DirectorySecurity AdvisoriesPricing
Sign in
Directory
cert-manager-istio-csr logoHELM

cert-manager-istio-csr

Helm chart
Last changed
Request a free trial

Contact our team to test out this Helm chart and related images for free. Please also indicate any other images you would like to evaluate.

Overview
Chart versions
Default values
Chart metadata
Images

Tag:

1
# nameOverride replaces the name of the chart in the Chart.yaml file when this
2
# is used to construct Kubernetes object names.
3
# +docs:property
4
# nameOverride: istio-csr
5
6
# The number of replicas of istio-csr to run.
7
replicaCount: 1
8
# The container registry used for istio-csr images by default.
9
# This can include path prefixes (e.g. "artifactory.example.com/docker").
10
# +docs:property
11
imageRegistry: quay.io
12
# The repository namespace used for istio-csr images by default.
13
# Examples:
14
# - jetstack
15
# - cert-manager
16
# +docs:property
17
imageNamespace: jetstack
18
image:
19
# Target image registry. This value is prepended to the target image repository, if set.
20
# For example:
21
# registry: quay.io
22
# repository: jetstack/cert-manager-istio-csr
23
# Deprecated: per-component registry prefix.
24
#
25
# If set, this value is *prepended* to the image repository that the chart would otherwise render.
26
# This applies both when `image.repository` is set and when the repository is computed from
27
# `imageRegistry` + `imageNamespace` + `image.name`.
28
#
29
# This can produce "double registry" style references such as
30
# `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
31
# `imageRegistry`/`imageNamespace` values.
32
# +docs:property
33
# registry: quay.io
34
35
# Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
36
# and `image.name`).
37
# Example: quay.io/jetstack/cert-manager-istio-csr
38
# +docs:property
39
repository: cgr.dev/chainguard-private/cert-manager-istio-csr-fips
40
# The image name for istio-csr.
41
# This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
42
# image reference.
43
# +docs:property
44
name: cert-manager-istio-csr
45
# Override the image tag to deploy by setting this variable.
46
# If no value is set, the chart's appVersion is used.
47
# +docs:property
48
# tag: vX.Y.Z
49
50
# Target image digest. Override any tag, if set.
51
# For example:
52
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
53
# +docs:property
54
# digest: sha256:...
55
56
# Kubernetes imagePullPolicy on Deployment.
57
pullPolicy: IfNotPresent
58
tag: latest
59
digest: sha256:66cb39abb9db302cfd007fc6e2afd210ac1146cea9e74da6edc04041d98dc5a2
60
# Optional secrets used for pulling the istio-csr container image.
61
imagePullSecrets: []
62
service:
63
# Service type to expose the istio-csr gRPC service.
64
type: ClusterIP
65
# Service port to expose the istio-csr gRPC service.
66
port: 443
67
# Service nodePort to expose the istio-csr gRPC service.
68
# +docs:type=number
69
# +docs:property
70
# nodePort:
71
app:
72
# Verbosity of istio-csr logging.
73
logLevel: 1 # 1-5
74
# Output format of istio-csr logging.
75
logFormat: text # text or json
76
metrics:
77
# Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
78
port: 9402
79
# Service to expose metrics endpoint.
80
service:
81
# Create a Service resource to expose the metrics endpoint.
82
enabled: true
83
# Service type to expose metrics.
84
type: ClusterIP
85
# The ServiceMonitor resource for this Service.
86
servicemonitor:
87
# Create a Prometheus ServiceMonitor resource.
88
enabled: false
89
# The value for the "prometheus" label on the ServiceMonitor. This allows
90
# for multiple Prometheus instances selecting different ServiceMonitors
91
# using label selectors.
92
prometheusInstance: default
93
# The interval at which Prometheus will scrape for metrics.
94
interval: 10s
95
# The timeout on each metric probe request.
96
scrapeTimeout: 5s
97
# Additional labels to give the ServiceMonitor resource.
98
labels: {}
99
# DEPRECATED: moved to app.runtimeConfiguration.name
100
#
101
# Name of a ConfigMap in the installation namespace to watch, providing
102
# runtime configuration of an issuer to use.
103
#
104
# The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in
105
# the ConfigMap for it to be used.
106
#
107
# +docs:hidden
108
runtimeIssuanceConfigMap: ""
109
runtimeConfiguration:
110
# Create the runtime-configuration ConfigMap.
111
create: false
112
# Name of a ConfigMap in the installation namespace to watch, providing
113
# runtime configuration of an issuer to use.
114
#
115
# If create is set to true, then this name is used to create the ConfigMap,
116
# otherwise the ConfigMap must exist, and the "issuer-name", "issuer-kind"
117
# and "issuer-group" keys must be present in it.
118
name: ""
119
issuer:
120
# Issuer name set on created CertificateRequests for both istio-csr's
121
# serving certificate and incoming gRPC CSRs.
122
name: istio-ca
123
# Issuer kind set on created CertificateRequests for both istio-csr's
124
# serving certificate and incoming gRPC CSRs.
125
kind: Issuer
126
# Issuer group name set on created CertificateRequests for both
127
# istio-csr's serving certificate and incoming gRPC CSRs.
128
group: cert-manager.io
129
readinessProbe:
130
# Container port to expose the istio-csr HTTP readiness probe on the default network interface.
131
port: 6060
132
# Path to expose the istio-csr HTTP readiness probe on the default network interface.
133
path: "/readyz"
134
certmanager:
135
# Namespace to create CertificateRequests for both istio-csr's serving
136
# certificate and incoming gRPC CSRs.
137
namespace: istio-system
138
# Don't delete created CertificateRequests once they have been signed.
139
# WARNING: Do not enable this option in production, or environments with
140
# any non-trivial number of workloads for an extended period of time. Doing
141
# so will balloon the resource consumption of both ETCD and the API server,
142
# leading to errors and slow down. This option is intended for debugging
143
# purposes only, for limited periods of time.
144
preserveCertificateRequests: false
145
# Additional annotations to include on certificate requests.
146
# Takes key/value pairs in the format:
147
# additionalAnnotations:
148
# - name: custom.cert-manager.io/policy-name
149
# value: istio-csr
150
additionalAnnotations: []
151
issuer:
152
# Enable the default issuer, this is the issuer used when no runtime
153
# configuration is provided.
154
#
155
# When enabled, the istio-csr Pod will not be "Ready" until the issuer
156
# has been used to issue the istio-csr GRPC certificate.
157
#
158
# For istio-csr to function, either this or runtime configuration must be
159
# enabled.
160
enabled: true
161
# Issuer name set on created CertificateRequests for both istio-csr's
162
# serving certificate and incoming gRPC CSRs.
163
name: istio-ca
164
# Issuer kind set on created CertificateRequests for both istio-csr's
165
# serving certificate and incoming gRPC CSRs.
166
kind: Issuer
167
# Issuer group name set on created CertificateRequests for both
168
# istio-csr's serving certificate and incoming gRPC CSRs.
169
group: cert-manager.io
170
tls:
171
# The Istio cluster's trust domain.
172
trustDomain: "cluster.local"
173
# An optional file location to a PEM encoded root CA that the root CA
174
# ConfigMap in all namespaces will be populated with. If empty, the CA
175
# returned from cert-manager for the serving certificate will be used.
176
rootCAFile: # /var/certs/ca.pem
177
# The DNS names to request for the server's serving certificate which is
178
# presented to istio-agents. istio-agents must route to istio-csr using one
179
# of these DNS names.
180
certificateDNSNames:
181
- cert-manager-istio-csr.cert-manager.svc
182
# Requested duration of the gRPC serving certificate. Will be automatically
183
# renewed.
184
# Based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
185
certificateDuration: 1h
186
# If true, create the istiod certificate using a cert-manager certificate as part
187
# of the install. If set to "dynamic", will create the cert dynamically when
188
# istio-csr pods start up. If false, no cert is created.
189
# +docs:type=boolean,string,null
190
istiodCertificateEnable: true
191
# Requested duration of istio's Certificate. Will be automatically renewed.
192
# Default is based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
193
# Warning: cert-manager does not allow a duration on Certificates less than 1 hour.
194
istiodCertificateDuration: 1h
195
# Amount of time to wait before trying to renew the istiod certificate.
196
# Must be smaller than the certificate's duration.
197
istiodCertificateRenewBefore: 30m
198
# Private key algorithm to use. For backwards compatibility, defaults to the same value as app.server.serving.signatureAlgorithm
199
istiodPrivateKeyAlgorithm: ""
200
# Parameter for the istiod certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.
201
istiodPrivateKeySize: 2048
202
# Provide additional DNS names to request on the istiod certificate. Useful if istiod
203
# should be accessible via multiple DNS names and/or outside of the cluster.
204
istiodAdditionalDNSNames: []
205
server:
206
authenticators:
207
# Enable the client certificate authenticator. This will allow workloads to use preexisting certificates to
208
# authenticate with istio-csr when rotating their certificate.
209
enableClientCert: false
210
# The istio cluster ID to verify incoming CSRs.
211
clusterID: "Kubernetes"
212
# Maximum validity duration that can be requested for a certificate.
213
# istio-csr will request a duration of the smaller of this value, and that of
214
# the incoming gRPC CSR.
215
# Based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
216
maxCertificateDuration: 1h
217
serving:
218
# Container address to serve the istio-csr gRPC service.
219
address: 0.0.0.0
220
# Container port to serve the istio-csr gRPC service.
221
port: 6443
222
# Parameter for the serving certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.
223
certificateKeySize: 2048
224
# The type of private key to generate for the serving certificate. Only RSA (default) and ECDSA are supported.
225
# NB: This variable is named incorrectly; it controls private key algorithm, not signature algorithm.
226
signatureAlgorithm: "RSA"
227
# A comma-separated list of service accounts that are allowed to use node authentication for CSRs, e.g. "istio-system/ztunnel".
228
caTrustedNodeAccounts: ""
229
istio:
230
# The istio revisions that are currently installed in the cluster.
231
# Changing this field will modify the DNS names that will be requested for
232
# the istiod certificate (if enabled).
233
# The common name for the istiod certificate is hard coded to the `default` revision
234
# DNS name.
235
# Some issuers may require that the common name on certificates match one
236
# of the DNS names. If 1. Your issuer has this constraint, and 2. You are
237
# not using `default` as a revision, add the `default` revision here
238
# anyway. The resulting certificate will include a DNS name that won't be
239
# used, but will pass this constraint.
240
revisions: ["default"]
241
# The namespace where the istio control-plane is running.
242
namespace: istio-system
243
controller:
244
leaderElectionNamespace: istio-system
245
# If set, limit where istio-csr creates configmaps with root CA certificates. If unset, configmap created in ALL namespaces.
246
# Example: maistra.io/member-of=istio-system
247
# +docs:type=string
248
# +docs:property
249
# configmapNamespaceSelector:
250
251
# Allows you to disable the default Kubernetes client rate limiter if
252
# istio-csr is exceeding the default QPS (5) and Burst (10) limits.
253
# For example, in large clusters with many Istio workloads, restarting the Pods may cause
254
# istio-csr to send bursts of Kubernetes API requests that exceed the limits of
255
# the default Kubernetes client rate limiter, and istio-csr will become slow to issue
256
# certificates for your workloads.
257
# Only disable client rate limiting if the Kubernetes API server supports
258
# [API Priority and Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/),
259
# to avoid overloading the server.
260
disableKubernetesClientRateLimiter: false
261
# Maximum number of concurrent reconciles that the controller executes with. Defaults to 1.
262
# Example: 4
263
# +docs:type=number
264
# +docs:property
265
# maxConcurrentReconciles:
266
# Optional extra labels for deployment.
267
deploymentLabels: {}
268
# Optional extra annotations for deployment.
269
deploymentAnnotations: {}
270
# Optional extra labels for pod.
271
podLabels: {}
272
# Optional extra annotations for pod.
273
podAnnotations: {}
274
# Optional extra volumes. Useful for mounting custom root CAs.
275
#
276
# For example:
277
# volumes:
278
# - name: root-ca
279
# secret:
280
# secretName: root-cert
281
volumes: []
282
# Optional extra volume mounts. Useful for mounting custom root CAs.
283
#
284
# For example:
285
# volumeMounts:
286
# - name: root-ca
287
# mountPath: /etc/tls
288
volumeMounts: []
289
# Kubernetes [pod resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
290
#
291
# For example:
292
# resources:
293
# limits:
294
# cpu: 100m
295
# memory: 128Mi
296
# requests:
297
# cpu: 100m
298
# memory: 128Mi
299
resources: {}
300
# Kubernetes [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
301
#
302
# See the default values for an example.
303
# +docs:property
304
securityContext:
305
allowPrivilegeEscalation: false
306
readOnlyRootFilesystem: true
307
runAsNonRoot: true
308
capabilities:
309
drop:
310
- ALL
311
seccompProfile:
312
type: RuntimeDefault
313
# Expects input structure as per [specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core).
314
#
315
# For example:
316
# affinity:
317
# nodeAffinity:
318
# requiredDuringSchedulingIgnoredDuringExecution:
319
# nodeSelectorTerms:
320
# - matchExpressions:
321
# - key: foo.bar.com/role
322
# operator: In
323
# values:
324
# - master
325
affinity: {}
326
# Expects input structure as per [specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core).
327
#
328
# For example:
329
# tolerations:
330
# - key: foo.bar.com/role
331
# operator: Equal
332
# value: master
333
# effect: NoSchedule
334
tolerations: []
335
# List of Kubernetes TopologySpreadConstraints. For more information, see [TopologySpreadConstraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
336
# For example:
337
# topologySpreadConstraints:
338
# - maxSkew: 2
339
# topologyKey: topology.kubernetes.io/zone
340
# whenUnsatisfiable: ScheduleAnyway
341
# labelSelector:
342
# matchLabels:
343
# app.kubernetes.io/name: cert-manager-istio-csr
344
# app.kubernetes.io/instance: istio-csr
345
topologySpreadConstraints: []
346
# Kubernetes node selector: node labels for pod assignment.
347
# +docs:property=nodeSelector
348
nodeSelector:
349
kubernetes.io/os: linux
350
# Labels to apply to all resources.
351
commonLabels: {}
352
# Create resources alongside installing istio-csr, via Helm values. Can accept an array of YAML-formatted
353
# resources. Each array entry can include multiple YAML documents, separated by '---'.
354
#
355
# For example:
356
# extraObjects:
357
# - |
358
# apiVersion: v1
359
# kind: ConfigMap
360
# metadata:
361
# name: '{{ template "cert-manager-istio-csr.fullname" . }}-extra-configmap'
362
extraObjects: []
363
# Configures a disruption budget for istio-csr.
364
podDisruptionBudget:
365
# Enable or disable the PodDisruptionBudget resource for istio-csr.
366
enabled: false
367
# This configures the minimum available pods for disruptions. It can either be set to
368
# an integer (e.g., 1) or a percentage value (e.g., 25%).
369
# It cannot be used if `maxUnavailable` is set.
370
# +docs:property
371
# +docs:type=string,integer
372
# minAvailable: 0
373
374
# This configures the maximum unavailable pods for disruptions. It can either be set to
375
# an integer (e.g., 1) or a percentage value (e.g., 25%).
376
# it cannot be used if `minAvailable` is set.
377
# +docs:property
378
# +docs:type=string,integer
379
maxUnavailable: 1
380

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.