trust-manager

Helm chart
Default values
```yaml
# +docs:section=Global
global:
  rbac:
    # Create required ClusterRoles, Roles, ClusterRoleBindings and RoleBindings for trust-manager.
    create: true
    # Aggregate read access to Bundles into the "cluster-reader" ClusterRole, mirroring how cert-manager aggregates its cluster-scoped ClusterIssuers. Bundle is a cluster-scoped resource, so this only takes effect for subjects bound via a ClusterRoleBinding.
    # For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles).
    aggregateClusterRoles: true

# +docs:section=CRDs
crds:
  # This option decides if the CRDs should be installed
  # as part of the Helm installation.
  enabled: true
  # This option makes it so that the "helm.sh/resource-policy": keep
  # annotation is added to the CRD. This will prevent Helm from uninstalling
  # the CRD when the Helm release is uninstalled.
  # WARNING: when the CRDs are removed, all cert-manager custom resources
  # (Certificates, Issuers, ...) will be removed too by the garbage collector.
  keep: true

# +docs:section=Trust Manager

# The number of replicas of trust-manager to run.
#
# For example:
#   Use an integer to set a fixed number of replicas
#     replicaCount: 2
#
#   Use null if you want to omit the replicas field and use the Kubernetes default value.
#     replicaCount: null
#
#   Use a string if you want to insert a variable for post-processing of the rendered template.
#     replicaCount: ${REPLICAS_OVERRIDE:=3}
#
# +docs:type=number,string,null
replicaCount: 1

# The number of old ReplicaSets to retain to allow rollback.
# If set to 0, no old ReplicaSets are retained.
# +docs:type=number,null
revisionHistoryLimit: 10

nameOverride: ""

# The namespace to install trust-manager into.
# If not set, the namespace of the release is used.
# This is helpful when installing trust-manager as a chart dependency (sub chart).
namespace: ""

# For private Docker registries, authentication is needed. Registry secrets are applied to the service account.
imagePullSecrets: []

# The container registry used for trust-manager images by default.
# This can include path prefixes (e.g. "artifactory.example.com/docker").
# +docs:property
imageRegistry: quay.io

# The repository namespace used for trust-manager images by default.
# Examples:
#   - jetstack
#   - cert-manager
# +docs:property
imageNamespace: jetstack

image:
  # Target image registry. This value is prepended to the target image repository, if set.
  # For example:
  #   registry: legacy.example.io
  # Deprecated: per-component registry prefix.
  #
  # If set, this value is *prepended* to the image repository that the chart would otherwise render.
  # This applies both when `image.repository` is set and when the repository is computed from
  # `imageRegistry` + `imageNamespace` + `image.name`.
  #
  # This can produce "double registry" style references such as
  # `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
  # `imageRegistry`/`imageNamespace` values.
  # +docs:property
  # registry: quay.io

  # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
  # and `image.name`).
  # Example: quay.io/jetstack/trust-manager
  # +docs:property
  repository: cgr.dev/chainguard-private/trust-manager

  # The image name for trust-manager.
  # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
  # image reference.
  # +docs:property
  name: trust-manager

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion is used.
  # +docs:property
  # tag: vX.Y.Z

  # Target image digest. Overrides any tag, if set.
  # For example:
  #   digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
  # +docs:property
  # digest: sha256:...

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent
  tag: latest
  digest: sha256:890519dd7875db084c3aa1f6d82ab3bb9fda73321e4141117221a7bca94c1e22

defaultPackage:
  # Whether to load the default trust package during pod initialization, and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles.
  enabled: true
  # Kubernetes pod resource limits for the default package init container.
  #
  # For example:
  #   resources:
  #     limits:
  #       cpu: 100m
  #       memory: 128Mi
  #     requests:
  #       cpu: 100m
  #       memory: 128Mi
  resources: {}
  # Security Context to be set on the trust-manager default package init container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

defaultPackageImage:
  # Target image registry. This value is prepended to the target image repository, if set.
  # For example:
  #   registry: quay.io
  #   repository: jetstack/cert-manager-package-debian
  # Deprecated: per-component registry prefix.
  #
  # If set, this value is *prepended* to the image repository that the chart would otherwise render.
  # This applies both when `image.repository` is set and when the repository is computed from
  # `imageRegistry` + `imageNamespace` + `image.name`.
  #
  # This can produce "double registry" style references such as
  # `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
  # `imageRegistry`/`imageNamespace` values.
  # +docs:property
  # registry: quay.io

  # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
  # and `image.name`).
  # Example: quay.io/jetstack/trust-manager
  # +docs:property
  repository: cgr.dev/chainguard-private/cert-manager-package-12

  # The image name for the default package image.
  # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
  # image reference.
  # +docs:property
  name: trust-pkg-debian-trixie

  # Override the image tag of the default package image.
  # Is set at chart build time to the version specified in ./make/00_debian_trixie_version.mk.
  # +docs:property
  # tag: vX.Y.Z

  # Target image digest. Overrides any tag, if set.
  # For example:
  #   digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
  # +docs:property
  # digest: sha256:...

  # WARNING: For internal use only, is overwritten before releasing the chart.
  # +docs:hidden
  _defaultReference: :20230311-deb12u1.7

  # imagePullPolicy for the default package image.
  pullPolicy: IfNotPresent
  tag: latest
  digest: sha256:c854b6be72f01cd1e9fa9a72815eafa25c9ae85fe4b09c7888cc374f70d1b2f2

# Automounting API credentials for the trust-manager pod.
# +docs:property
automountServiceAccountToken: true

serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  # +docs:property
  # name: ""

  # Automount API credentials for a Service Account.
  # +docs:property
  automountServiceAccountToken: true

# Additional volumes to add to the trust-manager pod.
volumes: []

# Additional volume mounts to add to the trust-manager container.
volumeMounts: []

secretTargets:
  # If set to true, enable writing trust bundles to Kubernetes Secrets as a target.
  # trust-manager can only write to secrets which are explicitly allowed via either authorizedSecrets or authorizedSecretsAll.
  # Note that enabling secret targets will grant trust-manager read access to all secrets in the cluster.
  enabled: false
  # If set to true, grant read/write permission to all secrets across the cluster. Use with caution!
  # If set, ignores the authorizedSecrets list.
  authorizedSecretsAll: false
  # A list of secret names which trust-manager will be permitted to read and write across all namespaces.
  # These are the only allowable Secrets that can be used as targets. If the list is empty (and authorizedSecretsAll is false),
  # trust-manager can't write to secrets and can only read secrets in the trust namespace for use as sources.
  authorizedSecrets: []

# Kubernetes pod resource limits for trust-manager.
#
# For example:
#   resources:
#     limits:
#       cpu: 100m
#       memory: 128Mi
#     requests:
#       cpu: 100m
#       memory: 128Mi
resources: {}

# Security Context to be set on the trust-manager Pod. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
podSecurityContext: {}

# Configure the priority class of the pod. For more information, see [PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass).
priorityClassName: ""

# Configure the nodeSelector; defaults to any Linux node (trust-manager doesn't support Windows nodes).
# +docs:property
nodeSelector:
  kubernetes.io/os: linux

# Kubernetes Affinity. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
# For example:
#   affinity:
#     nodeAffinity:
#       requiredDuringSchedulingIgnoredDuringExecution:
#         nodeSelectorTerms:
#         - matchExpressions:
#           - key: foo.bar.com/role
#             operator: In
#             values:
#             - master
affinity: {}

# List of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
# For example:
#   tolerations:
#   - key: foo.bar.com/role
#     operator: Equal
#     value: master
#     effect: NoSchedule
tolerations: []

# List of Kubernetes TopologySpreadConstraints. For more information, see [TopologySpreadConstraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
# For example:
#   topologySpreadConstraints:
#   - maxSkew: 2
#     topologyKey: topology.kubernetes.io/zone
#     whenUnsatisfiable: ScheduleAnyway
#     labelSelector:
#       matchLabels:
#         app.kubernetes.io/name: trust-manager
topologySpreadConstraints: []

filterExpiredCertificates:
  # Whether to filter expired certificates from the trust bundle.
  enabled: false

filterNonCACerts:
  # Filter non-CA certificates; only CAs are used in the resulting Bundle.
  enabled: false

app:
  # Minimum TLS version supported. If omitted, the default Go minimum version will be used.
  minTLSVersion: ""
  # Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
  cipherSuites: ""
  # The format of trust-manager logging. Accepted values are text or json.
  logFormat: text
  # The verbosity of trust-manager logging. This takes a value from 1-5, with the higher value being more verbose.
  logLevel: 1

  leaderElection:
    # Whether to enable leader election for trust-manager.
    enabled: true
    # The duration that non-leader candidates will wait to force acquire leadership.
    # The default should be sufficient in a healthy cluster but can be slightly increased to prevent trust-manager from restart-looping when the API server is overloaded.
    leaseDuration: 15s
    # The interval between attempts by the acting leader to renew a leadership slot before it stops leading.
    # This MUST be less than or equal to the lease duration.
    # The default should be sufficient in a healthy cluster but can be slightly increased to prevent trust-manager from restart-looping when the API server is overloaded.
    renewDeadline: 10s

  readinessProbe:
    # The container port on which to expose the trust-manager HTTP readiness probe using the default network interface.
    port: 6060
    # The path on which to expose the trust-manager HTTP readiness probe using the default network interface.
    path: "/readyz"

  trust:
    # The namespace used as the trust source. Note that the namespace _must_ exist
    # before installing trust-manager.
    namespace: cert-manager
    # List of target namespaces that trust-manager can write to. By default, trust-manager can write targets in any namespace.
    # +docs:property
    # targetNamespaces: ["ns-1", "ns-2"]

  # Security Context to be set on the trust-manager app container. For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  securityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

  # Pod labels to add to trust-manager pods.
  podLabels: {}
  # Pod annotations to add to trust-manager pods.
  podAnnotations: {}

  # +docs:section=Webhook
  webhook:
    # Host that the webhook listens on.
    host: 0.0.0.0
    # Port that the webhook listens on.
    port: 6443
    # Timeout of the webhook HTTP request.
    timeoutSeconds: 5

    service:
      # The type of Kubernetes Service used by the Webhook.
      type: ClusterIP
      # Set the IP family policy to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
      ipFamilyPolicy: ""
      # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
      ipFamilies: []
      # The nodePort set on the Service used by the webhook.
      # +docs:property
      # nodePort: 8080

    tls:
      helmCert:
        # Whether to issue a webhook cert using Helm, which removes the need to install cert-manager.
        # Helm-issued certificates can be challenging to rotate and maintain, and the issued cert will have a duration of 10 years and be modified when trust-manager is updated.
        # It's safer and easier to rely on cert-manager for issuing the webhook cert - avoid using Helm-generated certs in production.
        enabled: false

      approverPolicy:
        # Whether to create an approver-policy CertificateRequestPolicy allowing auto-approval of the trust-manager webhook certificate. If you have approver-policy installed, you almost certainly want to enable this.
        enabled: false
        # The namespace in which cert-manager was installed. Only used if `app.webhook.tls.approverPolicy.enabled` is true.
        certManagerNamespace: "cert-manager"
        # The name of cert-manager's Service Account. Only used if `app.webhook.tls.approverPolicy.enabled` is true.
        certManagerServiceAccount: "cert-manager"

      # Configure certificate duration and add labels/annotations to secrets created by Certificate resources when using a cert-manager provisioned TLS certificate.
      certificate:
        # Certificate duration; if unset/empty the default from cert-manager will be used. Example configuration to set 1 year: duration: 8766h
        duration: ""
        secretTemplate: {}
        # For example:
        #   annotations:
        #     my-secret-annotation-1: "foo"
        #     my-secret-annotation-2: "bar"
        #   labels:
        #     my-secret-label: foo

    # This value specifies if the app should be started in hostNetwork mode. It is required for use in some managed Kubernetes clusters (such as AWS EKS) with custom CNI.
    hostNetwork: false

  # +docs:section=Metrics
  metrics:
    # The port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
    port: 9402
    # The service to expose the metrics endpoint.
    service:
      # Create a Service resource to expose the metrics endpoint.
      enabled: true
      # The Service type to expose metrics.
      type: ClusterIP
      # Set the IP family policy to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
      ipFamilyPolicy: ""
      # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
      ipFamilies: []
      # The ServiceMonitor resource for this Service.
      servicemonitor:
        # Create a Prometheus ServiceMonitor for trust-manager.
        enabled: false
        # Sets the value of the "prometheus" label on the ServiceMonitor.
        # This is used so that separate Prometheus instances can select different ServiceMonitors using labels.
        prometheusInstance: default
        # The interval to scrape the metrics.
        interval: 10s
        # The timeout for a metrics scrape.
        scrapeTimeout: 5s
        # Additional labels to add to the ServiceMonitor.
        labels: {}
        # EndpointAdditionalProperties allows setting additional properties on the
        # endpoint such as relabelings, metricRelabelings etc.
        #
        # For example:
        #   endpointAdditionalProperties:
        #     relabelings:
        #     - action: replace
        #       sourceLabels:
        #       - __meta_kubernetes_pod_node_name
        #       targetLabel: instance
        #
        # +docs:property
        endpointAdditionalProperties: {}

podDisruptionBudget:
  # Enable or disable the PodDisruptionBudget resource.
  #
  # This prevents downtime during voluntary disruptions such as during a Node upgrade.
  # For example, the PodDisruptionBudget will block `kubectl drain`
  # if it is used on the Node where the only remaining trust-manager
  # Pod is currently running.
  enabled: false

  # This configures the minimum available pods for disruptions. It can either be set to
  # an integer (e.g. 1) or a percentage value (e.g. 25%).
  # It cannot be used if `maxUnavailable` is set.
  # +docs:type=unknown
  # +docs:property
  # minAvailable: 1

  # This configures the maximum unavailable pods for disruptions. It can either be set to
  # an integer (e.g. 1) or a percentage value (e.g. 25%).
  # It cannot be used if `minAvailable` is set.
  # +docs:type=unknown
  # +docs:property
  # maxUnavailable: 1

# Labels to apply to all resources.
commonLabels: {}

# Annotations to apply to all resources.
# NOTE: These annotations won't be added to the CRDs.
commonAnnotations: {}

# Extra manifests to be deployed. This is useful for deploying additional resources that are not part of the chart.
# For example:
#   extraObjects:
#   - apiVersion: cilium.io/v2
#     kind: CiliumNetworkPolicy
#     metadata:
#       name: trust-manager
#       namespace: trust-manager
#     spec:
#       endpointSelector:
#         matchLabels:
#           io.cilium.k8s.policy.serviceaccount: trust-manager
#       egress:
#       - toEntities:
#         - kube-apiserver
extraObjects: []

# Field to optionally disable installation of the chart when wrapping it as a
# dependency in another chart.
# This matches the Helm best practices:
# https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags
# +docs:hidden
enabled: true
```