diff --git a/deploy/charts/cert-manager/README.template.md b/deploy/charts/cert-manager/README.template.md
index fb62fb075..c449b2ad3 100644
--- a/deploy/charts/cert-manager/README.template.md
+++ b/deploy/charts/cert-manager/README.template.md
@@ -69,178 +69,4023 @@ $ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/downlo ``` ## Configuration + -The following table lists the configurable parameters of the cert-manager chart and their default values. +### Global -| Parameter | Description | Default | -| --------- | ----------- | ------- | -| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | -| `global.commonLabels` | Labels to apply to all resources | `{}` | -| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | -| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` | -| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` | -| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` | -| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` | -| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | | -| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | | -| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | | -| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. 
If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | -| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | -| `image.tag` | Image tag | `{{RELEASE_VERSION}}` | -| `image.pullPolicy` | Image pull policy | `IfNotPresent` | -| `replicaCount` | Number of cert-manager replicas | `1` | -| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | -| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `.extraArgs` | `` | -| `extraArgs` | Optional flags for cert-manager | `[]` | -| `extraEnv` | Optional environment variables for cert-manager | `[]` | -| `serviceAccount.create` | If `true`, create a new service account | `true` | -| `serviceAccount.name` | Service account to be used. 
If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | -| `serviceAccount.annotations` | Annotations to add to the service account | | -| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | -| `volumes` | Optional volumes for cert-manager | `[]` | -| `volumeMounts` | Optional volume mounts for cert-manager | `[]` | -| `resources` | CPU/memory resource requests/limits | `{}` | -| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) | -| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) | -| `nodeSelector` | Node labels for pod assignment | `{}` | -| `affinity` | Node affinity for pod assignment | `{}` | -| `tolerations` | Node tolerations for pod assignment | `[]` | -| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` | -| `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. 
| `false` | -| `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` | -| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | -| `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` | -| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | -| `livenessProbe.successThreshold` | The liveness probe success threshold | `1` | -| `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` | -| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | | -| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | | -| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | | -| `prometheus.enabled` | Enable Prometheus monitoring | `true` | -| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` | -| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) | -| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` | -| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` | -| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` | -| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` | -| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | | -| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | -| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. 
Can be used to remove the "exported_namespace" label for example. | `false` | -| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` | -| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` | -| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | -| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | -| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | -| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | | -| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | | -| `podLabels` | Labels to add to the cert-manager pod | `{}` | -| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` | -| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` | -| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | | -| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | -| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | -| `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` | -| `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` | -| `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` | -| `config` | ControllerConfiguration YAML used to configure flags for the controller. 
Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` | -| `enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. | `false` | -| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` | -| `webhook.timeoutSeconds` | Seconds the API server should wait for the webhook to respond before treating the call as a failure. Value must be between 1 and 30 seconds. | `30` | -| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` | -| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` | -| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` | -| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` | -| `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | -| `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | -| `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | -| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` | -| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` | -| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` | -| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. 
| `{}` | -| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | -| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` | -| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | | -| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | | -| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | | -| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` | -| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` | -| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` | -| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` | -| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` | -| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` | -| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | -| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` | -| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | -| `webhook.image.tag` | Webhook image tag | `{{RELEASE_VERSION}}` | -| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | -| `webhook.securePort` | The port that the webhook should listen on for requests. 
| `10250` | -| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) | -| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) | -| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` | -| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` | -| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | | -| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | | -| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` | -| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` | -| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | -| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` | -| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` | -| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` | -| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` | -| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` | -| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` | -| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` | -| `webhook.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. 
| `false` | -| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` | -| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` | -| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` | -| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` | -| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` | -| `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | -| `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | -| `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | -| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` | -| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` | -| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. 
If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | | -| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | | -| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` | -| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` | -| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` | -| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` | -| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | -| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` | -| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | -| `cainjector.image.tag` | cainjector image tag | `{{RELEASE_VERSION}}` | -| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | -| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) | -| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) | -| `cainjector.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. 
| `false` | -| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` | -| `acmesolver.image.tag` | acmesolver image tag | `{{RELEASE_VERSION}}` | -| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` | -| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` | -| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) | -| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) | -| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` | -| `startupapicheck.backoffLimit` | Job backoffLimit | `4` | -| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` | -| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` | -| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `["-v"]` | -| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` | -| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` | -| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` | -| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` | -| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` | -| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` | -| `startupapicheck.image.tag` | startupapicheck image tag | `{{RELEASE_VERSION}}` | -| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` | -| 
`startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` | -| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | | -| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | | -| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` | -| `startupapicheck.enableServiceLinks` | Indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. | `false` | -| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` | + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
global.imagePullSecrets + +Reference to one or more secrets to be used when pulling images +ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +For example: + +```yaml +imagePullSecrets: + - name: "image-pull-secret" +``` + +array + +```yaml +[] +``` + +
global.commonLabels + +Labels to apply to all resources +Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress +eg. secretTemplate in CertificateSpec + ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec + +object + +```yaml +{} +``` + +
global.revisionHistoryLimit + +The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + + +number + +```yaml + +``` + +
global.priorityClassName + +Optional priority class to be used for the cert-manager pods + +string + +```yaml +"" +``` + +
global.rbac.create + +Create required ClusterRoles and ClusterRoleBindings for cert-manager + +bool + +```yaml +true +``` + +
global.rbac.aggregateClusterRoles + +Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + +bool + +```yaml +true +``` + +
global.podSecurityPolicy.enabled + +Create PodSecurityPolicy for cert-manager + +NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 + +bool + +```yaml +false +``` + +
global.podSecurityPolicy.useAppArmor + +Configure the PodSecurityPolicy to use AppArmor + +bool + +```yaml +true +``` + +
global.logLevel + +Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + +number + +```yaml +2 +``` + +
global.leaderElection.namespace + +Override the namespace used for the leader election lease + +string + +```yaml +kube-system +``` + +
global.leaderElection.leaseDuration + +The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. + + +string + +```yaml + +``` + +
global.leaderElection.renewDeadline + +The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. + + +string + +```yaml + +``` + +
global.leaderElection.retryPeriod + +The duration the clients should wait between attempting acquisition and renewal of a leadership. + + +string + +```yaml + +``` + +
installCRDs + +Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs + +bool + +```yaml +false +``` + +
+ +### Controller + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
replicaCount + +Number of replicas of the cert-manager controller to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +number + +```yaml +1 +``` + +
strategy + +Deployment update strategy for the cert-manager controller deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + +object + +```yaml +{} +``` + +
podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +```yaml +false +``` + +
podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +```yaml + +``` + +
podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +```yaml + +``` + +
featureGates + +Comma separated list of feature gates that should be enabled on the controller pod. + +string + +```yaml +"" +``` + +
maxConcurrentChallenges + +The maximum number of challenges that can be scheduled as 'processing' at once + +number + +```yaml +60 +``` + +
image.registry + +The container registry to pull the manager image from + + +string + +```yaml + +``` + +
image.repository + +The container image for the cert-manager controller + + +string + +```yaml +quay.io/jetstack/cert-manager-controller +``` + +
image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml + +``` + +
image.digest + +Setting a digest will override any tag + + +string + +```yaml + +``` + +
image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
clusterResourceNamespace + +Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. + +string + +```yaml +"" +``` + +
namespace + +This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart) + +string + +```yaml +"" +``` + +
serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml + +``` + +
serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +```yaml + +``` + +
serviceAccount.labels + +Optional additional labels to add to the controller's ServiceAccount + + +object + +```yaml + +``` + +
serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +```yaml +true +``` + +
automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml + +``` + +
enableCertificateOwnerRef + +When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + +bool + +```yaml +false +``` + +
config + +Used to configure options for the controller pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +config: + apiVersion: controller.config.cert-manager.io/v1alpha1 + kind: ControllerConfiguration + logging: + verbosity: 2 + format: text + leaderElectionConfig: + namespace: kube-system + kubernetesAPIQPS: 9000 + kubernetesAPIBurst: 9000 + numberOfConcurrentWorkers: 200 + featureGates: + AdditionalCertificateOutputFormats: true + DisallowInsecureCSRUsageDefinition: true + ExperimentalCertificateSigningRequestControllers: true + ExperimentalGatewayAPISupport: true + LiteralCertificateSubject: true + SecretsFilteredCaching: true + ServerSideApply: true + StableCertificateRequestName: true + UseCertificateRequestBasicConstraints: true + ValidateCAA: true + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics + - cert-manager-metrics.cert-manager + - cert-manager-metrics.cert-manager.svc +``` + +object + +```yaml +{} +``` + +
dns01RecursiveNameservers + +Comma separated string with host and port of the recursive nameservers cert-manager should query + +string + +```yaml +"" +``` + +
dns01RecursiveNameserversOnly + +Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers + +bool + +```yaml +false +``` + +
extraArgs + +Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help + +Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver + +For example: + +```yaml +extraArgs: + - --controllers=*,-certificaterequests-approver +``` + +array + +```yaml +[] +``` + +
extraEnv + +Additional environment variables to pass to cert-manager controller binary. + +array + +```yaml +[] +``` + +
resources + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + +object + +```yaml +{} +``` + +
securityContext + +Pod Security Context +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
containerSecurityContext + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
deploymentAnnotations + +Optional additional annotations to add to the controller Deployment + + +object + +```yaml + +``` + +
podAnnotations + +Optional additional annotations to add to the controller Pods + + +object + +```yaml + +``` + +
podLabels + +Optional additional labels to add to the controller Pods + +object + +```yaml +{} +``` + +
serviceAnnotations + +Optional annotations to add to the controller Service + + +object + +```yaml + +``` + +
serviceLabels + +Optional additional labels to add to the controller Service + + +object + +```yaml + +``` + +
podDnsPolicy + +Pod DNS policy +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + + +string + +```yaml + +``` + +
podDnsConfig + +Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + + +object + +```yaml + +``` + +
nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
ingressShim.defaultIssuerName + +Optional default issuer to use for ingress resources + + +string + +```yaml + +``` + +
ingressShim.defaultIssuerKind + +Optional default issuer kind to use for ingress resources + + +string + +```yaml + +``` + +
ingressShim.defaultIssuerGroup + +Optional default issuer group to use for ingress resources + + +string + +```yaml + +``` + +
http_proxy + +Configures the HTTP_PROXY environment variable for where a HTTP proxy is required + + +string + +```yaml + +``` + +
https_proxy + +Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required + + +string + +```yaml + +``` + +
no_proxy + +Configures the NO_PROXY environment variable for where a HTTP proxy is required, but certain domains should be excluded + + +string + +```yaml + +``` + +
affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + +array + +```yaml +[] +``` + +
livenessProbe + +LivenessProbe settings for the controller container of the controller Pod. + +Enabled by default, because we want to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. See: https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + + +object + +```yaml +enabled: true +failureThreshold: 8 +initialDelaySeconds: 10 +periodSeconds: 10 +successThreshold: 1 +timeoutSeconds: 15 +``` + +
enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ +### Prometheus + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
prometheus.enabled + +Enable prometheus monitoring for the cert-manager controller, to use with. Prometheus Operator either `prometheus.servicemonitor.enabled` or +`prometheus.podmonitor.enabled` can be used to create a ServiceMonitor/PodMonitor +resource + +bool + +```yaml +true +``` + +
prometheus.servicemonitor.enabled + +Create a ServiceMonitor to add cert-manager to Prometheus + +bool + +```yaml +false +``` + +
prometheus.servicemonitor.prometheusInstance + +Specifies the `prometheus` label on the created ServiceMonitor, this is used when different Prometheus instances have label selectors matching different ServiceMonitors. + +string + +```yaml +default +``` + +
prometheus.servicemonitor.targetPort + +The target port to set on the ServiceMonitor, should match the port that cert-manager controller is listening on for metrics + +number + +```yaml +9402 +``` + +
prometheus.servicemonitor.path + +The path to scrape for metrics + +string + +```yaml +/metrics +``` + +
prometheus.servicemonitor.interval + +The interval to scrape metrics + +string + +```yaml +60s +``` + +
prometheus.servicemonitor.scrapeTimeout + +The timeout before a metrics scrape fails + +string + +```yaml +30s +``` + +
prometheus.servicemonitor.labels + +Additional labels to add to the ServiceMonitor + +object + +```yaml +{} +``` + +
prometheus.servicemonitor.annotations + +Additional annotations to add to the ServiceMonitor + +object + +```yaml +{} +``` + +
prometheus.servicemonitor.honorLabels + +Keep labels from scraped data, overriding server-side labels. + +bool + +```yaml +false +``` + +
prometheus.servicemonitor.endpointAdditionalProperties + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. + +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + + +object + +```yaml +{} +``` + +
prometheus.podmonitor.enabled + +Create a PodMonitor to add cert-manager to Prometheus + +bool + +```yaml +false +``` + +
prometheus.podmonitor.prometheusInstance + +Specifies the `prometheus` label on the created PodMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor. + +string + +```yaml +default +``` + +
prometheus.podmonitor.path + +The path to scrape for metrics + +string + +```yaml +/metrics +``` + +
prometheus.podmonitor.interval + +The interval to scrape metrics + +string + +```yaml +60s +``` + +
prometheus.podmonitor.scrapeTimeout + +The timeout before a metrics scrape fails + +string + +```yaml +30s +``` + +
prometheus.podmonitor.labels + +Additional labels to add to the PodMonitor + +object + +```yaml +{} +``` + +
prometheus.podmonitor.annotations + +Additional annotations to add to the PodMonitor + +object + +```yaml +{} +``` + +
prometheus.podmonitor.honorLabels + +Keep labels from scraped data, overriding server-side labels. + +bool + +```yaml +false +``` + +
prometheus.podmonitor.endpointAdditionalProperties + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. + +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + + +object + +```yaml +{} +``` + +
+ +### Webhook + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
webhook.replicaCount + +Number of replicas of the cert-manager webhook to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. + +number + +```yaml +1 +``` + +
webhook.timeoutSeconds + +Seconds the API server should wait for the webhook to respond before treating the call as a failure. +Value must be between 1 and 30 seconds. See: +https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ + +We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. + +number + +```yaml +30 +``` + +
webhook.config + +Used to configure options for the webhook pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: webhook.config.cert-manager.io/v1alpha1 +kind: WebhookConfiguration +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 +``` + +object + +```yaml +{} +``` + +
webhook.strategy + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + +object + +```yaml +{} +``` + +
webhook.securityContext + +Pod Security Context to be set on the webhook component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
webhook.containerSecurityContext + +Container Security Context to be set on the webhook component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
webhook.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +```yaml +false +``` + +
webhook.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +```yaml + +``` + +
webhook.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +```yaml + +``` + +
webhook.deploymentAnnotations + +Optional additional annotations to add to the webhook Deployment + + +object + +```yaml + +``` + +
webhook.podAnnotations + +Optional additional annotations to add to the webhook Pods + + +object + +```yaml + +``` + +
webhook.serviceAnnotations + +Optional additional annotations to add to the webhook Service + + +object + +```yaml + +``` + +
webhook.mutatingWebhookConfigurationAnnotations + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + + +object + +```yaml + +``` + +
webhook.validatingWebhookConfigurationAnnotations + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + + +object + +```yaml + +``` + +
webhook.validatingWebhookConfiguration.namespaceSelector + +Configure spec.namespaceSelector for validating webhooks. + + +object + +```yaml +matchExpressions: + - key: cert-manager.io/disable-validation + operator: NotIn + values: + - "true" +``` + +
webhook.mutatingWebhookConfiguration.namespaceSelector + +Configure spec.namespaceSelector for mutating webhooks. + + +object + +```yaml +{} +``` + +
webhook.extraArgs + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + +array + +```yaml +[] +``` + +
webhook.featureGates + +Comma separated list of feature gates that should be enabled on the webhook pod. + +string + +```yaml +"" +``` + +
webhook.resources + +Resources to provide to the cert-manager webhook pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + +object + +```yaml +{} +``` + +
webhook.livenessProbe + +Liveness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + + +object + +```yaml +failureThreshold: 3 +initialDelaySeconds: 60 +periodSeconds: 10 +successThreshold: 1 +timeoutSeconds: 1 +``` + +
webhook.readinessProbe + +Readiness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + + +object + +```yaml +failureThreshold: 3 +initialDelaySeconds: 5 +periodSeconds: 5 +successThreshold: 1 +timeoutSeconds: 1 +``` + +
webhook.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
webhook.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
webhook.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
webhook.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + +array + +```yaml +[] +``` + +
webhook.podLabels + +Optional additional labels to add to the Webhook Pods + +object + +```yaml +{} +``` + +
webhook.serviceLabels + +Optional additional labels to add to the Webhook Service + +object + +```yaml +{} +``` + +
webhook.image.registry + +The container registry to pull the webhook image from + + +string + +```yaml + +``` + +
webhook.image.repository + +The container image for the cert-manager webhook + + +string + +```yaml +quay.io/jetstack/cert-manager-webhook +``` + +
webhook.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml + +``` + +
webhook.image.digest + +Setting a digest will override any tag + + +string + +```yaml + +``` + +
webhook.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
webhook.serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
webhook.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml + +``` + +
webhook.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +```yaml + +``` + +
webhook.serviceAccount.labels + +Optional additional labels to add to the webhook's ServiceAccount + + +object + +```yaml + +``` + +
webhook.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +```yaml +true +``` + +
webhook.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml + +``` + +
webhook.securePort + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + +number + +```yaml +10250 +``` + +
webhook.hostNetwork + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + +bool + +```yaml +false +``` + +
webhook.serviceType + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + +string + +```yaml +ClusterIP +``` + +
webhook.loadBalancerIP + +Specify the load balancer IP for the created service + + +string + +```yaml + +``` + +
webhook.url + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + +object + +```yaml +{} +``` + +
webhook.networkPolicy.enabled + +Create network policies for the webhooks + +bool + +```yaml +false +``` + +
webhook.networkPolicy.ingress + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + + +array + +```yaml +- from: + - ipBlock: + cidr: 0.0.0.0/0 +``` + +
webhook.networkPolicy.egress + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + + +array + +```yaml +- ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - port: 6443 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 +``` + +
webhook.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
webhook.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
webhook.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
cainjector.enabled + +Create the CA Injector deployment + +bool + +```yaml +true +``` + +
cainjector.replicaCount + +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +number + +```yaml +1 +``` + +
cainjector.config + +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: cainjector.config.cert-manager.io/v1alpha1 +kind: CAInjectorConfiguration +logging: + verbosity: 2 + format: text +leaderElectionConfig: + namespace: kube-system +``` + +object + +```yaml +{} +``` + +
cainjector.strategy + +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + +object + +```yaml +{} +``` + +
cainjector.securityContext + +Pod Security Context to be set on the cainjector component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
cainjector.containerSecurityContext + +Container Security Context to be set on the cainjector component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
cainjector.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +```yaml +false +``` + +
cainjector.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +```yaml + +``` + +
cainjector.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +```yaml + +``` + +
cainjector.deploymentAnnotations + +Optional additional annotations to add to the cainjector Deployment + + +object + +```yaml + +``` + +
cainjector.podAnnotations + +Optional additional annotations to add to the cainjector Pods + + +object + +```yaml + +``` + +
cainjector.extraArgs + +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +array + +```yaml +[] +``` + +
cainjector.featureGates + +Comma separated list of feature gates that should be enabled on the cainjector pod. + +string + +```yaml +"" +``` + +
cainjector.resources + +Resources to provide to the cert-manager cainjector pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + +object + +```yaml +{} +``` + +
cainjector.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
cainjector.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
cainjector.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
cainjector.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + +array + +```yaml +[] +``` + +
cainjector.podLabels + +Optional additional labels to add to the CA Injector Pods + +object + +```yaml +{} +``` + +
cainjector.image.registry + +The container registry to pull the cainjector image from + + +string + +```yaml + +``` + +
cainjector.image.repository + +The container image for the cert-manager cainjector + + +string + +```yaml +quay.io/jetstack/cert-manager-controller +``` + +
cainjector.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml + +``` + +
cainjector.image.digest + +Setting a digest will override any tag + + +string + +```yaml + +``` + +
cainjector.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
cainjector.serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
cainjector.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml + +``` + +
cainjector.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +```yaml + +``` + +
cainjector.serviceAccount.labels + +Optional additional labels to add to the cainjector's ServiceAccount + + +object + +```yaml + +``` + +
cainjector.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +```yaml +true +``` + +
cainjector.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml + +``` + +
cainjector.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
cainjector.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
cainjector.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ +### ACME Solver + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
acmesolver.image.registry + +The container registry to pull the acmesolver image from + + +string + +```yaml + +``` + +
acmesolver.image.repository + +The container image for the cert-manager acmesolver + + +string + +```yaml +quay.io/jetstack/cert-manager-acmesolver +``` + +
acmesolver.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml + +``` + +
acmesolver.image.digest + +Setting a digest will override any tag + + +string + +```yaml + +``` + +
acmesolver.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
+ +### Startup API Check + + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
startupapicheck.enabled + +Enables the startup api check + +bool + +```yaml +true +``` + +
startupapicheck.securityContext + +Pod Security Context to be set on the startupapicheck component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
startupapicheck.containerSecurityContext + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
startupapicheck.timeout + +Timeout for 'kubectl check api' command + +string + +```yaml +1m +``` + +
startupapicheck.backoffLimit + +Job backoffLimit + +number + +```yaml +4 +``` + +
startupapicheck.jobAnnotations + +Optional additional annotations to add to the startupapicheck Job + + +object + +```yaml +helm.sh/hook: post-install +helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +helm.sh/hook-weight: "1" +``` + +
startupapicheck.podAnnotations + +Optional additional annotations to add to the startupapicheck Pods + + +object + +```yaml + +``` + +
startupapicheck.extraArgs + +Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help + +We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. + + +array + +```yaml +- -v +``` + +
startupapicheck.resources + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + +object + +```yaml +{} +``` + +
startupapicheck.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
startupapicheck.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
startupapicheck.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
startupapicheck.podLabels + +Optional additional labels to add to the startupapicheck Pods + +object + +```yaml +{} +``` + +
startupapicheck.image.registry + +The container registry to pull the startupapicheck image from + + +string + +```yaml + +``` + +
startupapicheck.image.repository + +The container image for the cert-manager startupapicheck + + +string + +```yaml +quay.io/jetstack/cert-manager-startupapicheck +``` + +
startupapicheck.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml + +``` + +
startupapicheck.image.digest + +Setting a digest will override any tag + + +string + +```yaml + +``` + +
startupapicheck.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
startupapicheck.rbac.annotations + +annotations for the startup API Check job RBAC and PSP resources + + +object + +```yaml +helm.sh/hook: post-install +helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +helm.sh/hook-weight: "-5" +``` + +
startupapicheck.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml + +``` + +
startupapicheck.serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
startupapicheck.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml + +``` + +
startupapicheck.serviceAccount.annotations + +Optional additional annotations to add to the Job's ServiceAccount + + +object + +```yaml +helm.sh/hook: post-install +helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +helm.sh/hook-weight: "-5" +``` + +
startupapicheck.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + + +bool + +```yaml +true +``` + +
startupapicheck.serviceAccount.labels + +Optional additional labels to add to the startupapicheck's ServiceAccount + + +object + +```yaml + +``` + +
startupapicheck.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
startupapicheck.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
startupapicheck.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ + ### Default Security Contexts The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies. diff --git a/deploy/charts/cert-manager/values.yaml b/deploy/charts/cert-manager/values.yaml index 7bf2cd66a..59e8e0b4d 100644 --- a/deploy/charts/cert-manager/values.yaml +++ b/deploy/charts/cert-manager/values.yaml @@ -1,11 +1,16 @@ +# +docs:section=Global + # Default values for cert-manager. # This is a YAML-formatted file. # Declare variables to be passed into your templates. global: # Reference to one or more secrets to be used when pulling images # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # + # For example: + # imagePullSecrets: + # - name: "image-pull-secret" imagePullSecrets: [] - # - name: "image-pull-secret" # Labels to apply to all resources # Please note that this does not add labels to the resources created dynamically by the controllers. 
@@ -15,20 +20,26 @@ global: # eg. secretTemplate in CertificateSpec # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec commonLabels: {} - # team_name: dev # The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # +docs:property # revisionHistoryLimit: 1 # Optional priority class to be used for the cert-manager pods priorityClassName: "" + rbac: + # Create required ClusterRoles and ClusterRoleBindings for cert-manager create: true # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles aggregateClusterRoles: true podSecurityPolicy: + # Create PodSecurityPolicy for cert-manager + # + # NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 enabled: false + # Configure the PodSecurityPolicy to use AppArmor useAppArmor: true # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. 
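Review bot: The new comment on `rbac.create` explains what is created, but the neighbouring `aggregateClusterRoles: true` is still described only as aggregating into the default user-facing roles, without saying what that grants. Aggregation extends the built-in `admin`, `edit` and `view` ClusterRoles with cert-manager's resource permissions, so every subject already bound to those roles gains them; clusters that deliberately restrict who may create Issuers or Certificates need to know to turn it off. Suggested comment: `# Aggregate ClusterRoles to Kubernetes default user-facing roles (admin/edit/view). This grants every subject bound to those roles access to cert-manager resources; set to false if that is not intended.`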
@@ -42,34 +53,67 @@ global: # leadership renewal until attempting to acquire leadership of a led but # unrenewed leader slot. This is effectively the maximum duration that a # leader can be stopped before it is replaced by another candidate. + # +docs:property # leaseDuration: 60s # The interval between attempts by the acting master to renew a leadership # slot before it stops leading. This must be less than or equal to the # lease duration. + # +docs:property # renewDeadline: 40s # The duration the clients should wait between attempting acquisition and # renewal of a leadership. + # +docs:property # retryPeriod: 15s +# Install the cert-manager CRDs, it is recommended to not use Helm to manage +# the CRDs installCRDs: false +# +docs:section=Controller + +# Number of replicas of the cert-manager controller to run. +# +# The default is 1, but in production you should set this to 2 or 3 to provide high +# availability. +# +# If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. +# +# Note: cert-manager uses leader election to ensure that there can +# only be a single instance active at a time. replicaCount: 1 +# Deployment update strategy for the cert-manager controller deployment. +# See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +# +# For example: +# strategy: +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. enabled: false - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 
25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property # maxUnavailable: 1 # Comma separated list of feature gates that should be enabled on the @@ -80,17 +124,24 @@ featureGates: "" maxConcurrentChallenges: 60 image: - repository: quay.io/jetstack/cert-manager-controller - # You can manage a registry with + # The container registry to pull the manager image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-controller + + # The container image for the cert-manager controller + # +docs:property + repository: quay.io/jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer 
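Review bot: The new `installCRDs` comment states a recommendation without its reason, and the reason is what an operator needs before choosing. Presumably the concern is that CRDs rendered by the chart are removed together with the release on `helm uninstall`, and deleting a CRD deletes every custom resource of that kind (all Certificate, Issuer and related objects) — confirm that is the intended rationale and state it. Suggested comment: `# Install the cert-manager CRDs as part of the release. Managing CRDs with Helm is not recommended: uninstalling the release would also remove the CRDs and with them every cert-manager custom resource in the cluster.`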
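Review bot: The `image.digest` comment in this hunk only says a digest overrides the tag; it could say why one would want that, since the same placeholder digest is repeated for the webhook image later in this diff. A digest is an immutable reference to the image content, whereas a tag such as `vX.Y.Z` can be re-pointed in the registry, so pinning by digest is the usual supply-chain control for production deployments. Suggested comment: `# Setting a digest will override any tag. Pin by digest (an immutable content reference) where you need to guarantee exactly which image runs.` The same applies to the webhook `image.digest` comment in the `@@ -469,34 +745,48 @@` hunk.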
@@ -106,17 +157,25 @@ namespace: "" serviceAccount: # Specifies whether a service account should be created create: true + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property # annotations: {} - # Automount API credentials for a Service Account. + # Optional additional labels to add to the controller's ServiceAccount + # +docs:property # labels: {} + + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod +# +docs:property # automountServiceAccountToken: true # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted 
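Review bot: The two `automountServiceAccountToken` comments in this hunk describe the ServiceAccount-level and pod-level knobs separately but not how they interact, and the pod-level one is the one that decides. In Kubernetes the pod spec's `automountServiceAccountToken` takes precedence over the ServiceAccount's setting, so an operator who wants to control whether the controller pod mounts a token needs to know which of the two to set. Suggested comment on the pod-level property: `# Automounting API credentials for a particular pod. When set, this overrides serviceAccount.automountServiceAccountToken.` The same pair of comments is repeated for the webhook in the `@@ -469,34 +745,48 @@` hunk.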
@@ -126,36 +185,39 @@ enableCertificateOwnerRef: false # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. -config: -# apiVersion: controller.config.cert-manager.io/v1alpha1 -# kind: ControllerConfiguration -# logging: -# verbosity: 2 -# format: text -# leaderElectionConfig: -# namespace: kube-system -# kubernetesAPIQPS: 9000 -# kubernetesAPIBurst: 9000 -# numberOfConcurrentWorkers: 200 -# featureGates: -# AdditionalCertificateOutputFormats: true -# DisallowInsecureCSRUsageDefinition: true -# ExperimentalCertificateSigningRequestControllers: true -# ExperimentalGatewayAPISupport: true -# LiteralCertificateSubject: true -# SecretsFilteredCaching: true -# ServerSideApply: true -# StableCertificateRequestName: true -# UseCertificateRequestBasicConstraints: true -# ValidateCAA: true -# metricsTLSConfig: -# dynamic: -# secretNamespace: "cert-manager" -# secretName: "cert-manager-metrics-ca" -# dnsNames: -# - cert-manager-metrics -# - cert-manager-metrics.cert-manager -# - cert-manager-metrics.cert-manager.svc +# +# For example: +# config: +# apiVersion: controller.config.cert-manager.io/v1alpha1 +# kind: ControllerConfiguration +# logging: +# verbosity: 2 +# format: text +# leaderElectionConfig: +# namespace: kube-system +# kubernetesAPIQPS: 9000 +# kubernetesAPIBurst: 9000 +# numberOfConcurrentWorkers: 200 +# featureGates: +# AdditionalCertificateOutputFormats: true +# DisallowInsecureCSRUsageDefinition: true +# ExperimentalCertificateSigningRequestControllers: true +# ExperimentalGatewayAPISupport: true +# LiteralCertificateSubject: true +# SecretsFilteredCaching: true +# ServerSideApply: true +# StableCertificateRequestName: true +# UseCertificateRequestBasicConstraints: true +# ValidateCAA: true +# metricsTLSConfig: +# dynamic: +# secretNamespace: "cert-manager" +# secretName: "cert-manager-metrics-ca" +# dnsNames: +# - 
cert-manager-metrics +# - cert-manager-metrics.cert-manager +# - cert-manager-metrics.cert-manager.svc +config: {} # Setting Nameservers for DNS01 Self Check # See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check @@ -169,21 +231,32 @@ dns01RecursiveNameserversOnly: false # Additional command line flags to pass to cert-manager controller binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +# +# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver +# +# For example: +# extraArgs: +# - --controllers=*,-certificaterequests-approver extraArgs: [] - # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver - # - --controllers=*,-certificaterequests-approver +# Additional environment variables to pass to cert-manager controller binary. extraEnv: [] # - name: SOME_VAR # value: 'some value' +# Resources to provide to the cert-manager controller pod +# +# For example: +# requests: +# cpu: 10m +# memory: 32Mi +# +# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi # Pod Security Context # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# +docs:property securityContext: runAsNonRoot: true seccompProfile: @@ -191,6 +264,7 @@ securityContext: # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: 
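Review bot: The new `extraEnv` comment describes the field, but the only form the example shows is a literal `value: 'some value'`. Values given here land verbatim in the rendered Deployment manifest and in the Helm release record, so anything sensitive (DNS-provider API tokens, proxy credentials) should be referenced through `valueFrom.secretKeyRef` rather than inlined. Suggested addition to the comment: `# Prefer valueFrom.secretKeyRef for credentials; plain values are stored in the release manifest.`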
@@ -198,23 +272,29 @@ containerSecurityContext: - ALL readOnlyRootFilesystem: true - +# Additional volumes to add to the cert-manager controller pod. volumes: [] +# Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # Optional additional annotations to add to the controller Deployment +# +docs:property # deploymentAnnotations: {} # Optional additional annotations to add to the controller Pods +# +docs:property # podAnnotations: {} +# Optional additional labels to add to the controller Pods podLabels: {} # Optional annotations to add to the controller Service +# +docs:property # serviceAnnotations: {} # Optional additional labels to add to the controller Service +# +docs:property # serviceLabels: {} # Optional DNS settings, useful if you have a public and private DNS zone for 
@@ -222,51 +302,65 @@ podLabels: {} # cert-manager can access an ingress or DNS TXT records at all times. # NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for # the cluster to work. + +# Pod DNS policy +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +# +docs:property # podDnsPolicy: "None" + +# Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy +# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +# +docs:property # podDnsConfig: # nameservers: # - "1.1.1.1" # - "8.8.8.8" +# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with +# matching labels. +# See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +# +# This default ensures that Pods are only scheduled to Linux nodes. +# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. +# +docs:property nodeSelector: kubernetes.io/os: linux +# +docs:ignore ingressShim: {} + + # Optional default issuer to use for ingress resources + # +docs:property=ingressShim.defaultIssuerName # defaultIssuerName: "" + + # Optional default issuer kind to use for ingress resources + # +docs:property=ingressShim.defaultIssuerKind # defaultIssuerKind: "" + + # Optional default issuer group to use for ingress resources + # +docs:property=ingressShim.defaultIssuerGroup # defaultIssuerGroup: "" -prometheus: - enabled: true - servicemonitor: - enabled: false - prometheusInstance: default - targetPort: 9402 - path: /metrics - interval: 60s - scrapeTimeout: 30s - labels: {} - annotations: {} - honorLabels: false - endpointAdditionalProperties: {} - # Note: Enabling both PodMonitor and ServiceMonitor is mutually exclusive, enabling both will result in a error. 
- podmonitor: - enabled: false - prometheusInstance: default - path: /metrics - interval: 60s - scrapeTimeout: 30s - labels: {} - annotations: {} - honorLabels: false - endpointAdditionalProperties: {} # Use these variables to configure the HTTP_PROXY environment variables + +# Configures the HTTP_PROXY environment variable for where a HTTP proxy is required +# +docs:property # http_proxy: "http://proxy:8080" + +# Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required +# +docs:property # https_proxy: "https://proxy:8080" + +# Configures the NO_PROXY environment variable for where a HTTP proxy is required, +# but certain domains should be excluded +# +docs:property # no_proxy: 127.0.0.1,localhost + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core -# for example: +# +# For example: # affinity: # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: @@ -279,7 +373,8 @@ prometheus: affinity: {} # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core -# for example: +# +# For example: # tolerations: # - key: foo.bar.com/role # operator: Equal @@ -288,7 +383,8 @@ affinity: {} tolerations: [] # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core -# for example: +# +# For example: # topologySpreadConstraints: # - maxSkew: 2 # topologyKey: topology.kubernetes.io/zone @@ -306,6 +402,7 @@ topologySpreadConstraints: [] # LivenessProbe durations and thresholds are based on those used for the Kubernetes # controller-manager. See: # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 +# +docs:property livenessProbe: enabled: true initialDelaySeconds: 10 
@@ -319,7 +416,110 @@ livenessProbe: # links. enableServiceLinks: false +# +docs:section=Prometheus + +prometheus: + # Enable prometheus monitoring for the cert-manager controller, to use with + # Prometheus Operator either `prometheus.servicemonitor.enabled` or + # `prometheus.podmonitor.enabled` can be used to create a ServiceMonitor/PodMonitor + # resource + enabled: true + servicemonitor: + # Create a ServiceMonitor to add cert-manager to Prometheus + enabled: false + + # Specifies the `prometheus` label on the created ServiceMonitor, this is + # used when different Prometheus instances have label selectors matching + # different ServiceMonitors. + prometheusInstance: default + + # The target port to set on the ServiceMonitor, should match the port that + # cert-manager controller is listening on for metrics + targetPort: 9402 + + # The path to scrape for metrics + path: /metrics + + # The interval to scrape metrics + interval: 60s + + # The timeout before a metrics scrape fails + scrapeTimeout: 30s + + # Additional labels to add to the ServiceMonitor + labels: {} + + # Additional annotations to add to the ServiceMonitor + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + + # Note: Enabling both PodMonitor and ServiceMonitor is mutually exclusive, enabling both will result in a error. 
+ podmonitor: + # Create a PodMonitor to add cert-manager to Prometheus + enabled: false + + # Specifies the `prometheus` label on the created PodMonitor, this is + # used when different Prometheus instances have label selectors matching + # different PodMonitor. + prometheusInstance: default + + # The path to scrape for metrics + path: /metrics + + # The interval to scrape metrics + interval: 60s + + # The timeout before a metrics scrape fails + scrapeTimeout: 30s + + # Additional labels to add to the PodMonitor + labels: {} + + # Additional annotations to add to the PodMonitor + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + +# +docs:section=Webhook + webhook: + # Number of replicas of the cert-manager webhook to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. replicaCount: 1 # Seconds the API server should wait for the webhook to respond before treating the call as a failure. 
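Review bot: The note `# Note: Enabling both PodMonitor and ServiceMonitor is mutually exclusive, enabling both will result in a error.` sits directly above `podmonitor:` although it constrains both `servicemonitor.enabled` and `podmonitor.enabled`, and it has a grammar slip. Moving it under the `prometheus.enabled` comment, where both sub-objects are introduced, and rewording it to `# Note: servicemonitor.enabled and podmonitor.enabled are mutually exclusive; enabling both results in an error.` would put the constraint where the reader first chooses between them. The `+docs:property` markers suggest the generator renders text per property, so in its current position the note presumably ends up attached to `podmonitor` only.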
@@ -342,43 +542,42 @@ webhook: # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. - config: - # apiVersion: webhook.config.cert-manager.io/v1alpha1 - # kind: WebhookConfiguration - - # The port that the webhook should listen on for requests. - # In GKE private clusters, by default kubernetes apiservers are allowed to - # talk to the cluster nodes only on 443 and 10250. so configuring - # securePort: 10250, will work out of the box without needing to add firewall - # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. - # This should be uncommented and set as a default by the chart once we graduate - # the apiVersion of WebhookConfiguration past v1alpha1. - # securePort: 10250 + # + # For example: + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + # # The port that the webhook should listen on for requests. + # # In GKE private clusters, by default kubernetes apiservers are allowed to + # # talk to the cluster nodes only on 443 and 10250. so configuring + # # securePort: 10250, will work out of the box without needing to add firewall + # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. + # # This should be uncommented and set as a default by the chart once we graduate + # # the apiVersion of WebhookConfiguration past v1alpha1. + # securePort: 10250 + config: {} + # Deployment update strategy for the cert-manager webhook deployment. 
+ # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 # Pod Security Context to be set on the webhook component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - podDisruptionBudget: - enabled: false - - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - # minAvailable: 1 - # maxUnavailable: 1 - # Container Security Context to be set on the webhook component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: 
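Review bot: The re-indented `webhook.config` example keeps the claim that `NET_BIND_SERVICE` is needed `to bind port numbers < 1000`; the privileged-port boundary on Linux is 1024, so the line should read `# # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1024.` The point matters here because the chart's default `containerSecurityContext` (ending this hunk with `capabilities:`, continued by `- ALL` in the next) drops capabilities, so a `securePort` below 1024 would not bind unless that context were relaxed — the GKE example of 10250 avoids this. Saying so next to the example keeps anyone from "fixing" a low port by adding capabilities back.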
@@ -386,23 +585,50 @@ webhook: - ALL readOnlyRootFilesystem: true + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 + # Optional additional annotations to add to the webhook Deployment + # +docs:property # deploymentAnnotations: {} # Optional additional annotations to add to the webhook Pods + # +docs:property # podAnnotations: {} # Optional additional annotations to add to the webhook Service + # +docs:property # serviceAnnotations: {} # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # +docs:property # mutatingWebhookConfigurationAnnotations: {} # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # +docs:property # validatingWebhookConfigurationAnnotations: {} validatingWebhookConfiguration: # Configure spec.namespaceSelector for validating webhooks. + # +docs:property namespaceSelector: matchExpressions: - key: "cert-manager.io/disable-validation" @@ -412,6 +638,7 @@ webhook: mutatingWebhookConfiguration: # Configure spec.namespaceSelector for mutating webhooks. + # +docs:property namespaceSelector: {} # matchLabels: # key: value 
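Review bot: The `validatingWebhookConfiguration.namespaceSelector` comment added here only says `Configure spec.namespaceSelector for validating webhooks.`, while the default selector keys on `cert-manager.io/disable-validation`, which presumably excludes any namespace carrying that label from validation (the operator and values are outside this hunk — confirm). That is a security-relevant escape hatch: whoever can label a namespace can switch cert-manager validation off for it. Suggested comment: `# Configure spec.namespaceSelector for validating webhooks. The default skips namespaces labelled cert-manager.io/disable-validation, so permission to label namespaces should be restricted accordingly.`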
@@ -432,20 +659,31 @@ webhook: # webhook pod. featureGates: "" + # Resources to provide to the cert-manager webhook pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi - ## Liveness and readiness probe values - ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes - ## + # Liveness probe values + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + # + # +docs:property livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 + + # Readiness probe values + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + # + # +docs:property readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 
@@ -453,13 +691,51 @@ webhook: successThreshold: 1 timeoutSeconds: 1 + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller topologySpreadConstraints: [] # Optional additional labels to add to the Webhook Pods 
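Review bot: The new `topologySpreadConstraints` example under `webhook:` ends its labelSelector with `app.kubernetes.io/component: controller`, which looks copied from the controller section; a constraint written from this example would spread webhook pods relative to controller pods rather than to each other. The webhook pods presumably carry `app.kubernetes.io/component: webhook` (confirm against the Deployment template), so the example line should become `#       app.kubernetes.io/component: webhook`. Since this text is what the generated README will show, the copy error propagates into the docs as well.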
@@ -469,34 +745,48 @@ webhook: serviceLabels: {} image: - repository: quay.io/jetstack/cert-manager-webhook - # You can manage a registry with + # The container registry to pull the webhook image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-webhook + + # The container image for the cert-manager webhook + # +docs:property + repository: quay.io/jetstack/cert-manager-webhook # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property # annotations: {} + # Optional additional labels to add to the webhook's ServiceAccount + # +docs:property # labels: {} + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true # The port that the webhook should listen on for requests. @@ -521,7 +811,10 @@ webhook: # webhook to outside of the cluster. In some cases, the control plane cannot # reach internal services. serviceType: ClusterIP - # loadBalancerIP: + + # Specify the load balancer IP for the created service + # +docs:property + # loadBalancerIP: "10.10.10.10" # Overrides the mutating webhook and validating webhook so they reach the webhook # service using the `url` field instead of a service. 
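Review bot: In the webhook `serviceAccount` block the new comment reads `# Optional additional annotations to add to the controller's ServiceAccount`, while the sibling `labels` comment correctly says `webhook's`; this reads as a copy-paste from the controller section and is rendered into the generated docs as-is. Change it to `# Optional additional annotations to add to the webhook's ServiceAccount`. The same copy-paste appears in the `@@ -553,7 +855,10 @@` hunk, where `volumes` and `volumeMounts` under `webhook:` are described as belonging to the cert-manager controller pod and container.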
@@ -530,11 +823,20 @@ webhook: # Enables default network policies for webhooks. networkPolicy: + # Create network policies for the webhooks enabled: false + + # Ingress rule for the webhook network policy, by default will allow all + # inbound traffic + # +docs:property ingress: - from: - ipBlock: cidr: 0.0.0.0/0 + + # Egress rule for the webhook network policy, by default will allow all + # outbound traffic traffic to ports 80 and 443, as well as DNS ports + # +docs:property egress: - ports: - port: 80 @@ -553,7 +855,10 @@ webhook: - ipBlock: cidr: 0.0.0.0/0 + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be 
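Review bot: The new egress comment has a doubled word, `allow all outbound traffic traffic to ports 80 and 443`, and neither new comment tells the reader that the defaults are deliberately permissive placeholders. Both rules use `ipBlock: cidr: 0.0.0.0/0`, so enabling `networkPolicy.enabled` without overriding `ingress` admits any source, whereas the admission webhook only needs to be reachable from the control plane. Suggested wording for ingress: `# Ingress rule for the webhook network policy. The default allows all inbound traffic; restrict it to the API server's source range in production.` and for egress: `# Egress rule for the webhook network policy. The default allows all outbound traffic to ports 80 and 443, as well as DNS ports.`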
@@ -561,47 +866,60 @@ webhook: # links. enableServiceLinks: false +# +docs:section=CA Injector + cainjector: + # Create the CA Injector deployment enabled: true + + # Number of replicas of the cert-manager cainjector to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + # + # Note: cert-manager uses leader election to ensure that there can + # only be a single instance active at a time. replicaCount: 1 # Used to configure options for the cainjector pod. # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. - config: - # apiVersion: cainjector.config.cert-manager.io/v1alpha1 - # kind: CAInjectorConfiguration - # logging: - # verbosity: 2 - # format: text - # leaderElectionConfig: - # namespace: kube-system + # + # For example: + # apiVersion: cainjector.config.cert-manager.io/v1alpha1 + # kind: CAInjectorConfiguration + # logging: + # verbosity: 2 + # format: text + # leaderElectionConfig: + # namespace: kube-system + config: {} + # Deployment update strategy for the cert-manager cainjector deployment. + # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 strategy: {} - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 # Pod Security Context to be set on the cainjector component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - podDisruptionBudget: - enabled: false - - # minAvailable and maxUnavailable can either be set to an integer (e.g. 
1) - # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - # minAvailable: 1 - # maxUnavailable: 1 - # Container Security Context to be set on the cainjector component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -609,11 +927,33 @@ cainjector: - ALL readOnlyRootFilesystem: true + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 # Optional additional annotations to add to the cainjector Deployment + # +docs:property # deploymentAnnotations: {} # Optional additional annotations to add to the cainjector Pods + # +docs:property # podAnnotations: {} # Additional command line flags to pass to cert-manager cainjector binary. 
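Review bot: The new `podDisruptionBudget` comments drop a statement the removed block carried: `# if neither minAvailable or maxUnavailable is set, we default to minAvailable: 1`. The new text only says each option cannot be combined with the other, so a reader who sets `enabled: true` no longer learns what happens when neither is set. If the template still applies that default, add a line under the `enabled` comment such as `# If neither minAvailable nor maxUnavailable is set, the chart defaults to minAvailable: 1.`; if the default was removed on purpose, that is a behaviour change the commit description should mention. The `cainjector:` mapping continues past the end of this hunk.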
@@ -626,55 +966,116 @@ cainjector: # cainjector pod. featureGates: "" + # Resources to provide to the cert-manager cainjector pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller topologySpreadConstraints: [] # Optional additional labels to add to the CA Injector Pods podLabels: {} image: - repository: 
quay.io/jetstack/cert-manager-cainjector - # You can manage a registry with + # The container registry to pull the cainjector image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-cainjector + + # The container image for the cert-manager cainjector + # +docs:property + repository: quay.io/jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property # annotations: {} - # Automount API credentials for a Service Account. + # Optional additional labels to add to the cainjector's ServiceAccount + # +docs:property # labels: {} + + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be 
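Review bot: `cainjector.image.repository` now reads `quay.io/jetstack/cert-manager-controller`, while the line it replaces was `quay.io/jetstack/cert-manager-cainjector`; the webhook, acmesolver and startupapicheck blocks in the neighbouring hunks each keep their own image, so this looks like a copy-paste slip rather than an intended change. With this default the cainjector Deployment would pull and run the controller image instead of the cainjector one, a silent component substitution that users pinning by `tag` or `digest` would not notice either. The line should be `repository: quay.io/jetstack/cert-manager-cainjector`. It would be worth a CI check that each component's default image name matches the component, if one does not already exist.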
@@ -682,32 +1083,46 @@ cainjector: # links. enableServiceLinks: false +# +docs:section=ACME Solver + acmesolver: image: - repository: quay.io/jetstack/cert-manager-acmesolver - # You can manage a registry with + # The container registry to pull the acmesolver image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-acmesolver + + # The container image for the cert-manager acmesolver + # +docs:property + repository: quay.io/jetstack/cert-manager-acmesolver # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + +# +docs:section=Startup API Check # This startupapicheck is a Helm post-install hook that waits for the webhook # endpoints to become available. -# The check is implemented using a Kubernetes Job- if you are injecting mesh +# The check is implemented using a Kubernetes Job - if you are injecting mesh # sidecar proxies into cert-manager pods, you probably want to ensure that they # are not injected into this Job's pod. Otherwise the installation may time out # due to the Job never being completed because the sidecar proxy does not exit. # See https://github.com/cert-manager/cert-manager/pull/4414 for context. + startupapicheck: + # Enables the startup api check enabled: true # Pod Security Context to be set on the startupapicheck component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: 
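Review bot: `pullPolicy: IfNotPresent` is newly added under `acmesolver.image`, but nothing in this diff shows a template consuming it, so a user who changes it may see no effect; confirm the solver pod template reads the value, or leave the key out until it does. Its comment, `# Kubernetes imagePullPolicy on Deployment.`, is copied from the Deployment-backed components; the acmesolver image is presumably run in pods created by the controller rather than by a chart Deployment, and the same wording under `startupapicheck.image` in the `@@ -743` hunk describes what the comment at the top of this hunk calls a Kubernetes Job. Suggest `# Kubernetes imagePullPolicy for the acmesolver pods.` here and `# Kubernetes imagePullPolicy on the startupapicheck Job.` there.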
@@ -715,6 +1130,7 @@ startupapicheck: # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property containerSecurityContext: allowPrivilegeEscalation: false capabilities: @@ -729,12 +1145,14 @@ startupapicheck: backoffLimit: 4 # Optional additional annotations to add to the startupapicheck Job + # +docs:property jobAnnotations: helm.sh/hook: post-install helm.sh/hook-weight: "1" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Optional additional annotations to add to the startupapicheck Pods + # +docs:property # podAnnotations: {} # Additional command line flags to pass to startupapicheck binary. 
@@ -743,47 +1161,89 @@ startupapicheck: # We enable verbose logging by default so that if startupapicheck fails, users # can know what exactly caused the failure. Verbose logs include details of # the webhook URL, IP address and TCP connect errors for example. + # +docs:property extraArgs: - -v + # Resources to provide to the cert-manager controller pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] # Optional additional labels to add to the startupapicheck Pods podLabels: {} image: - repository: quay.io/jetstack/cert-manager-startupapicheck - # You can manage a registry with + # The container registry to pull the startupapicheck image from + # +docs:property # registry: quay.io - # repository: jetstack/cert-manager-ctl + + # The container image for the cert-manager 
startupapicheck + # +docs:property + repository: quay.io/jetstack/cert-manager-startupapicheck # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. - # tag: canary + # +docs:property + # tag: vX.Y.Z # Setting a digest will override any tag + # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent rbac: # annotations for the startup API Check job RBAC and PSP resources + # +docs:property annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true serviceAccount: @@ -792,21 +1252,28 @@ startupapicheck: # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template + # +docs:property # name: "" # Optional additional annotations to add to the Job's ServiceAccount + # +docs:property annotations: helm.sh/hook: post-install helm.sh/hook-weight: "-5" helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automount API credentials for a Service Account. + # +docs:property automountServiceAccountToken: true # Optional additional labels to add to the startupapicheck's ServiceAccount + # +docs:property # labels: {} + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be diff --git a/make/ci.mk b/make/ci.mk index 324ea554e..57246b251 100644 --- a/make/ci.mk +++ b/make/ci.mk 
@@ -109,10 +109,14 @@ update-codegen: | k8s-codegen-tools $(NEEDS_GO) ./$(BINDIR)/tools/conversion-gen \ ./$(BINDIR)/tools/openapi-gen +.PHONY: update-helm-docs +update-helm-docs: | $(NEEDS_HELM-TOOL) + $(HELM-TOOL) inject --header-search '^' --footer-search '^' -i deploy/charts/cert-manager/values.yaml -o deploy/charts/cert-manager/README.template.md + .PHONY: update-all ## Update CRDs, code generation and licenses to the latest versions. ## This is provided as a convenience to run locally before creating a PR, to ensure ## that everything is up-to-date. ## ## @category Development -update-all: update-crds update-codegen update-licenses +update-all: update-crds update-codegen update-licenses update-helm-docs diff --git a/make/tools.mk b/make/tools.mk index e058173c0..d4f3f333e 100644 --- a/make/tools.mk +++ b/make/tools.mk @@ -65,6 +65,8 @@ TOOLS += boilersuite=v0.1.0 TOOLS += ginkgo=$(shell awk '/ginkgo\/v2/ {print $$2}' go.mod) # https://github.com/golangci/golangci-lint/releases TOOLS += golangci-lint=v1.55.2 +# https://github.com/cert-manager/helm-tool +TOOLS += helm-tool=v0.2.1 # Version of Gateway API install bundle https://gateway-api.sigs.k8s.io/v1alpha2/guides/#installing-gateway-api GATEWAY_API_VERSION=v1.0.0 @@ -243,6 +245,7 @@ GO_DEPENDENCIES += gotestsum=gotest.tools/gotestsum GO_DEPENDENCIES += crane=github.com/google/go-containerregistry/cmd/crane GO_DEPENDENCIES += boilersuite=github.com/cert-manager/boilersuite GO_DEPENDENCIES += golangci-lint=github.com/golangci/golangci-lint/cmd/golangci-lint +GO_DEPENDENCIES += helm-tool=github.com/cert-manager/helm-tool define go_dependency $$(BINDIR)/downloaded/tools/$1@$($(call UC,$1)_VERSION)_%: | $$(NEEDS_GO) $$(BINDIR)/downloaded/tools
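Review bot: The new `update-helm-docs` target carries no `##` help comment, while its neighbour `update-all` documents itself with `## ...` lines and a `## @category Development` trailer; add e.g. `## Regenerate deploy/charts/cert-manager/README.template.md from values.yaml with helm-tool.` and `## @category Development` above `.PHONY: update-helm-docs` so it appears in the generated help. Wiring it into `update-all` keeps the README in sync locally, but nothing in this diff adds a matching verify step, so drift between values.yaml and the README would not fail CI unless a check already exists elsewhere. The `--header-search '^' --footer-search '^'` arguments are not self-explanatory; a one-line comment on what region of the README they delimit would help the next person who edits the target.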