
kustomize-mutating-webhook

Helm chart

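# Default values for kustomize-mutating-webhook.
#
# NOTE(review): the nesting in this file was reconstructed from a listing that
# had lost its indentation. Repeated keys (create, enabled, name, annotations,
# cpu, memory) force most of the structure, but the placement of
# webhook.namespaceSelector and certManager.CASClusterIssuer is inferred.
# Confirm both against the chart's own values.yaml.

# -- Number of webhook pod replicas
replicas: 2
image:
  # -- Container image repository
  repository: cgr.dev/chainguard-private/kustomize-mutating-webhook-fips
  # -- Image pull policy
  pullPolicy: Always
  # NOTE(review): the value below carries both a tag and a sha256 digest. The
  # digest is what identifies the image content, so treat it as the pin and
  # update it deliberately. The "latest" part does not make the reference float
  # as long as the digest is kept.
  # -- Image tag (overrides the image tag whose default is the chart appVersion)
  tag: latest@sha256:987d7b5552fd86bf905f452a96ef2711ae9ae86f072916e0f4aced35a7863fab
# NOTE(review): the repository path looks like a private registry namespace.
# With an empty list here, pulls depend on credentials configured elsewhere
# (node or service-account level). Confirm which one applies.
# -- Secrets for pulling images from private registries
imagePullSecrets: []
# -- Override the name of the chart
nameOverride: ""
# -- Override the full name of the release
fullnameOverride: ""
serviceAccount:
  # -- Specifies whether a service account should be created
  create: true
  # -- Automatically mount service account token (required for auto-update feature)
  automountServiceAccountToken: true
  # -- The name of the service account to use. If not set and create is true, a name is generated using the fullname template
  name: ""
  # -- Annotations to add to the service account (e.g. for AWS IRSA or GKE Workload Identity)
  annotations: {}
rbac:
  # NOTE(review): this grants cluster-scoped permissions to the mounted service
  # account token. Review the rendered ClusterRole rules and check that they
  # are limited to the verbs and resources the webhook needs.
  # -- Create RBAC resources (ClusterRole and ClusterRoleBinding)
  # Required for auto-update feature to list and update Kustomizations
  create: true
# NOTE(review): no seccompProfile appears in either security context below.
# The Pod Security "restricted" profile also expects seccompProfile.type
# RuntimeDefault or Localhost. Confirm whether the chart templates set it.
podSecurityContext:
  # -- Run container as non-root user
  runAsNonRoot: true
  # -- User ID to run the container as
  runAsUser: 1000
  # -- Group ID to run the container as
  runAsGroup: 1000
securityContext:
  # -- Prevent privilege escalation
  allowPrivilegeEscalation: false
  # -- Mount root filesystem as read-only
  readOnlyRootFilesystem: true
  capabilities:
    # -- Drop all capabilities
    drop:
      - ALL
service:
  # -- Kubernetes service type
  type: ClusterIP
  # -- Service port for webhook server
  port: 8443
  # -- Create a headless service (no cluster IP)
  headless: true
resources:
  requests:
    # -- CPU resource requests
    cpu: 100m
    # -- Memory resource requests
    memory: 128Mi
  limits:
    # -- CPU resource limits
    cpu: 500m
    # -- Memory resource limits
    memory: 256Mi
# -- Additional labels to add to all resources
additionalLabels: {}
  # custom-label: "example"
# -- Annotations to add to all resources
annotations: {}
# -- Annotations to add to the pod
podAnnotations: {}
# -- Node selector for pod assignment
nodeSelector: {}
# -- Tolerations for pod assignment
tolerations: []
# -- Affinity rules for pod assignment
affinity: {}
# -- Topology spread constraints for pod scheduling
topologySpreadConstraints: []
webhook:
  # NOTE(review): Fail is fail-closed. When the webhook is unreachable or
  # exceeds timeoutSeconds, matching admission requests are rejected instead of
  # being admitted unmutated. Keep replicas and podDisruptionBudget sized so
  # that a node drain or rollout does not block those requests. Ignore trades
  # that risk for objects passing through without mutation.
  # -- Failure policy for the mutating webhook (Fail or Ignore)
  failurePolicy: Fail
  # -- Timeout in seconds for the webhook
  timeoutSeconds: 10
  namespaceSelector:
    # -- Match expressions to select namespaces where the webhook should apply
    matchExpressions:
      - key: kubernetes.io/metadata.name
        operator: NotIn
        values:
          - "flux-system"
certManager:
  # -- Enable cert-manager integration for TLS certificate management
  enabled: true
  # -- Certificate duration (90 days default)
  certificateDuration: "2160h"  # 90d
  # -- Certificate renewal threshold (15 days before expiry)
  certificateRenewBefore: "360h"  # 15d
  CASClusterIssuer:
    # -- Enable AWS Private CA or Google CAS cluster issuer
    enabled: false
    # -- API group for the CAS issuer (awspca.cert-manager.io or cas-issuer.jetstack.io)
    group: "awspca.cert-manager.io"  # cas-issuer.jetstack.io|awspca.cert-manager.io
    # -- Kind of CAS issuer (AWSPCAClusterIssuer or GoogleCASClusterIssuer)
    kind: "AWSPCAClusterIssuer"  # GoogleCASClusterIssuer|AWSPCAClusterIssuer
    # -- Name of the CAS cluster issuer
    name: casissuer-name
# -- ConfigMaps watched via the Kubernetes API for substitution variables (names passed to WATCH_CONFIGMAPS env var)
configMaps:
  - create: false
    name: cluster-config
    data: {}
# NOTE(review): values read from the Secrets listed here are used as
# substitution variables. Confirm where the substituted values end up being
# stored and who can read those objects before listing a Secret.
# -- Secrets watched via the Kubernetes API for substitution variables (names passed to WATCH_SECRETS env var)
secrets: []
  # - name: my-cluster-secrets

env:
  # -- Log level (debug, info, warn, error, fatal, panic)
  LOG_LEVEL: info
  # -- Rate limit for webhook requests per second
  RATE_LIMIT: "100"
  # -- Enable automatic triggering of Kustomization updates when ConfigMaps/Secrets change
  AUTO_UPDATE_KUSTOMIZATIONS: "true"
  # -- Comma-separated list of namespaces to exclude from auto-update (default: flux-system)
  AUTO_UPDATE_EXCLUDE_NAMESPACES: "flux-system"
podDisruptionBudget:
  # -- Enable pod disruption budget
  enabled: true
  # -- Minimum number of available pods during disruptions
  minAvailable: 1
networkpolicy:
  # NOTE(review): a NetworkPolicy is only enforced when the cluster's network
  # plugin implements NetworkPolicy. Otherwise the object is created but has
  # no effect.
  # -- Create a NetworkPolicy to restrict traffic to the webhook
  create: true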
