountPath: /var/run/autocert.step.sm
    bootstrapper:
      name: autocert-bootstrapper
      image: cr.step.sm/smallstep/autocert-bootstrapper:0.17.0
      resources: {requests: {cpu: 10m, memory: 20Mi}}
      imagePullPolicy: IfNotPresent
      volumeMounts:
      - name: certs
        mountPath: /var/run/autocert.step.sm
    certsVolume:
      name: certs
      emptyDir: {}
---
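apiVersion: apps/v1
kind: Deployment
metadata:
  name: autocert
  namespace: step
  labels:
    app: autocert
spec:
  replicas: 1
  selector:
    matchLabels:
      app: autocert
  template:
    metadata:
      labels:
        app: autocert
    spec:
      # NOTE(review): no serviceAccountName is set, so the pod runs as the
      # namespace's `default` ServiceAccount. If the controller needs API access
      # (its RBAC is not in this file), bind a dedicated ServiceAccount instead of
      # widening `default`.
      containers:
        - name: autocert
          # Tag-pinned only; pin by digest (`@sha256:<digest>`) for a reproducible
          # supply chain.
          image: cr.step.sm/smallstep/autocert-controller:0.17.0
          resources:
            requests:
              cpu: 100m
              memory: 20Mi
          env:
            # Name of the CA provisioner whose password is mounted at /home/step/password.
            - name: PROVISIONER_NAME
              value: autocert
            # The pod's own namespace, read from its metadata (downward API).
            - name: NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          volumeMounts:
            - name: config
              mountPath: /home/step/config
              readOnly: true
            - name: certs
              mountPath: /home/step/certs
              readOnly: true
            # Provisioner password. Anyone who can read this Secret can mint
            # tokens with the provisioner, so keep its RBAC read access minimal.
            - name: autocert-password
              mountPath: /home/step/password
              readOnly: true
            - name: autocert-config
              mountPath: /home/step/autocert
              readOnly: true
          securityContext:
            runAsUser: 1000
            # Fail closed should the image ever be rebuilt to run as root.
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            # The server listens on 4443 (unprivileged, see the probes below), so
            # no Linux capability is required.
            capabilities:
              drop: ["ALL"]
            seccompProfile:
              type: RuntimeDefault
            # readOnlyRootFilesystem is deliberately not set here: TODO(review)
            # confirm the controller image does not write under /home/step at
            # runtime before enabling it.
          livenessProbe:
            httpGet:
              path: /healthz
              port: 4443
              scheme: HTTPS
          readinessProbe:
            httpGet:
              path: /healthz
              port: 4443
              scheme: HTTPS
      volumes:
        - name: config
          configMap:
            name: config
        - name: certs
          configMap:
            name: certs
        - name: autocert-password
          secret:
            secretName: autocert-password
        - name: autocert-config
          configMap:
            name: autocert-config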