apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: lab-root-ca
  namespace: cert-manager
spec:
  commonName: lab-root-ca
  secretName: lab-root-ca-secret
  isCA: true
  duration: 8760h
  renewBefore: 720h
  privateKey:
    algorithm: RSA
    size: 2048
    rotationPolicy: Always
  subject:
    organizations:
      - k8s-lab
  issuerRef:
    kind: ClusterIssuer
    name: lab-selfsigned-bootstrap