# Deployment bundle for gateway-cert-operator: namespace, identity, RBAC and
# the controller Deployment, in the order the API server needs them.
---
apiVersion: v1
kind: Namespace
metadata:
  name: gateway-cert-operator-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: gateway-cert-operator
  namespace: gateway-cert-operator-system
---
# Cluster-wide permissions for the controller. Read-only on Certificates,
# read plus patch on Gateways, and event emission. No secrets access is
# granted here, so the controller cannot read issued key material.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: gateway-cert-operator
rules:
  # cert-manager Certificates are only observed, never mutated.
  - apiGroups:
      - cert-manager.io
    resources:
      - certificates
    verbs:
      - get
      - list
      - watch
  # Gateways are observed and patched (the only write on a workload resource).
  - apiGroups:
      - gateway.networking.k8s.io
    resources:
      - gateways
    verbs:
      - get
      - list
      - watch
      - patch
  # Core-group Events, for reporting reconcile outcomes.
  - apiGroups:
      - ""
    resources:
      - events
    verbs:
      - create
      - patch
---
# Binds the ClusterRole above to the operator's ServiceAccount.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: gateway-cert-operator
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: gateway-cert-operator
subjects:
  - kind: ServiceAccount
    name: gateway-cert-operator
    namespace: gateway-cert-operator-system
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: gateway-cert-operator
  namespace: gateway-cert-operator-system
  labels:
    app.kubernetes.io/name: gateway-cert-operator
spec:
  # Single replica; nothing in this file configures leader election, so
  # scaling up would need that to be confirmed in the controller itself.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: gateway-cert-operator
  template:
    metadata:
      labels:
        app.kubernetes.io/name: gateway-cert-operator
    spec:
      serviceAccountName: gateway-cert-operator
      # Pod-level hardening, inherited by the container below.
      securityContext:
        # NOTE(review): runAsNonRoot alone only rejects a root UID at start;
        # the image must declare a non-root USER, or runAsUser must be set
        # here — confirm against the image build.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: manager
          # NOTE(review): `latest` is a mutable tag with no pull policy set;
          # pin to an immutable digest (image@sha256:<DIGEST>) before this
          # leaves a development cluster.
          image: gateway-cert-operator:latest
          args:
            - --metrics-bind-address=:8080
            - --health-probe-bind-address=:8081
          ports:
            # Metrics and probes listen on separate ports. No Service is
            # defined in this file, so neither is exposed beyond the pod
            # network by this manifest alone.
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: healthz
              containerPort: 8081
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthz
              port: healthz
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            httpGet:
              path: /readyz
              port: healthz
            initialDelaySeconds: 5
            periodSeconds: 10
          resources:
            limits:
              cpu: 100m
              memory: 64Mi
            requests:
              cpu: 50m
              memory: 32Mi
          # Container-level hardening: no privilege escalation, immutable
          # root filesystem, every Linux capability dropped.
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL