# +docs:section=Global

# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
  # Reference to one or more secrets to be used when pulling images.
  # For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
  #
  # For example:
  #  imagePullSecrets:
  #    - name: "image-pull-secret"
  #
  # NOTE(review): the default controller image below is served from the
  # "chainguard-private" repository, which presumably needs a pull secret
  # listed here — confirm against the registry's access policy.
  imagePullSecrets: []

  # Global node selector
  #
  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
  # matching labels.
  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
  #
  # If a component-specific nodeSelector is also set, it will be merged and take precedence.
  # +docs:property
  nodeSelector: {}

  # Labels to apply to all resources.
  # Please note that this does not add labels to the resources created dynamically by the controllers.
  # For these resources, you have to add the labels in the template in the cert-manager custom resource:
  # For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
  # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).
  # For example, secretTemplate in CertificateSpec
  # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
  commonLabels: {}

  # The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).
  # +docs:property
  # revisionHistoryLimit: 1

  # The optional priority class to be used for the cert-manager pods.
  priorityClassName: ""

  # Set all pods to run in a user namespace without host access.
  # Experimental: may be removed once the Kubernetes User Namespaces feature is GA.
  #
  # Requirements:
  # - Kubernetes ≥ 1.33, or
  # - Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.
  #
  # Set to false to run pods in a user namespace without host access.
  #
  # See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.
  # +docs:property
  # hostUsers: false

  rbac:
    # Create required ClusterRoles and ClusterRoleBindings for cert-manager.
    create: true

    # Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
    #
    # NOTE(review): aggregation widens the built-in admin/edit/view roles with
    # cert-manager permissions for every subject already bound to them. In
    # multi-tenant clusters where those roles are handed to tenants, consider
    # setting this to false and granting cert-manager resource access explicitly.
    # Confirm the exact verbs added against the chart's ClusterRole templates.
    aggregateClusterRoles: true

  podSecurityPolicy:
    # Create PodSecurityPolicy for cert-manager.
    #
    # Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
    # On clusters ≥ 1.25 use Pod Security Admission (namespace labels) instead;
    # this setting then has no effect.
    enabled: false

    # Configure the PodSecurityPolicy to use AppArmor.
    # Presumably only consulted when `enabled` is true — verify in the templates.
    useAppArmor: true

  # Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose.
  # NOTE(review): higher levels may log request details; keep at the default in
  # production unless actively debugging.
  logLevel: 2

  leaderElection:
    # Override the namespace used for the leader election lease.
    # NOTE(review): the controller needs Lease permissions in this namespace, so
    # the default places a Role/RoleBinding in kube-system. A dedicated namespace
    # keeps the controller's RBAC footprint out of the system namespace.
    namespace: "kube-system"

    # The duration that non-leader candidates will wait after observing a
    # leadership renewal until attempting to acquire leadership of a led but
    # unrenewed leader slot. This is effectively the maximum duration that a
    # leader can be stopped before it is replaced by another candidate.
    # +docs:property
    # leaseDuration: 60s

    # The interval between attempts by the acting master to renew a leadership
    # slot before it stops leading. This must be less than or equal to the
    # lease duration.
    # +docs:property
    # renewDeadline: 40s

    # The duration the clients should wait between attempting acquisition and
    # renewal of a leadership.
    # +docs:property
    # retryPeriod: 15s

# This option is equivalent to setting crds.enabled=true and crds.keep=true.
# Deprecated: use crds.enabled and crds.keep instead.
installCRDs: false

crds:
  # This option decides if the CRDs should be installed
  # as part of the Helm installation.
  #
  # NOTE(review): with this left false, the cert-manager CRDs must be applied by
  # some other means before any Certificate/Issuer resource can be created.
  enabled: false

  # This option makes it so that the "helm.sh/resource-policy": keep
  # annotation is added to the CRD. This will prevent Helm from uninstalling
  # the CRD when the Helm release is uninstalled.
  # WARNING: when the CRDs are removed, all cert-manager custom resources
  # (Certificates, Issuers, ...) will be removed too by the garbage collector.
  keep: true

# +docs:section=Controller

# The number of replicas of the cert-manager controller to run.
#
# The default is 1, but in production set this to 2 or 3 to provide high
# availability.
#
# If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.
#
# Note that cert-manager uses leader election to ensure that there can
# only be a single instance active at a time.
replicaCount: 1

# Deployment update strategy for the cert-manager controller deployment.
# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
#
# For example:
# strategy:
#   type: RollingUpdate
#   rollingUpdate:
#     maxSurge: 0
#     maxUnavailable: 1
#
# An empty map leaves the Deployment's default strategy in place.
strategy: {}

podDisruptionBudget:
  # Enable or disable the PodDisruptionBudget resource.
  #
  # This prevents downtime during voluntary disruptions such as during a Node upgrade.
  # For example, the PodDisruptionBudget will block `kubectl drain`
  # if it is used on the Node where the only remaining cert-manager
  # Pod is currently running.
  enabled: false

  # This configures the minimum available pods for disruptions. It can either be set to
  # an integer (e.g., 1) or a percentage value (e.g., 25%).
  # It cannot be used if `maxUnavailable` is set.
  # +docs:property
  # +docs:type=unknown
  # minAvailable: 1

  # This configures the maximum unavailable pods for disruptions. It can either be set to
  # an integer (e.g., 1) or a percentage value (e.g., 25%).
  # It cannot be used if `minAvailable` is set.
  # +docs:property
  # +docs:type=unknown
  # maxUnavailable: 1

# A comma-separated list of feature gates that should be enabled on the
# controller pod.
featureGates: ""

# The maximum number of challenges that can be scheduled as 'processing' at once.
# NOTE(review): this bounds concurrent outbound ACME/DNS work from the
# controller; raise it deliberately rather than to "unlimited".
maxConcurrentChallenges: 60

image:
  # The container registry to pull the manager image from.
  # +docs:property
  # registry: quay.io

  # The container image for the cert-manager controller.
  # +docs:property
  repository: chainguard-private/cert-manager-controller

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion is used.
  # +docs:property
  # tag: vX.Y.Z

  # Setting a digest will override any tag.
  # +docs:property
  # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent

  # The three values below pin the controller image for this chart build.
  # Because a digest overrides the tag (see above), the image actually pulled
  # is determined by `digest`; `tag` is informational. When bumping the image,
  # update `digest` together with `tag`, otherwise the old content keeps being
  # deployed. Keep the tag quoted so it is not parsed as a float.
  registry: cgr.dev
  tag: "1.19"
  digest: sha256:1b447f90c535ea6fe23eb67879e7ac0b8f7dc2ac4258b4f5dc041c7809cb57cd

# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
#
# NOTE(review): whichever namespace this resolves to holds the ClusterIssuer
# credentials; restrict Secret read access in it to cert-manager and operators.
clusterResourceNamespace: ""

# This namespace allows you to define where the services are installed into.
# If not set then they use the namespace of the release.
# This is helpful when installing cert manager as a chart dependency (sub chart).
namespace: ""

# Override the "cert-manager.fullname" value. This value is used as part of
# most of the names of the resources created by this Helm chart.
# +docs:property
# fullnameOverride: "my-cert-manager"

# Override the "cert-manager.name" value, which is used to annotate some of
# the resources that are created by this Chart (using "app.kubernetes.io/name").
# NOTE: There are some inconsistencies in the Helm chart when it comes to
# these annotations (some resources use, e.g., "cainjector.name" which resolves
# to the value "cainjector").
# +docs:property
# nameOverride: "my-cert-manager"

serviceAccount:
  # Specifies whether a service account should be created.
  create: true

  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  # +docs:property
  # name: ""

  # Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.
  # Example using templating:
  #   annotations:
  #     "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}"
  # +docs:property
  # annotations: {}

  # Optional additional labels to add to the controller's Service Account.
  # +docs:property
  # labels: {}

  # Automount API credentials for a Service Account.
  # The controller needs an API token to watch and update its resources, so this
  # stays true; the per-pod setting (top-level `automountServiceAccountToken`)
  # is the one to use if the token should be mounted explicitly instead.
  automountServiceAccountToken: true

# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true

# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted.
# NOTE(review): leaving this false means issued TLS Secrets outlive their
# Certificate and must be cleaned up separately; enabling it ties the Secret's
# lifetime to the Certificate via an owner reference.
enableCertificateOwnerRef: false

# This property is used to configure options for the controller pod.
# This allows setting options that would usually be provided using flags.
#
# If `apiVersion` and `kind` are unspecified they default to the current latest
# version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin
# the version by specifying the `apiVersion` yourself.
#
# For example:
# config:
#   apiVersion: controller.config.cert-manager.io/v1alpha1
#   kind: ControllerConfiguration
#   logging:
#     verbosity: 2
#     format: text
#   leaderElectionConfig:
#     namespace: kube-system
#   kubernetesAPIQPS: 9000
#   kubernetesAPIBurst: 9000
#   numberOfConcurrentWorkers: 200
#   enableGatewayAPI: true
#   # Feature gates as of v1.18.1. Listed with their default values.
#   # See https://cert-manager.io/docs/cli/controller/
#   featureGates:
#     AdditionalCertificateOutputFormats: true # GA - default=true
#     AllAlpha: false # ALPHA - default=false
#     AllBeta: false # BETA - default=false
#     ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
#     ExperimentalGatewayAPISupport: true # BETA - default=true
#     LiteralCertificateSubject: true # BETA - default=true
#     NameConstraints: true # BETA - default=true
#     OtherNames: false # ALPHA - default=false
#     SecretsFilteredCaching: true # BETA - default=true
#     ServerSideApply: false # ALPHA - default=false
#     StableCertificateRequestName: true # BETA - default=true
#     UseCertificateRequestBasicConstraints: false # ALPHA - default=false
#     UseDomainQualifiedFinalizer: true # GA - default=true
#     ValidateCAA: false # ALPHA - default=false
#     DefaultPrivateKeyRotationPolicyAlways: true # BETA - default=true
#     ACMEHTTP01IngressPathTypeExact: true # BETA - default=true
#   # Configure the metrics server for TLS
#   # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
#   metricsTLSConfig:
#     dynamic:
#       secretNamespace: "cert-manager"
#       secretName: "cert-manager-metrics-ca"
#       dnsNames:
#       - cert-manager-metrics
#
# NOTE(review): the metrics endpoint is served without TLS unless
# `metricsTLSConfig` is set here; if metrics leave a trusted network segment,
# configure it (see the example above).
config: {}

# Setting Nameservers for DNS01 Self Check.
# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check).

# A comma-separated string with the host and port of the recursive nameservers cert-manager should query.
dns01RecursiveNameservers: ""

# Forces cert-manager to use only the recursive nameservers for verification.
# Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.
# NOTE(review): when set, the self-check trusts the answers of the listed
# resolvers exclusively, so they should be resolvers you control.
dns01RecursiveNameserversOnly: false

# Option to disable cert-manager's built-in auto-approver. The auto-approver
# approves all CertificateRequests that reference issuers matching the 'approveSignerNames'
# option. This 'disableAutoApproval' option is useful when you want to make all approval decisions
# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy).
disableAutoApproval: false

# List of signer names that cert-manager will approve by default. CertificateRequests
# referencing these signer names will be auto-approved by cert-manager. Defaults to just
# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
# because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.
# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
# +docs:property
#
# NOTE(review): an empty list is the most permissive setting, not a disable.
# To stop auto-approval, set `disableAutoApproval: true` rather than clearing
# this list.
approveSignerNames:
- issuers.cert-manager.io/*
- clusterissuers.cert-manager.io/*

# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
#
# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.
#
# For example:
# extraArgs:
#   - --controllers=*,-certificaterequests-approver
extraArgs: []

# Additional environment variables to pass to cert-manager controller binary.
# For example:
# extraEnv:
# - name: SOME_VAR
#   value: 'some value'
#
# NOTE(review): values given here are rendered into the Deployment spec in
# clear text; for credentials prefer `valueFrom.secretKeyRef` entries.
extraEnv: []

# Resources to provide to the cert-manager controller pod.
#
# For example:
# requests:
#   cpu: 10m
#   memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
#
# NOTE(review): no requests or limits are set by default; set them in
# production so the controller is scheduled predictably and cannot consume
# unbounded node resources.
resources: {}

# Pod Security Context.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
#
# runAsNonRoot makes the kubelet refuse to start a container whose image runs
# as UID 0; RuntimeDefault applies the container runtime's default seccomp
# profile. Together these satisfy the "restricted" Pod Security Standard for
# the pod-level fields.
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Container Security Context to be set on the controller component container.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
#
# All capabilities are dropped and the root filesystem is read-only; any
# writable path the controller needs must come from a volume (see `volumes`
# and `volumeMounts` below).
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true

# Additional volumes to add to the cert-manager controller pod.
volumes: []

# Additional volume mounts to add to the cert-manager controller container.
volumeMounts: []

# Optional additional annotations to add to the controller Deployment.
# +docs:property
# deploymentAnnotations: {}

# Optional additional annotations to add to the controller Pods.
# +docs:property
# podAnnotations: {}

# Optional additional labels to add to the controller Pods.
podLabels: {}

# Optional annotations to add to the controller Service.
# +docs:property
# serviceAnnotations: {}

# Optional additional labels to add to the controller Service.
# +docs:property
# serviceLabels: {}

# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
# +docs:property
# serviceIPFamilyPolicy: ""

# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
# +docs:property
# serviceIPFamilies: []

# Optional DNS settings. These are useful if you have a public and private DNS zone for
# the same domain on Route 53. The following is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# Note that this requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.

# Pod DNS policy.
# For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
# +docs:property
# podDnsPolicy: "None"

# Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy
# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified.
# For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config).
# +docs:property
# podDnsConfig:
#   nameservers:
#     - "1.1.1.1"
#     - "8.8.8.8"

# Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks.
#
# NOTE(review): entries here are written to the pod's /etc/hosts and bypass
# DNS entirely for the named hosts, so they should only point at addresses
# you control.
hostAliases: []
# - ip: 127.0.0.1
#   hostnames:
#   - foo.local
#   - bar.local
# - ip: 10.1.2.3
#   hostnames:
#   - foo.remote
#   - bar.remote

# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
  kubernetes.io/os: linux

# +docs:ignore
# Defaults applied by the ingress-shim when an Ingress requests a certificate
# without naming an issuer; all three are unset by default.
ingressShim: {}

  # Optional default issuer to use for ingress resources.
  # +docs:property=ingressShim.defaultIssuerName
  # defaultIssuerName: ""

  # Optional default issuer kind to use for ingress resources.
  # +docs:property=ingressShim.defaultIssuerKind
  # defaultIssuerKind: ""

  # Optional default issuer group to use for ingress resources.
  # +docs:property=ingressShim.defaultIssuerGroup
  # defaultIssuerGroup: ""

# Use these variables to configure the HTTP_PROXY environment variables.
#
# NOTE(review): these are rendered as plain environment variables on the
# controller Deployment; avoid embedding proxy credentials in the URL and make
# sure `no_proxy` covers the in-cluster API server and service addresses.

# Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# http_proxy: "http://proxy:8080"

# Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# https_proxy: "https://proxy:8080"

# Configures the NO_PROXY environment variable where a HTTP proxy is required,
# but certain domains should be excluded.
# +docs:property
# no_proxy: 127.0.0.1,localhost

# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
#   affinity:
#     nodeAffinity:
#      requiredDuringSchedulingIgnoredDuringExecution:
#        nodeSelectorTerms:
#        - matchExpressions:
#          - key: foo.bar.com/role
#            operator: In
#            values:
#            - master
affinity: {}

# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
#   tolerations:
#   - key: foo.bar.com/role
#     operator: Equal
#     value: master
#     effect: NoSchedule
tolerations: []

# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
#
# For example:
#   topologySpreadConstraints:
#   - maxSkew: 2
#     topologyKey: topology.kubernetes.io/zone
#     whenUnsatisfiable: ScheduleAnyway
#     labelSelector:
#       matchLabels:
#         app.kubernetes.io/instance: cert-manager
#         app.kubernetes.io/component: controller
topologySpreadConstraints: []

# LivenessProbe settings for the controller container of the controller Pod.
#
# This is enabled by default, in order to enable the clock-skew liveness probe that
# restarts the controller in case of a skew between the system clock and the monotonic clock.
# LivenessProbe durations and thresholds are based on those used for the Kubernetes
# controller-manager. For more information see the following on the
# [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245)
# +docs:property
livenessProbe:
  enabled: true
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 15
  successThreshold: 1
  failureThreshold: 8

# enableServiceLinks indicates whether information about services should be
# injected into the pod's environment variables, matching the syntax of Docker
# links.
# Disabled so the controller's environment does not fill up with (and leak)
# the addresses of every Service in its namespace.
enableServiceLinks: false

# +docs:section=Prometheus

prometheus:
  # Enable Prometheus monitoring for the cert-manager controller and webhook.
  # If you use the Prometheus Operator, set prometheus.podmonitor.enabled or
  # prometheus.servicemonitor.enabled, to create a PodMonitor or a
  # ServiceMonitor resource.
  # Otherwise, 'prometheus.io' annotations are added to the cert-manager and
  # cert-manager-webhook Deployments.
  # Note that you cannot enable both PodMonitor and ServiceMonitor as they are
  # mutually exclusive. Enabling both will result in an error.
  #
  # NOTE(review): metrics are served over plain HTTP unless the controller
  # `config.metricsTLSConfig` is set; the PodMonitor example below shows the
  # matching scrape-side TLS settings.
  enabled: true

  servicemonitor:
    # Create a ServiceMonitor to add cert-manager to Prometheus.
    enabled: false

    # The namespace that the service monitor should live in, defaults
    # to the cert-manager namespace.
    # +docs:property
    # namespace: cert-manager

    # Specifies the `prometheus` label on the created ServiceMonitor. This is
    # used when different Prometheus instances have label selectors matching
    # different ServiceMonitors.
    prometheusInstance: default

    # The target port to set on the ServiceMonitor. This must match the port that the
    # cert-manager controller is listening on for metrics.
    # +docs:type=string,integer
    targetPort: http-metrics

    # The path to scrape for metrics.
    path: /metrics

    # The interval to scrape metrics.
    interval: 60s

    # The timeout before a metrics scrape fails.
    scrapeTimeout: 30s

    # Additional labels to add to the ServiceMonitor.
    labels: {}

    # Additional annotations to add to the ServiceMonitor.
    annotations: {}

    # Keep labels from scraped data, overriding server-side labels.
    honorLabels: false

    # EndpointAdditionalProperties allows setting additional properties on the
    # endpoint such as relabelings, metricRelabelings etc.
    #
    # For example:
    #  endpointAdditionalProperties:
    #   relabelings:
    #   - action: replace
    #     sourceLabels:
    #     - __meta_kubernetes_pod_node_name
    #     targetLabel: instance
    #
    # +docs:property
    endpointAdditionalProperties: {}

  # Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
  podmonitor:
    # Create a PodMonitor to add cert-manager to Prometheus.
    enabled: false

    # The namespace that the pod monitor should live in, defaults
    # to the cert-manager namespace.
    # +docs:property
    # namespace: cert-manager

    # Specifies the `prometheus` label on the created PodMonitor. This is
    # used when different Prometheus instances have label selectors matching
    # different PodMonitors.
    prometheusInstance: default

    # The path to scrape for metrics.
    path: /metrics

    # The interval to scrape metrics.
    interval: 60s

    # The timeout before a metrics scrape fails.
    scrapeTimeout: 30s

    # Additional labels to add to the PodMonitor.
    labels: {}

    # Additional annotations to add to the PodMonitor.
    annotations: {}

    # Keep labels from scraped data, overriding server-side labels.
    honorLabels: false

    # EndpointAdditionalProperties allows setting additional properties on the
    # endpoint such as relabelings, metricRelabelings etc.
    #
    # For example:
    #  endpointAdditionalProperties:
    #   relabelings:
    #   - action: replace
    #     sourceLabels:
    #     - __meta_kubernetes_pod_node_name
    #     targetLabel: instance
    #   # Configure the PodMonitor for TLS connections
    #   # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
    #   scheme: https
    #   tlsConfig:
    #     serverName: cert-manager-metrics
    #     ca:
    #       secret:
    #         name: cert-manager-metrics-ca
    #         key: "tls.crt"
    #
    # +docs:property
    endpointAdditionalProperties: {}

# +docs:section=Webhook
webhook:
  # Number of replicas of the cert-manager webhook to run.
  #
  # The default is 1, but in production set this to 2 or 3 to provide high
  # availability.
  #
  # If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
  #
  # NOTE(review): the webhook sits on the API server's admission path for
  # cert-manager resources, so a single replica is an availability single point
  # of failure for creating or updating Certificates and Issuers.
  replicaCount: 1

  # The number of seconds the API server should wait for the webhook to respond before treating the call as a failure.
  # The value must be between 1 and 30 seconds. For more information, see
  # [Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).
  #
  # The default is set to the maximum value of 30 seconds as
  # users sometimes report that the connection between the K8S API server and
  # the cert-manager webhook server times out.
  # If *this* timeout is reached, the error message will be "context deadline exceeded",
  # which doesn't help the user diagnose what phase of the HTTPS connection timed out.
  # For example, it could be during DNS resolution, TCP connection, TLS
  # negotiation, HTTP negotiation, or slow HTTP response from the webhook
  # server.
  # By setting this timeout to its maximum value the underlying timeout error
  # message has more chance of being returned to the end user.
  timeoutSeconds: 30

  # This is used to configure options for the webhook pod.
  # This allows setting options that would usually be provided using flags.
  #
  # If `apiVersion` and `kind` are unspecified they default to the current latest
  # version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin
  # the version by specifying the `apiVersion` yourself.
  #
  # For example:
  # apiVersion: webhook.config.cert-manager.io/v1alpha1
  # kind: WebhookConfiguration
  # # The port that the webhook listens on for requests.
  # # In GKE private clusters, by default Kubernetes apiservers are allowed to
  # # talk to the cluster nodes only on 443 and 10250. Configuring
  # # securePort: 10250 therefore will work out-of-the-box without needing to add firewall
  # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.
  # # This should be uncommented and set as a default by the chart once
  # # the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
  # securePort: 10250
  # # Configure the metrics server for TLS
  # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
  # metricsTLSConfig:
  #   dynamic:
  #     secretNamespace: "cert-manager"
  #     secretName: "cert-manager-metrics-ca"
  #     dnsNames:
  #     - cert-manager-metrics
  #
  # NOTE(review): `containerSecurityContext` below drops ALL capabilities, so a
  # `securePort` below 1024 would need NET_BIND_SERVICE added back; the example
  # port 10250 avoids that.
  config: {}

  # The update strategy for the cert-manager webhook deployment.
  # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)
  #
  # For example:
  # strategy:
  #   type: RollingUpdate
  #   rollingUpdate:
  #     maxSurge: 0
  #     maxUnavailable: 1
  #
  # An empty map leaves the Deployment's default strategy in place.
  strategy: {}

  # Pod Security Context to be set on the webhook component Pod.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  #
  # Same hardening as the controller pod: non-root enforced by the kubelet and
  # the runtime's default seccomp profile applied.
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

  # Container Security Context to be set on the webhook component container.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  #
  # All capabilities dropped and read-only root filesystem; the serving
  # certificate is presumably provided via a mounted Secret rather than written
  # to the container filesystem — confirm in the webhook Deployment template.
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true

  podDisruptionBudget:
    # Enable or disable the PodDisruptionBudget resource.
    #
    # This prevents downtime during voluntary disruptions such as during a Node upgrade.
    # For example, the PodDisruptionBudget will block `kubectl drain`
    # if it is used on the Node where the only remaining cert-manager
    # Pod is currently running.
    enabled: false

    # This property configures the minimum available pods for disruptions. Can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # It cannot be used if `maxUnavailable` is set.
    # +docs:property
    # +docs:type=unknown
    # minAvailable: 1

    # This property configures the maximum unavailable pods for disruptions. Can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # It cannot be used if `minAvailable` is set.
    # +docs:property
    # +docs:type=unknown
    # maxUnavailable: 1

  # Optional additional annotations to add to the webhook Deployment.
  # +docs:property
  # deploymentAnnotations: {}

  # Optional additional annotations to add to the webhook Pods.
  # +docs:property
  # podAnnotations: {}

  # Optional additional annotations to add to the webhook Service.
  # +docs:property
  # serviceAnnotations: {}

  # Optional additional annotations to add to the webhook MutatingWebhookConfiguration.
  # +docs:property
  # mutatingWebhookConfigurationAnnotations: {}

  # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration.
  # +docs:property
  # validatingWebhookConfigurationAnnotations: {}

  validatingWebhookConfiguration:
    # Configure spec.namespaceSelector for validating webhooks.
    # +docs:property
    #
    # The default selector excludes any namespace labelled
    # `cert-manager.io/disable-validation: "true"` from validation. Treat that
    # label as privileged: anyone allowed to label a namespace can opt it out
    # of cert-manager's admission checks. The value is quoted so it stays a
    # string and is not parsed as a YAML boolean.
    namespaceSelector:
      matchExpressions:
      - key: "cert-manager.io/disable-validation"
        operator: "NotIn"
        values:
        - "true"

  mutatingWebhookConfiguration:
    # Configure spec.namespaceSelector for mutating webhooks.
    # +docs:property
    #
    # Empty by default, i.e. the mutating webhook applies to every namespace;
    # the commented example shows how to exclude kube-system.
    namespaceSelector: {}
    #  matchLabels:
    #   key: value
    #  matchExpressions:
    #   - key: kubernetes.io/metadata.name
    #     operator: NotIn
    #     values:
    #       - kube-system

# Additional command line flags to pass to cert-manager webhook binary.
713
# To see all available flags run `docker run quay.io/jetstack/cert-manager-webhook:<version> --help`.
714
extraArgs: []
715
# Path to a file containing a WebhookConfiguration object used to configure the webhook.
716
# - --config=<path-to-config-file>
717
718
# Additional environment variables to pass to cert-manager webhook binary.
719
# For example:
720
# extraEnv:
721
# - name: SOME_VAR
722
# value: 'some value'
723
extraEnv: []
724
# Comma separated list of feature gates that should be enabled on the
725
# webhook pod.
726
featureGates: ""
# (Belongs to the `webhook` section, which starts earlier in the file.)

# Resources to provide to the cert-manager webhook pod.
#
# For example:
#  requests:
#    cpu: 10m
#    memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
resources: {}

# Liveness probe values.
# For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
#
# With these defaults the first check runs 60s after start and then every
# 10s; each check must answer within 1s, and three consecutive failures
# trigger a container restart.
# +docs:property
livenessProbe:
  failureThreshold: 3
  initialDelaySeconds: 60
  periodSeconds: 10
  successThreshold: 1
  timeoutSeconds: 1

# Readiness probe values.
# For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
#
# Readiness gates Service traffic: the first check runs 5s after start and
# repeats every 5s; one success marks the pod ready, three consecutive
# failures remove it from the Service endpoints.
# +docs:property
readinessProbe:
  failureThreshold: 3
  initialDelaySeconds: 5
  periodSeconds: 5
  successThreshold: 1
  timeoutSeconds: 1
# (Belongs to the `webhook` section, which starts earlier in the file.)

# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
  kubernetes.io/os: linux

# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
#   affinity:
#     nodeAffinity:
#      requiredDuringSchedulingIgnoredDuringExecution:
#        nodeSelectorTerms:
#        - matchExpressions:
#          - key: foo.bar.com/role
#            operator: In
#            values:
#            - master
affinity: {}

# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
#   tolerations:
#   - key: foo.bar.com/role
#     operator: Equal
#     value: master
#     effect: NoSchedule
tolerations: []

# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
#
# For example:
#   topologySpreadConstraints:
#   - maxSkew: 2
#     topologyKey: topology.kubernetes.io/zone
#     whenUnsatisfiable: ScheduleAnyway
#     labelSelector:
#       matchLabels:
#         app.kubernetes.io/instance: cert-manager
#         app.kubernetes.io/component: controller
#
# NOTE(review): the example's `app.kubernetes.io/component: controller` label
# is carried over from the controller section; for the webhook pods the
# component label presumably differs — confirm against the rendered pod
# labels before copying it.
topologySpreadConstraints: []

# Optional additional labels to add to the Webhook Pods.
podLabels: {}

# Optional additional labels to add to the Webhook Service.
serviceLabels: {}

# Optionally set the IP family policy for the webhook Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
serviceIPFamilyPolicy: ""

# Optionally set the IP families for the webhook Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
serviceIPFamilies: []
# (Belongs to the `webhook` section, which starts earlier in the file.)

image:
  # The container registry to pull the webhook image from.
  # +docs:property
  # registry: quay.io

  # The container image for the cert-manager webhook
  # +docs:property
  repository: chainguard-private/cert-manager-webhook

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion will be used.
  # +docs:property
  # tag: vX.Y.Z

  # Setting a digest will override any tag
  # +docs:property
  # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent

  # Effective registry, tag and digest for this chart build. Because `digest`
  # is set, the pull is pinned to that exact image and (per the note above)
  # the tag is informational only: bumping `tag` without updating `digest`
  # does not change what runs. With a digest pin, `IfNotPresent` is safe,
  # since a cached image matching the digest is the same content.
  registry: cgr.dev
  tag: "1.19"
  digest: sha256:223de8fafb153429003a7d6e3a8e68374a7c8cb5b1491d186a77a77ca0915aee
# (Belongs to the `webhook` section, which starts earlier in the file.)

serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  # +docs:property
  # name: ""

  # Optional additional annotations to add to the webhook's Service Account.
  # +docs:property
  # annotations: {}

  # Optional additional labels to add to the webhook's Service Account.
  # +docs:property
  # labels: {}

  # Automount API credentials for a Service Account.
  # The service account token is mounted into the pod by default. The
  # pod-level override (commented out below) is unset, so this setting
  # presumably governs — confirm in the Deployment template.
  automountServiceAccountToken: true

# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true
# (Belongs to the `webhook` section, which starts earlier in the file.)

# The port that the webhook listens on for requests.
# In GKE private clusters, by default Kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. Configuring
# securePort: 10250, therefore will work out-of-the-box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
securePort: 10250

# Specifies if the webhook should be started in hostNetwork mode.
#
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
# CNI (such as calico), because control-plane managed by AWS cannot communicate
# with pods' IP CIDR and admission webhooks are not working
#
# Since the default port for the webhook conflicts with kubelet on the host
# network, `webhook.securePort` should be changed to an available port if
# running in hostNetwork mode.
#
# Enabling this binds the listener in the node's network namespace, so it is
# reachable on the node's own addresses and is generally not covered by the
# pod-level `networkPolicy` below; treat it as a last resort and pick a
# `securePort` that does not collide with the kubelet's 10250.
hostNetwork: false

# Specifies how the service should be handled. Useful if you want to expose the
# webhook outside of the cluster. In some cases, the control plane cannot
# reach internal services.
#
# Only the API server needs to reach this admission endpoint. If a NodePort
# or LoadBalancer type is unavoidable, restrict the reachable source range
# (for example with `loadBalancerSourceRanges` or firewall rules) to the
# control plane.
serviceType: ClusterIP

# Specify the load balancer IP for the created service.
# +docs:property
# loadBalancerIP: "10.10.10.10"

# Overrides the mutating webhook and validating webhook so they reach the webhook
# service using the `url` field instead of a service.
url: {}
  # host:
# (Belongs to the `webhook` section, which starts earlier in the file.)

# Enables default network policies for webhooks.
# The policy is only rendered when `enabled` is true, and it is only enforced
# by a network plugin that implements NetworkPolicy.
networkPolicy:
  # Create network policies for the webhooks.
  enabled: false

  # Ingress rule for the webhook network policy. By default, it allows all
  # inbound traffic.
  #
  # This default is permissive: it admits any source (IPv4 and IPv6) and,
  # since no `ports` entry is given, every port of the pod. In production
  # narrow it to the API server's source addresses and to `securePort`.
  # +docs:property
  ingress:
    - from:
        - ipBlock:
            cidr: 0.0.0.0/0
        - ipBlock:
            cidr: "::/0"

  # Egress rule for the webhook network policy. By default, it allows all
  # outbound traffic to ports 80, 443 and 6443 (TCP) and to DNS on 53
  # (TCP and UDP), to any destination address.
  # +docs:property
  egress:
    - ports:
        - port: 80
          protocol: TCP
        - port: 443
          protocol: TCP
        - port: 53
          protocol: TCP
        - port: 53
          protocol: UDP
        # On OpenShift and OKD, the Kubernetes API server listens on
        # port 6443.
        - port: 6443
          protocol: TCP
      to:
        - ipBlock:
            cidr: 0.0.0.0/0
        - ipBlock:
            cidr: "::/0"
# (Belongs to the `webhook` section, which starts earlier in the file.)

# Additional volumes to add to the webhook pod.
# (The upstream comment says "controller pod"; this key is under `webhook`.)
volumes: []

# Additional volume mounts to add to the webhook container.
volumeMounts: []

# enableServiceLinks indicates whether information about services should be
# injected into the pod's environment variables, matching the syntax of Docker
# links. Disabled here, which also keeps the environment free of details
# about every other Service in the namespace.
enableServiceLinks: false
# +docs:section=CA Injector
cainjector:
  # Create the CA Injector deployment
  enabled: true

  # The number of replicas of the cert-manager cainjector to run.
  #
  # The default is 1, but in production set this to 2 or 3 to provide high
  # availability.
  #
  # If `replicas > 1` (this key is `replicaCount`), consider setting
  # `cainjector.podDisruptionBudget.enabled=true`.
  #
  # Note that cert-manager uses leader election to ensure that there can
  # only be a single instance active at a time.
  replicaCount: 1

  # This is used to configure options for the cainjector pod.
  # It allows setting options that are usually provided via flags.
  #
  # If `apiVersion` and `kind` are unspecified they default to the current latest
  # version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin
  # the version by specifying the `apiVersion` yourself.
  #
  # With the default `{}` nothing here is configured; in particular the
  # metrics server TLS shown in the example is presumably not enabled unless
  # set explicitly — confirm against the component's defaults.
  #
  # For example:
  #  apiVersion: cainjector.config.cert-manager.io/v1alpha1
  #  kind: CAInjectorConfiguration
  #  logging:
  #    verbosity: 2
  #    format: text
  #  leaderElectionConfig:
  #    namespace: kube-system
  #  # Configure the metrics server for TLS
  #  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
  #  metricsTLSConfig:
  #    dynamic:
  #      secretNamespace: "cert-manager"
  #      secretName: "cert-manager-metrics-ca"
  #      dnsNames:
  #      - cert-manager-metrics
  config: {}

  # Deployment update strategy for the cert-manager cainjector deployment.
  # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
  #
  # For example:
  #   strategy:
  #     type: RollingUpdate
  #     rollingUpdate:
  #       maxSurge: 0
  #       maxUnavailable: 1
  strategy: {}

  # Pod Security Context to be set on the cainjector component Pod
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  #
  # `runAsNonRoot` makes the kubelet refuse to start a container whose image
  # would run as UID 0; `RuntimeDefault` applies the container runtime's
  # default seccomp filter. No `runAsUser` is set, so the UID comes from the
  # image itself.
  # +docs:property
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

  # Container Security Context to be set on the cainjector component container
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  #
  # All Linux capabilities are dropped and the root filesystem is read-only,
  # so any path the process must write to has to come from `volumes` /
  # `volumeMounts` below.
  # +docs:property
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

  podDisruptionBudget:
    # Enable or disable the PodDisruptionBudget resource.
    #
    # This prevents downtime during voluntary disruptions such as during a Node upgrade.
    # For example, the PodDisruptionBudget will block `kubectl drain`
    # if it is used on the Node where the only remaining cert-manager
    # Pod is currently running.
    enabled: false

    # `minAvailable` configures the minimum available pods for disruptions. It can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # Cannot be used if `maxUnavailable` is set.
    # +docs:property
    # +docs:type=unknown
    # minAvailable: 1

    # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # Cannot be used if `minAvailable` is set.
    # +docs:property
    # +docs:type=unknown
    # maxUnavailable: 1

  # Optional additional annotations to add to the cainjector Deployment.
  # +docs:property
  # deploymentAnnotations: {}

  # Optional additional annotations to add to the cainjector Pods.
  # +docs:property
  # podAnnotations: {}

  # Optional additional annotations to add to the cainjector metrics Service.
  # +docs:property
  # serviceAnnotations: {}

  # Additional command line flags to pass to cert-manager cainjector binary.
  # To see all available flags run `docker run quay.io/jetstack/cert-manager-cainjector:<version> --help`.
  # NOTE(review): this chart pulls the cainjector image from `cgr.dev` (see
  # `image` below); use that image reference if you run the binary locally.
  extraArgs: []
  # Enable profiling for cainjector.
  # Profiling exposes runtime internals over an extra endpoint; leave it off
  # outside of debugging sessions.
  # - --enable-profiling=true

  # Additional environment variables to pass to cert-manager cainjector binary.
  # Values given here are written into the container environment as-is, so keep
  # secrets out of this file and reference a Secret instead.
  # For example:
  #  extraEnv:
  #  - name: SOME_VAR
  #    value: 'some value'
  extraEnv: []

  # Comma separated list of feature gates that should be enabled on the
  # cainjector pod. Left empty by default.
  featureGates: ""

  # Resources to provide to the cert-manager cainjector pod.
  #
  # For example:
  #  requests:
  #    cpu: 10m
  #    memory: 32Mi
  #
  # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
  resources: {}

  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
  # matching labels.
  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
  #
  # This default ensures that Pods are only scheduled to Linux nodes.
  # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
  # +docs:property
  nodeSelector:
    kubernetes.io/os: linux

  # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
  #
  # For example:
  #   affinity:
  #     nodeAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        nodeSelectorTerms:
  #        - matchExpressions:
  #          - key: foo.bar.com/role
  #            operator: In
  #            values:
  #            - master
  affinity: {}

  # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
  #
  # For example:
  #   tolerations:
  #   - key: foo.bar.com/role
  #     operator: Equal
  #     value: master
  #     effect: NoSchedule
  tolerations: []

  # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
  #
  # For example:
  #   topologySpreadConstraints:
  #   - maxSkew: 2
  #     topologyKey: topology.kubernetes.io/zone
  #     whenUnsatisfiable: ScheduleAnyway
  #     labelSelector:
  #       matchLabels:
  #         app.kubernetes.io/instance: cert-manager
  #         app.kubernetes.io/component: controller
  #
  # NOTE(review): the example's `app.kubernetes.io/component: controller`
  # label is carried over from the controller section; for cainjector pods the
  # component label presumably differs — confirm against the rendered pod
  # labels before copying it.
  topologySpreadConstraints: []

  # Optional additional labels to add to the CA Injector Pods.
  podLabels: {}

  # Optional additional labels to add to the CA Injector metrics Service.
  serviceLabels: {}

  image:
    # The container registry to pull the cainjector image from.
    # +docs:property
    # registry: quay.io

    # The container image for the cert-manager cainjector
    # +docs:property
    repository: chainguard-private/cert-manager-cainjector

    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion will be used.
    # +docs:property
    # tag: vX.Y.Z

    # Setting a digest will override any tag.
    # +docs:property
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    # Kubernetes imagePullPolicy on Deployment.
    pullPolicy: IfNotPresent

    # Effective registry, tag and digest for this chart build. The pull is
    # pinned by `digest`, so the tag is informational only; bumping `tag`
    # without updating `digest` does not change what runs.
    registry: cgr.dev
    tag: "1.19"
    digest: sha256:9a895c2d98bda14886dda637ee16f845175684538fe7093fd89cdbcc36f043ae

  serviceAccount:
    # Specifies whether a service account should be created.
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template.
    # +docs:property
    # name: ""

    # Optional additional annotations to add to the cainjector's Service Account.
    # +docs:property
    # annotations: {}

    # Optional additional labels to add to the cainjector's Service Account.
    # +docs:property
    # labels: {}

    # Automount API credentials for a Service Account.
    # The pod-level override (commented out below) is unset, so this setting
    # presumably governs — confirm in the Deployment template.
    automountServiceAccountToken: true

  # Automounting API credentials for a particular pod.
  # +docs:property
  # automountServiceAccountToken: true

  # Additional volumes to add to the cainjector pod.
  # (The upstream comment says "controller pod"; this key is under `cainjector`.)
  volumes: []

  # Additional volume mounts to add to the cainjector container.
  volumeMounts: []

  # enableServiceLinks indicates whether information about services should be
  # injected into the pod's environment variables, matching the syntax of Docker
  # links.
  enableServiceLinks: false
# +docs:section=ACME Solver
acmesolver:
  image:
    # The container registry to pull the acmesolver image from.
    # +docs:property
    # registry: quay.io

    # The container image for the cert-manager acmesolver.
    # +docs:property
    repository: chainguard-private/cert-manager-acmesolver

    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion is used.
    # +docs:property
    # tag: vX.Y.Z

    # Setting a digest will override any tag.
    # +docs:property
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    # Kubernetes imagePullPolicy on Deployment.
    # NOTE(review): this section only configures an image; no Deployment keys
    # appear here, so the image is presumably consumed by pods created at
    # runtime for ACME challenges — confirm in the chart templates.
    pullPolicy: IfNotPresent

    # Effective registry, tag and digest for this chart build. The pull is
    # pinned by `digest`, so the tag is informational only; bumping `tag`
    # without updating `digest` does not change what runs.
    registry: cgr.dev
    tag: "1.19"
    digest: sha256:96919b7376a3846b51421275c0f41b34ce81acdb18227ad8d0571bedfcec646d
# +docs:section=Startup API Check
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job - if you are injecting mesh
# sidecar proxies into cert-manager pods, ensure that they
# are not injected into this Job's pod. Otherwise, the installation may time out
# owing to the Job never being completed because the sidecar proxy does not exit.
# For more information, see [this note](https://github.com/cert-manager/cert-manager/pull/4414).
startupapicheck:
  # Enables the startup api check.
  enabled: true

  # Pod Security Context to be set on the startupapicheck component Pod.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  #
  # `runAsNonRoot` makes the kubelet refuse to start a container whose image
  # would run as UID 0; `RuntimeDefault` applies the container runtime's
  # default seccomp filter. No `runAsUser` is set, so the UID comes from the
  # image itself.
  # +docs:property
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

  # Container Security Context to be set on the startupapicheck component container.
  # (The upstream comment says "controller"; this key is under `startupapicheck`.)
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  #
  # All Linux capabilities are dropped and the root filesystem is read-only,
  # so any path the process must write to has to come from `volumes` /
  # `volumeMounts` below.
  # +docs:property
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
        - ALL
    readOnlyRootFilesystem: true

  # Timeout for 'kubectl check api' command.
  timeout: 1m

  # Job backoffLimit
  # Number of retries before the Job is marked failed.
  backoffLimit: 4

  # Optional additional annotations to add to the startupapicheck Job.
  #
  # These are Helm hook annotations: the Job runs post-install at weight 1,
  # after the RBAC and ServiceAccount hooks below (weight -5). The delete
  # policy removes a succeeded Job and any leftover from a previous run, but
  # not a failed one (`hook-failed` is not listed), so its logs stay available
  # for troubleshooting.
  # +docs:property
  jobAnnotations:
    helm.sh/hook: post-install
    helm.sh/hook-weight: "1"
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded

  # Optional additional annotations to add to the startupapicheck Pods.
  # +docs:property
  # podAnnotations: {}

  # Additional command line flags to pass to startupapicheck binary.
  # To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.
  # NOTE(review): this chart pulls the startupapicheck image from `cgr.dev`
  # (see `image` below); use that image reference if you run the binary locally.
  #
  # Verbose logging is enabled by default so that if startupapicheck fails, you
  # can know what exactly caused the failure. Verbose logs include details of
  # the webhook URL, IP address and TCP connect errors for example.
  # +docs:property
  extraArgs:
    - -v

  # Additional environment variables to pass to cert-manager startupapicheck binary.
  # Values given here are written into the container environment as-is, so keep
  # secrets out of this file and reference a Secret instead.
  # For example:
  #  extraEnv:
  #  - name: SOME_VAR
  #    value: 'some value'
  extraEnv: []

  # Resources to provide to the startupapicheck pod.
  # (The upstream comment says "controller pod"; this key is under `startupapicheck`.)
  #
  # For example:
  #  requests:
  #    cpu: 10m
  #    memory: 32Mi
  #
  # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
  resources: {}

  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
  # matching labels.
  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
  #
  # This default ensures that Pods are only scheduled to Linux nodes.
  # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
  # +docs:property
  nodeSelector:
    kubernetes.io/os: linux

  # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
  # For example:
  #   affinity:
  #     nodeAffinity:
  #      requiredDuringSchedulingIgnoredDuringExecution:
  #        nodeSelectorTerms:
  #        - matchExpressions:
  #          - key: foo.bar.com/role
  #            operator: In
  #            values:
  #            - master
  affinity: {}

  # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
  #
  # For example:
  #   tolerations:
  #   - key: foo.bar.com/role
  #     operator: Equal
  #     value: master
  #     effect: NoSchedule
  tolerations: []

  # Optional additional labels to add to the startupapicheck Pods.
  podLabels: {}

  image:
    # The container registry to pull the startupapicheck image from.
    # +docs:property
    # registry: quay.io

    # The container image for the cert-manager startupapicheck.
    # +docs:property
    repository: chainguard-private/cert-manager-startupapicheck

    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion is used.
    # +docs:property
    # tag: vX.Y.Z

    # Setting a digest will override any tag.
    # +docs:property
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    # Kubernetes imagePullPolicy on Deployment.
    # (This component is described above as a Job rather than a Deployment.)
    pullPolicy: IfNotPresent

    # Effective registry, tag and digest for this chart build. The pull is
    # pinned by `digest`, so the tag is informational only; bumping `tag`
    # without updating `digest` does not change what runs.
    registry: cgr.dev
    tag: "1.19"
    digest: sha256:f566e87b88862d26efd05492fd845266c3f3ab631f88e449d1d2508bfe04c39b

  rbac:
    # annotations for the startup API Check job RBAC and PSP resources.
    # NOTE(review): PodSecurityPolicy was removed from Kubernetes in 1.25;
    # whether this chart still renders a PSP cannot be determined from this
    # file, so the "PSP" part of this comment may be stale.
    # Weight -5 runs these hooks before the Job (weight 1) so its
    # permissions exist by the time it starts.
    # +docs:property
    annotations:
      helm.sh/hook: post-install
      helm.sh/hook-weight: "-5"
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded

  # Automounting API credentials for a particular pod.
  # +docs:property
  # automountServiceAccountToken: true

  serviceAccount:
    # Specifies whether a service account should be created.
    create: true

    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template.
    # +docs:property
    # name: ""

    # Optional additional annotations to add to the Job's Service Account.
    # Same hook settings as `rbac.annotations`, so the account is created
    # before the Job and cleaned up once it succeeds.
    # +docs:property
    annotations:
      helm.sh/hook: post-install
      helm.sh/hook-weight: "-5"
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded

    # Automount API credentials for a Service Account.
    # +docs:property
    automountServiceAccountToken: true

    # Optional additional labels to add to the startupapicheck's Service Account.
    # +docs:property
    # labels: {}

  # Additional volumes to add to the startupapicheck Job pod.
  # (The upstream comment says "controller pod"; this key is under `startupapicheck`.)
  volumes: []

  # Additional volume mounts to add to the startupapicheck container.
  volumeMounts: []

  # enableServiceLinks indicates whether information about services should be
  # injected into pod's environment variables, matching the syntax of Docker
  # links.
  enableServiceLinks: false
# Create dynamic manifests via values.
#
# The example uses Helm template syntax, so entries here are apparently
# rendered as templates and then applied with the release's privileges.
# Anything placed here is effectively cluster configuration: source it from
# reviewed, version-controlled values only.
#
# For example:
#  extraObjects:
#    - |
#      apiVersion: v1
#      kind: ConfigMap
#      metadata:
#        name: '{{ template "cert-manager.fullname" . }}-extra-configmap'
extraObjects: []

# Field used by our release pipeline to produce the static manifests.
# The field defaults to "helm" but is set to "static" when we render
# the static YAML manifests.
# +docs:hidden
creator: "helm"

# Field that can be used as a condition when cert-manager is a dependency.
# This definition is only here as a placeholder such that it is included in
# the json schema.
# See https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags
# for more info.
# +docs:hidden
enabled: true
