apiVersion: apps/v1
kind: Deployment
metadata:
  name: pod-identity-webhook
  namespace: default
spec:
  replicas: 1
  selector:
    matchLabels:
      app: pod-identity-webhook
  template:
    metadata:
      labels:
        app: pod-identity-webhook
    spec:
      serviceAccountName: pod-identity-webhook
      containers:
      - name: pod-identity-webhook
        image: IMAGE
        imagePullPolicy: Always
        command:
        - /webhook
        - --in-cluster=false
        - --namespace=default
        - --service-name=pod-identity-webhook
        - --annotation-prefix=eks.amazonaws.com
        - --token-audience=sts.amazonaws.com
        - --logtostderr
        volumeMounts:
        - name: cert
          mountPath: "/etc/webhook/certs"
          readOnly: true
      volumes:
      - name: cert
        secret:
          secretName: pod-identity-webhook-cert
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pod-identity-webhook
  namespace: default
spec:
  secretName: pod-identity-webhook-cert
  commonName: "pod-identity-webhook.default.svc"
  dnsNames:
  - "pod-identity-webhook"
  - "pod-identity-webhook.default"
  - "pod-identity-webhook.default.svc"
  - "pod-identity-webhook.default.svc.local"
  isCA: true
  duration: 2160h # 90d
  renewBefore: 360h # 15d
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer