1# nameOverride replaces the name of the chart in the Chart.yaml file when this
2# is used to construct Kubernetes object names.
4# nameOverride: istio-csr
6# The number of replicas of istio-csr to run.
8# The container registry used for istio-csr images by default.
9# This can include path prefixes (e.g. "artifactory.example.com/docker").
12# The repository namespace used for istio-csr images by default.
17imageNamespace: jetstack
19 # Target image registry. This value is prepended to the target image repository, if set.
22 # repository: jetstack/cert-manager-istio-csr
23 # Deprecated: per-component registry prefix.
25 # If set, this value is *prepended* to the image repository that the chart would otherwise render.
26 # This applies both when `image.repository` is set and when the repository is computed from
27 # `imageRegistry` + `imageNamespace` + `image.name`.
29 # This can produce "double registry" style references such as
30 # `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
31 # `imageRegistry`/`imageNamespace` values.
35 # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
37 # Example: quay.io/jetstack/cert-manager-istio-csr
39 repository: cgr.dev/chainguard-private/cert-manager-istio-csr-fips
40 # The image name for istio-csr.
41 # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
44 name: cert-manager-istio-csr
45 # Override the image tag to deploy by setting this variable.
46 # If no value is set, the chart's appVersion is used.
50 # Target image digest. Override any tag, if set.
52 # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
56 # Kubernetes imagePullPolicy on Deployment.
57 pullPolicy: IfNotPresent
59 digest: sha256:66cb39abb9db302cfd007fc6e2afd210ac1146cea9e74da6edc04041d98dc5a2
60# Optional secrets used for pulling the istio-csr container image.
63 # Service type to expose the istio-csr gRPC service.
65 # Service port to expose the istio-csr gRPC service.
67 # Service nodePort to expose the istio-csr gRPC service.
72 # Verbosity of istio-csr logging.
74 # Output format of istio-csr logging.
75 logFormat: text # text or json
77 # Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
79 # Service to expose metrics endpoint.
81 # Create a Service resource to expose the metrics endpoint.
83 # Service type to expose metrics.
85 # The ServiceMonitor resource for this Service.
87 # Create a Prometheus ServiceMonitor resource.
89 # The value for the "prometheus" label on the ServiceMonitor. This allows
90 # for multiple Prometheus instances selecting different ServiceMonitors
91 # using label selectors.
92 prometheusInstance: default
93 # The interval at which Prometheus will scrape for metrics.
95 # The timeout on each metric probe request.
97 # Additional labels to give the ServiceMonitor resource.
99 # DEPRECATED: moved to app.runtimeConfiguration.name
101 # Name of a ConfigMap in the installation namespace to watch, providing
102 # runtime configuration of an issuer to use.
104 # The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in
105 # the ConfigMap for it to be used.
108 runtimeIssuanceConfigMap: ""
109 runtimeConfiguration:
110 # Create the runtime-configuration ConfigMap.
112 # Name of a ConfigMap in the installation namespace to watch, providing
113 # runtime configuration of an issuer to use.
115 # If create is set to true, then this name is used to create the ConfigMap,
116 # otherwise the ConfigMap must exist, and the "issuer-name", "issuer-kind"
117 # and "issuer-group" keys must be present in it.
120 # Issuer name set on created CertificateRequests for both istio-csr's
121 # serving certificate and incoming gRPC CSRs.
123 # Issuer kind set on created CertificateRequests for both istio-csr's
124 # serving certificate and incoming gRPC CSRs.
126 # Issuer group name set on created CertificateRequests for both
127 # istio-csr's serving certificate and incoming gRPC CSRs.
128 group: cert-manager.io
130 # Container port to expose the istio-csr HTTP readiness probe on the default network interface.
132 # Path to expose the istio-csr HTTP readiness probe on the default network interface.
135 # Namespace to create CertificateRequests for both istio-csr's serving
136 # certificate and incoming gRPC CSRs.
137 namespace: istio-system
138 # Don't delete created CertificateRequests once they have been signed.
139 # WARNING: Do not enable this option in production, or environments with
140 # any non-trivial number of workloads for an extended period of time. Doing
141 # so will balloon the resource consumption of both ETCD and the API server,
142 # leading to errors and slow down. This option is intended for debugging
143 # purposes only, for limited periods of time.
144 preserveCertificateRequests: false
145 # Additional annotations to include on certificate requests.
146 # Takes key/value pairs in the format:
147 # additionalAnnotations:
148 # - name: custom.cert-manager.io/policy-name
150 additionalAnnotations: []
152 # Enable the default issuer, this is the issuer used when no runtime
153 # configuration is provided.
155 # When enabled, the istio-csr Pod will not be "Ready" until the issuer
156 # has been used to issue the istio-csr GRPC certificate.
158 # For istio-csr to function, either this or runtime configuration must be
161 # Issuer name set on created CertificateRequests for both istio-csr's
162 # serving certificate and incoming gRPC CSRs.
164 # Issuer kind set on created CertificateRequests for both istio-csr's
165 # serving certificate and incoming gRPC CSRs.
167 # Issuer group name set on created CertificateRequests for both
168 # istio-csr's serving certificate and incoming gRPC CSRs.
169 group: cert-manager.io
171 # The Istio cluster's trust domain.
172 trustDomain: "cluster.local"
173 # An optional file location to a PEM encoded root CA that the root CA
174 # ConfigMap in all namespaces will be populated with. If empty, the CA
175 # returned from cert-manager for the serving certificate will be used.
176 rootCAFile: # /var/certs/ca.pem
177 # The DNS names to request for the server's serving certificate which is
178 # presented to istio-agents. istio-agents must route to istio-csr using one
179 # of these DNS names.
181 - cert-manager-istio-csr.cert-manager.svc
182 # Requested duration of the gRPC serving certificate. Will be automatically
184 # Based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
185 certificateDuration: 1h
186 # If true, create the istiod certificate using a cert-manager certificate as part
187 # of the install. If set to "dynamic", will create the cert dynamically when
188 # istio-csr pods start up. If false, no cert is created.
189 # +docs:type=boolean,string,null
190 istiodCertificateEnable: true
191 # Requested duration of istio's Certificate. Will be automatically renewed.
192 # Default is based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
193 # Warning: cert-manager does not allow a duration on Certificates less than 1 hour.
194 istiodCertificateDuration: 1h
195 # Amount of time to wait before trying to renew the istiod certificate.
196 # Must be smaller than the certificate's duration.
197 istiodCertificateRenewBefore: 30m
198 # Private key algorithm to use. For backwards compatibility, defaults to the same value as app.server.serving.signatureAlgorithm
199 istiodPrivateKeyAlgorithm: ""
200 # Parameter for the istiod certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.
201 istiodPrivateKeySize: 2048
202 # Provide additional DNS names to request on the istiod certificate. Useful if istiod
203 # should be accessible via multiple DNS names and/or outside of the cluster.
204 istiodAdditionalDNSNames: []
207 # Enable the client certificate authenticator. This will allow workloads to use preexisting certificates to
208 # authenticate with istio-csr when rotating their certificate.
209 enableClientCert: false
210 # The istio cluster ID to verify incoming CSRs.
211 clusterID: "Kubernetes"
212 # Maximum validity duration that can be requested for a certificate.
213 # istio-csr will request a duration of the smaller of this value, and that of
214 # the incoming gRPC CSR.
215 # Based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
216 maxCertificateDuration: 1h
218 # Container address to serve the istio-csr gRPC service.
220 # Container port to serve the istio-csr gRPC service.
222 # Parameter for the serving certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.
223 certificateKeySize: 2048
224 # The type of private key to generate for the serving certificate. Only RSA (default) and ECDSA are supported.
225 # NB: This variable is named incorrectly; it controls private key algorithm, not signature algorithm.
226 signatureAlgorithm: "RSA"
227 # A comma-separated list of service accounts that are allowed to use node authentication for CSRs, e.g. "istio-system/ztunnel".
228 caTrustedNodeAccounts: ""
230 # The istio revisions that are currently installed in the cluster.
231 # Changing this field will modify the DNS names that will be requested for
232 # the istiod certificate (if enabled).
233 # The common name for the istiod certificate is hard coded to the `default` revision
235 # Some issuers may require that the common name on certificates match one
236 # of the DNS names. If 1. Your issuer has this constraint, and 2. You are
237 # not using `default` as a revision, add the `default` revision here
238 # anyway. The resulting certificate will include a DNS name that won't be
239 # used, but will pass this constraint.
240 revisions: ["default"]
241 # The namespace where the istio control-plane is running.
242 namespace: istio-system
244 leaderElectionNamespace: istio-system
245 # If set, limit where istio-csr creates configmaps with root CA certificates. If unset, configmap created in ALL namespaces.
246 # Example: maistra.io/member-of=istio-system
249 # configmapNamespaceSelector:
251 # Allows you to disable the default Kubernetes client rate limiter if
252 # istio-csr is exceeding the default QPS (5) and Burst (10) limits.
253 # For example, in large clusters with many Istio workloads, restarting the Pods may cause
254 # istio-csr to send bursts of Kubernetes API requests that exceed the limits of
255 # the default Kubernetes client rate limiter, and istio-csr will become slow to issue
256 # certificates for your workloads.
257 # Only disable client rate limiting if the Kubernetes API server supports
258 # [API Priority and Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/),
259 # to avoid overloading the server.
260 disableKubernetesClientRateLimiter: false
261 # Maximum number of concurrent reconciles that the controller executes with. Defaults to 1.
265 # maxConcurrentReconciles:
266# Optional extra labels for deployment.
268# Optional extra annotations for deployment.
269deploymentAnnotations: {}
270# Optional extra labels for pod.
272# Optional extra annotations for pod.
274# Optional extra volumes. Useful for mounting custom root CAs.
280# secretName: root-cert
282# Optional extra volume mounts. Useful for mounting custom root CAs.
289# Kubernetes [pod resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
300# Kubernetes [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
302# See the default values for an example.
305 allowPrivilegeEscalation: false
306 readOnlyRootFilesystem: true
313# Expects input structure as per [specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core).
318# requiredDuringSchedulingIgnoredDuringExecution:
321# - key: foo.bar.com/role
326# Expects input structure as per [specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core).
330# - key: foo.bar.com/role
335# List of Kubernetes TopologySpreadConstraints. For more information, see [TopologySpreadConstraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
337# topologySpreadConstraints:
339# topologyKey: topology.kubernetes.io/zone
340# whenUnsatisfiable: ScheduleAnyway
343# app.kubernetes.io/name: cert-manager-istio-csr
344# app.kubernetes.io/instance: istio-csr
345topologySpreadConstraints: []
346# Kubernetes node selector: node labels for pod assignment.
347# +docs:property=nodeSelector
349 kubernetes.io/os: linux
350# Labels to apply to all resources.
352# Create resources alongside installing istio-csr, via Helm values. Can accept an array of YAML-formatted
353# resources. Each array entry can include multiple YAML documents, separated by '---'.
361# name: '{{ template "cert-manager-istio-csr.fullname" . }}-extra-configmap'
363# Configures a disruption budget for istio-csr.
365 # Enable or disable the PodDisruptionBudget resource for istio-csr.
367 # This configures the minimum available pods for disruptions. It can either be set to
368 # an integer (e.g., 1) or a percentage value (e.g., 25%).
369 # It cannot be used if `maxUnavailable` is set.
371 # +docs:type=string,integer
374 # This configures the maximum unavailable pods for disruptions. It can either be set to
375 # an integer (e.g., 1) or a percentage value (e.g., 25%).
376 # it cannot be used if `minAvailable` is set.
378 # +docs:type=string,integer