step-cli certificate create root.linkerd.cluster.local ca.crt ca.key \
  --profile root-ca --no-password --insecure &&
  kubectl create secret tls \
    linkerd-trust-anchor \
    --cert=ca.crt \
    --key=ca.key \
    --namespace=linkerd &&
  yq e -i '.["linkerd-control-plane"].identityTrustAnchorsPEM=load_str("ca.crt")' values.yaml &&
  rm ca.crt ca.key

step-cli certificate create webhook.linkerd.cluster.local webhook_ca.crt webhook_ca.key \
  --profile root-ca --no-password --insecure --san webhook.linkerd.cluster.local &&
  kubectl create secret tls \
    webhook-issuer-tls \
    --cert=webhook_ca.crt \
    --key=webhook_ca.key \
    --namespace=linkerd &&
  kubectl create secret tls \
    webhook-issuer-tls \
    --cert=webhook_ca.crt \
    --key=webhook_ca.key \
    --namespace=linkerd-viz &&
  yq e -i '.["linkerd-control-plane"].policyValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
  yq e -i '.["linkerd-control-plane"].proxyInjector.caBundle=load_str("webhook_ca.crt")' values.yaml &&
  yq e -i '.["linkerd-control-plane"].profileValidator.caBundle=load_str("webhook_ca.crt")' values.yaml &&
  yq e -i '.["linkerd-viz"].tap.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
  yq e -i '.["linkerd-viz"].tapInjector.caBundle=load_str("webhook_ca.crt")' ../linkerd-viz/values.yaml &&
  rm webhook_ca.crt webhook_ca.key