apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: trust-manager-selfsigned-issuer
spec:
  selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cluster-root-certificate
  namespace: ${namespace}
spec:
  isCA: true
  commonName: cluster-root-certificate-ca
  secretName: cluster-root-certificate-ca-secret
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: trust-manager-selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: default-cluster-ca-issuer
spec:
  ca:
    secretName: cluster-root-certificate-ca-secret
---
apiVersion: trust.cert-manager.io/v1alpha1
kind: Bundle
metadata:
  name: in-cluster-trust-bundle
spec:
  sources:
  - useDefaultCAs: true
  - secret:
      name: "cluster-root-certificate-ca-secret"
      key: "tls.crt"
  target:
    configMap:
      key: "trust-bundle.pem"