cert-manager
Helm chart

Default values
# +docs:section=Global

# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
  # Reference to one or more secrets to be used when pulling images.
  # For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
  #
  # For example:
  #  imagePullSecrets:
  #    - name: "image-pull-secret"
  imagePullSecrets: []

  # Global node selector
  #
  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
  # matching labels.
  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
  #
  # If a component-specific nodeSelector is also set, it will be merged and take precedence.
  # +docs:property
  nodeSelector: {}

  # Labels to apply to all resources.
  # Please note that this does not add labels to the resources created dynamically by the controllers.
  # For these resources, you have to add the labels in the template in the cert-manager custom resource:
  # For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
  # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).
  # For example, secretTemplate in CertificateSpec
  # For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
  commonLabels: {}

  # The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).
  # +docs:property
  # revisionHistoryLimit: 1

  # The optional priority class to be used for the cert-manager pods.
  priorityClassName: ""

  # Set all pods to run in a user namespace without host access.
  # Experimental: may be removed once the Kubernetes User Namespaces feature is GA.
  #
  # Requirements:
  # - Kubernetes ≥ 1.33, or
  # - Kubernetes 1.27–1.32 with UserNamespacesSupport feature gate enabled.
  #
  # Set to false to run pods in a user namespace without host access.
  #
  # See [limitations](https://kubernetes.io/docs/concepts/workloads/pods/user-namespaces/#limitations) for details.
  # +docs:property
  # hostUsers: false

  rbac:
    # Create required ClusterRoles and ClusterRoleBindings for cert-manager.
    create: true
    # Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles).
    aggregateClusterRoles: true

  podSecurityPolicy:
    # Create PodSecurityPolicy for cert-manager.
    #
    # Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
    enabled: false
    # Configure the PodSecurityPolicy to use AppArmor.
    useAppArmor: true

  # Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose.
  logLevel: 2

  leaderElection:
    # Override the namespace used for the leader election lease.
    namespace: "kube-system"

    # The duration that non-leader candidates will wait after observing a
    # leadership renewal until attempting to acquire leadership of a led but
    # unrenewed leader slot. This is effectively the maximum duration that a
    # leader can be stopped before it is replaced by another candidate.
    # +docs:property
    # leaseDuration: 60s

    # The interval between attempts by the acting master to renew a leadership
    # slot before it stops leading. This must be less than or equal to the
    # lease duration.
    # +docs:property
    # renewDeadline: 40s

    # The duration the clients should wait between attempting acquisition and
    # renewal of a leadership.
    # +docs:property
    # retryPeriod: 15s

# This option is equivalent to setting crds.enabled=true and crds.keep=true.
# Deprecated: use crds.enabled and crds.keep instead.
installCRDs: false

crds:
  # This option decides if the CRDs should be installed
  # as part of the Helm installation.
  enabled: false

  # This option makes it so that the "helm.sh/resource-policy": keep
  # annotation is added to the CRD. This will prevent Helm from uninstalling
  # the CRD when the Helm release is uninstalled.
  # WARNING: when the CRDs are removed, all cert-manager custom resources
  # (Certificates, Issuers, ...) will be removed too by the garbage collector.
  keep: true

# +docs:section=Controller

# The number of replicas of the cert-manager controller to run.
#
# The default is 1, but in production set this to 2 or 3 to provide high
# availability.
#
# If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.
#
# Note that cert-manager uses leader election to ensure that there can
# only be a single instance active at a time.
replicaCount: 1

# Deployment update strategy for the cert-manager controller deployment.
# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
#
# For example:
#  strategy:
#    type: RollingUpdate
#    rollingUpdate:
#      maxSurge: 0
#      maxUnavailable: 1
strategy: {}

podDisruptionBudget:
  # Enable or disable the PodDisruptionBudget resource.
  #
  # This prevents downtime during voluntary disruptions such as during a Node upgrade.
  # For example, the PodDisruptionBudget will block `kubectl drain`
  # if it is used on the Node where the only remaining cert-manager
  # Pod is currently running.
  enabled: false

  # This configures the minimum available pods for disruptions. It can either be set to
  # an integer (e.g., 1) or a percentage value (e.g., 25%).
  # It cannot be used if `maxUnavailable` is set.
  # +docs:property
  # +docs:type=unknown
  # minAvailable: 1

  # This configures the maximum unavailable pods for disruptions. It can either be set to
  # an integer (e.g., 1) or a percentage value (e.g., 25%).
  # It cannot be used if `minAvailable` is set.
  # +docs:property
  # +docs:type=unknown
  # maxUnavailable: 1

  # This configures how to act with unhealthy pods during eviction.
  # Note that this requires Kubernetes 1.31 or the `PDBUnhealthyPodEvictionPolicy` feature gate enabled for
  # the cluster to work.
  # +docs:property
  # +docs:type=string
  # unhealthyPodEvictionPolicy: AlwaysAllow

# A comma-separated list of feature gates that should be enabled on the
# controller pod.
featureGates: ""

# The maximum number of challenges that can be scheduled as 'processing' at once.
maxConcurrentChallenges: 60

# The container registry used for all cert-manager images by default.
# This can include path prefixes (e.g. `artifactory.example.com/docker`).
# +docs:property
imageRegistry: quay.io

# The repository namespace used for all cert-manager images by default.
# Examples:
# - jetstack
# - cert-manager
# +docs:property
imageNamespace: jetstack

image:
  # Deprecated: per-component registry prefix.
  #
  # If set, this value is *prepended* to the image repository that the chart would otherwise render.
  # This applies both when `image.repository` is set and when the repository is computed from
  # `imageRegistry` + `imageNamespace` + `image.name`.
  #
  # This can produce "double registry" style references such as `legacy.example.io/quay.io/jetstack/...`.
  # Prefer using the global `imageRegistry`/`imageNamespace` values.
  # +docs:property
  # registry: ""

  # The image name for the cert-manager controller.
  # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full image reference.
  # +docs:property
  name: cert-manager-controller

  # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `image.name`).
  # Example: quay.io/jetstack/cert-manager-controller
  # +docs:property
  repository: chainguard-private/cert-manager-controller

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion is used.
  # +docs:property
  # tag: vX.Y.Z

  # Setting a digest pins the image. If a tag is also set, the rendered reference will include
  # both ("image:tag@digest"), though only the digest will be used for pulling.
  # +docs:property
  # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent
  registry: cgr.dev
  tag: "1.20"
  digest: sha256:7633d0eb0f3e4de4dd105bd3a770fc476c560d8ae51a7baa9a0e52a01516b4df

# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""

# This namespace allows you to define where the services are installed into.
# If not set then they use the namespace of the release.
# This is helpful when installing cert manager as a chart dependency (sub chart).
namespace: ""

# Override the "cert-manager.fullname" value. This value is used as part of
# most of the names of the resources created by this Helm chart.
# +docs:property
# fullnameOverride: "my-cert-manager"

# Override the "cert-manager.name" value, which is used to annotate some of
# the resources that are created by this Chart (using "app.kubernetes.io/name").
# NOTE: There are some inconsistencies in the Helm chart when it comes to
# these annotations (some resources use, e.g., "cainjector.name" which resolves
# to the value "cainjector").
# +docs:property
# nameOverride: "my-cert-manager"

serviceAccount:
  # Specifies whether a service account should be created.
  create: true

  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  # +docs:property
  # name: ""

  # Optional additional annotations to add to the controller's Service Account. Templates are allowed for both keys and values.
  # Example using templating:
  #  annotations:
  #    "{{ .Chart.Name }}-helm-chart/version": "{{ .Chart.Version }}"
  # +docs:property
  # annotations: {}

  # Optional additional labels to add to the controller's Service Account.
  # +docs:property
  # labels: {}

  # Automount API credentials for a Service Account.
  automountServiceAccountToken: true

# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true

# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted.
enableCertificateOwnerRef: false

# This property is used to configure options for the controller pod.
# This allows setting options that would usually be provided using flags.
#
# If `apiVersion` and `kind` are unspecified they default to the current latest
# version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin
# the version by specifying the `apiVersion` yourself.
#
# For example:
#  config:
#    apiVersion: controller.config.cert-manager.io/v1alpha1
#    kind: ControllerConfiguration
#    logging:
#      verbosity: 2
#      format: text
#    leaderElectionConfig:
#      namespace: kube-system
#    kubernetesAPIQPS: 9000
#    kubernetesAPIBurst: 9000
#    numberOfConcurrentWorkers: 200
#    enableGatewayAPI: true
#    # Feature gates as of v1.20.0. Listed with their default values.
#    # See https://cert-manager.io/docs/cli/controller/
#    featureGates:
#      AllAlpha: false # ALPHA - default=false
#      AllBeta: false # BETA - default=false
#      ACMEHTTP01IngressPathTypeExact: true # BETA - default=true
#      ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false
#      ExperimentalGatewayAPISupport: true # BETA - default=true
#      LiteralCertificateSubject: true # BETA - default=true
#      NameConstraints: true # BETA - default=true
#      OtherNames: true # BETA - default=true
#      SecretsFilteredCaching: true # BETA - default=true
#      ServerSideApply: false # ALPHA - default=false
#      StableCertificateRequestName: true # BETA - default=true
#      UseCertificateRequestBasicConstraints: false # ALPHA - default=false
#    # Configure the metrics server for TLS
#    # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
#    metricsTLSConfig:
#      dynamic:
#        secretNamespace: "cert-manager"
#        secretName: "cert-manager-metrics-ca"
#        dnsNames:
#        - cert-manager-metrics
#    # Configure PEM size limits for certificate validation
#    # Useful for certificates with many DNS names (e.g., Istio gateways with 100+ DNS names)
#    pemSizeLimitsConfig:
#      maxCertificateSize: 36500 # Maximum size in bytes for individual certificates (default: 36500)
#      maxPrivateKeySize: 13000 # Maximum size in bytes for private keys (default: 13000)
#      maxChainLength: 95000 # Maximum size in bytes for certificate chains (default: 95000)
#      maxBundleSize: 330000 # Maximum size in bytes for certificate bundles (default: 330000)
config: {}

# Setting Nameservers for DNS01 Self Check.
# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check).

# A comma-separated string with the host and port of the recursive nameservers cert-manager should query.
dns01RecursiveNameservers: ""

# Forces cert-manager to use only the recursive nameservers for verification.
# Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.
dns01RecursiveNameserversOnly: false

# Option to disable cert-manager's built-in auto-approver. The auto-approver
# approves all CertificateRequests that reference issuers matching the 'approveSignerNames'
# option. This 'disableAutoApproval' option is useful when you want to make all approval decisions
# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy).
disableAutoApproval: false

# List of signer names that cert-manager will approve by default. CertificateRequests
# referencing these signer names will be auto-approved by cert-manager. Defaults to just
# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
# because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.
# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
# +docs:property
approveSignerNames:
- issuers.cert-manager.io/*
- clusterissuers.cert-manager.io/*

# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
#
# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.
#
# For example:
#  extraArgs:
#    - --controllers=*,-certificaterequests-approver
extraArgs: []

# Extra containers to add to the pod spec in the deployment of the cert-manager controller.
# For example, to deploy the [aws_signing_helper](https://github.com/aws/rolesanywhere-credential-helper) (replacing the ARNs as relevant):
#
# extraEnv:
# - name: AWS_EC2_METADATA_SERVICE_ENDPOINT
#   value: http://127.0.0.1:9911
# extraContainers:
# - name: rolesanywhere-credential-helper
#   image: public.ecr.aws/rolesanywhere/credential-helper:latest
#   command: [aws_signing_helper]
#   args:
#     - serve
#     - --private-key
#     - /etc/cert/tls.key
#     - --certificate
#     - /etc/cert/tls.crt
#     - --role-arn
#     - $ROLE_ARN
#     - --profile-arn
#     - $PROFILE_ARN
#     - --trust-anchor-arn
#     - $TRUST_ANCHOR_ARN
#   volumeMounts:
#     - name: cert
#       mountPath: /etc/cert/
#       readOnly: true
# volumes:
# - name: cert
#   secret:
#     secretName: cert
extraContainers: []

# Additional environment variables to pass to cert-manager controller binary.
# For example:
#  extraEnv:
#  - name: SOME_VAR
#    value: 'some value'
extraEnv: []

# Resources to provide to the cert-manager controller pod.
#
# For example:
#  requests:
#    cpu: 10m
#    memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
resources: {}

# Pod Security Context.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault

# Container Security Context to be set on the controller component container.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
containerSecurityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop:
    - ALL
  readOnlyRootFilesystem: true

# Additional volumes to add to the cert-manager controller pod.
volumes: []

# Additional volume mounts to add to the cert-manager controller container.
volumeMounts: []

# Optional additional annotations to add to the controller Deployment.
# +docs:property
# deploymentAnnotations: {}

# Optional additional annotations to add to the controller Pods.
# +docs:property
# podAnnotations: {}

# Optional additional labels to add to the controller Pods.
podLabels: {}

# Optional annotations to add to the controller Service.
# +docs:property
# serviceAnnotations: {}

# Optional additional labels to add to the controller Service.
# +docs:property
# serviceLabels: {}

# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
# +docs:property
# serviceIPFamilyPolicy: ""

# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
# +docs:property
# serviceIPFamilies: []

# Optional DNS settings. These are useful if you have a public and private DNS zone for
# the same domain on Route 53. The following is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# Note that this requires Kubernetes 1.10 or the `CustomPodDNS` feature gate enabled for
# the cluster to work.

# Pod DNS policy.
# For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
# +docs:property
# podDnsPolicy: "None"

# Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy
# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified.
# For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config).
# +docs:property
# podDnsConfig:
#   nameservers:
#     - "1.1.1.1"
#     - "8.8.8.8"

# Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks.
hostAliases: []
# - ip: 127.0.0.1
#   hostnames:
#   - foo.local
#   - bar.local
# - ip: 10.1.2.3
#   hostnames:
#   - foo.remote
#   - bar.remote

# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
  kubernetes.io/os: linux

# Enables default network policies for cert-manager.
# This provides a way for you to restrict network traffic
# between cert-manager components and other pods.
# For more information, see [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/).
# NOTE: an incorrect networkPolicy will cause traffic to be dropped.
networkPolicy:
  # Create network policies for cert-manager.
  enabled: false

  # Ingress rule for the cert-manager network policy.
  # By default all pods are allowed access to:
  # http-metrics and http-healthz ports
  # +docs:property
  ingress:
  - ports:
    - port: http-metrics
      protocol: TCP
    - port: http-healthz
      protocol: TCP

  # Egress rule for the cert-manager network policy. By default, it allows all
  # outbound traffic to ports 80 and 443, as well as DNS ports.
  # +docs:property
  egress:
  - ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    # On OpenShift and OKD, the Kubernetes API server listens on
    # port 6443.
    - port: 6443
      protocol: TCP

# +docs:ignore
ingressShim: {}

  # Optional default issuer to use for ingress resources.
  # +docs:property=ingressShim.defaultIssuerName
  # defaultIssuerName: ""

  # Optional default issuer kind to use for ingress resources.
  # +docs:property=ingressShim.defaultIssuerKind
  # defaultIssuerKind: ""

  # Optional default issuer group to use for ingress resources.
  # +docs:property=ingressShim.defaultIssuerGroup
  # defaultIssuerGroup: ""

# Use these variables to configure the HTTP_PROXY environment variables.

# Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# http_proxy: "http://proxy:8080"

# Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# https_proxy: "https://proxy:8080"

# Configures the NO_PROXY environment variable where a HTTP proxy is required,
# but certain domains should be excluded.
# +docs:property
# no_proxy: 127.0.0.1,localhost

# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
#  affinity:
#    nodeAffinity:
#      requiredDuringSchedulingIgnoredDuringExecution:
#        nodeSelectorTerms:
#        - matchExpressions:
#          - key: foo.bar.com/role
#            operator: In
#            values:
#            - master
affinity: {}

# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
#  tolerations:
#  - key: foo.bar.com/role
#    operator: Equal
#    value: master
#    effect: NoSchedule
tolerations: []

# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
#
# For example:
#  topologySpreadConstraints:
#  - maxSkew: 2
#    topologyKey: topology.kubernetes.io/zone
#    whenUnsatisfiable: ScheduleAnyway
#    labelSelector:
#      matchLabels:
#        app.kubernetes.io/instance: cert-manager
#        app.kubernetes.io/component: controller
topologySpreadConstraints: []

# LivenessProbe settings for the controller container of the controller Pod.
#
# This is enabled by default, in order to enable the clock-skew liveness probe that
# restarts the controller in case of a skew between the system clock and the monotonic clock.
# LivenessProbe durations and thresholds are based on those used for the Kubernetes
# controller-manager. For more information see the following on the
# [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245)
# +docs:property
livenessProbe:
  enabled: true
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 15
  successThreshold: 1
  failureThreshold: 8

# enableServiceLinks indicates whether information about services should be
# injected into the pod's environment variables, matching the syntax of Docker
# links.
enableServiceLinks: false

# +docs:section=Prometheus

prometheus:
  # Enable Prometheus monitoring for the cert-manager controller and webhook.
  # If you use the Prometheus Operator, set prometheus.podmonitor.enabled or
  # prometheus.servicemonitor.enabled, to create a PodMonitor or a
  # ServiceMonitor resource.
  # Otherwise, 'prometheus.io' annotations are added to the cert-manager and
  # cert-manager-webhook Deployments.
  # Note that you cannot enable both PodMonitor and ServiceMonitor as they are
  # mutually exclusive. Enabling both will result in an error.
  enabled: true

  servicemonitor:
    # Create a ServiceMonitor to add cert-manager to Prometheus.
    enabled: false

    # The namespace that the service monitor should live in, defaults
    # to the cert-manager namespace.
    # +docs:property
    # namespace: cert-manager

    # Specifies the `prometheus` label on the created ServiceMonitor. This is
    # used when different Prometheus instances have label selectors matching
    # different ServiceMonitors.
    prometheusInstance: default

    # The target port to set on the ServiceMonitor. This must match the port that the
    # cert-manager controller is listening on for metrics.
    # +docs:type=string,integer
    targetPort: http-metrics

    # The path to scrape for metrics.
    path: /metrics

    # The interval to scrape metrics.
    interval: 60s

    # The timeout before a metrics scrape fails.
    scrapeTimeout: 30s

    # Additional labels to add to the ServiceMonitor.
    labels: {}

    # Additional annotations to add to the ServiceMonitor.
    annotations: {}

    # Keep labels from scraped data, overriding server-side labels.
    honorLabels: false

    # EndpointAdditionalProperties allows setting additional properties on the
    # endpoint such as relabelings, metricRelabelings etc.
    #
    # For example:
    #  endpointAdditionalProperties:
    #    relabelings:
    #    - action: replace
    #      sourceLabels:
    #      - __meta_kubernetes_pod_node_name
    #      targetLabel: instance
    #
    # +docs:property
    endpointAdditionalProperties: {}

  # Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.
  podmonitor:
    # Create a PodMonitor to add cert-manager to Prometheus.
    enabled: false

    # The namespace that the pod monitor should live in, defaults
    # to the cert-manager namespace.
    # +docs:property
    # namespace: cert-manager

    # Specifies the `prometheus` label on the created PodMonitor. This is
    # used when different Prometheus instances have label selectors matching
    # different PodMonitors.
    prometheusInstance: default

    # The path to scrape for metrics.
    path: /metrics

    # The interval to scrape metrics.
    interval: 60s

    # The timeout before a metrics scrape fails.
    scrapeTimeout: 30s

    # Additional labels to add to the PodMonitor.
    labels: {}

    # Additional annotations to add to the PodMonitor.
    annotations: {}

    # Keep labels from scraped data, overriding server-side labels.
    honorLabels: false

    # EndpointAdditionalProperties allows setting additional properties on the
    # endpoint such as relabelings, metricRelabelings etc.
    #
    # For example:
    #  endpointAdditionalProperties:
    #    relabelings:
    #    - action: replace
    #      sourceLabels:
    #      - __meta_kubernetes_pod_node_name
    #      targetLabel: instance
    #    # Configure the PodMonitor for TLS connections
    #    # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
    #    scheme: https
    #    tlsConfig:
    #      serverName: cert-manager-metrics
    #      ca:
    #        secret:
    #          name: cert-manager-metrics-ca
    #          key: "tls.crt"
    #
    # +docs:property
    endpointAdditionalProperties: {}

# +docs:section=Webhook

webhook:
  # Number of replicas of the cert-manager webhook to run.
  #
  # The default is 1, but in production set this to 2 or 3 to provide high
  # availability.
  #
  # If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
  replicaCount: 1

  # The number of seconds the API server should wait for the webhook to respond before treating the call as a failure.
  # The value must be between 1 and 30 seconds. For more information, see
  # [Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).
  #
  # The default is set to the maximum value of 30 seconds as
  # users sometimes report that the connection between the K8S API server and
  # the cert-manager webhook server times out.
  # If *this* timeout is reached, the error message will be "context deadline exceeded",
  # which doesn't help the user diagnose what phase of the HTTPS connection timed out.
  # For example, it could be during DNS resolution, TCP connection, TLS
  # negotiation, HTTP negotiation, or slow HTTP response from the webhook
  # server.
  # By setting this timeout to its maximum value the underlying timeout error
  # message has more chance of being returned to the end user.
  timeoutSeconds: 30

  # This is used to configure options for the webhook pod.
  # This allows setting options that would usually be provided using flags.
  #
  # If `apiVersion` and `kind` are unspecified they default to the current latest
  # version (currently `webhook.config.cert-manager.io/v1alpha1`). You can pin
  # the version by specifying the `apiVersion` yourself.
  #
  # For example:
  #  apiVersion: webhook.config.cert-manager.io/v1alpha1
  #  kind: WebhookConfiguration
  #  # The port that the webhook listens on for requests.
  #  # In GKE private clusters, by default Kubernetes apiservers are allowed to
  #  # talk to the cluster nodes only on 443 and 10250. Configuring
  #  # securePort: 10250 therefore will work out-of-the-box without needing to add firewall
  #  # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.
  #  # This should be uncommented and set as a default by the chart once
  #  # the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
  #  securePort: 10250
  #  # Configure the metrics server for TLS
  #  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
  #  metricsTLSConfig:
  #    dynamic:
  #      secretNamespace: "cert-manager"
  #      secretName: "cert-manager-metrics-ca"
  #      dnsNames:
  #      - cert-manager-metrics
  config: {}

  # The update strategy for the cert-manager webhook deployment.
  # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
  #
  # For example:
  #  strategy:
  #    type: RollingUpdate
  #    rollingUpdate:
  #      maxSurge: 0
  #      maxUnavailable: 1
  strategy: {}

  # Pod Security Context to be set on the webhook component Pod.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault

  # Container Security Context to be set on the webhook component container.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true

  podDisruptionBudget:
    # Enable or disable the PodDisruptionBudget resource.
    #
    # This prevents downtime during voluntary disruptions such as during a Node upgrade.
    # For example, the PodDisruptionBudget will block `kubectl drain`
    # if it is used on the Node where the only remaining cert-manager
    # Pod is currently running.
    enabled: false

    # This property configures the minimum available pods for disruptions. Can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # It cannot be used if `maxUnavailable` is set.
762
# +docs:property
763
# +docs:type=unknown
764
# minAvailable: 1
765
# This property configures the maximum unavailable pods for disruptions. Can either be set to
766
# an integer (e.g., 1) or a percentage value (e.g., 25%).
767
# It cannot be used if `minAvailable` is set.
768
# +docs:property
769
# +docs:type=unknown
770
# maxUnavailable: 1
771
772
# This configures how to act with unhealthy pods during eviction
773
# Note that this requires Kubernetes 1.31 or `PDBUnhealthyPodEvictionPolicy` feature gate enabled for
774
# the cluster to work.
775
# +docs:property
776
# +docs:type=string
777
# unhealthyPodEvictionPolicy: AlwaysAllow
778
779
# Optional additional annotations to add to the webhook Deployment.
780
# +docs:property
781
# deploymentAnnotations: {}
782
783
# Optional additional annotations to add to the webhook Pods.
784
# +docs:property
785
# podAnnotations: {}
786
787
# Optional additional annotations to add to the webhook Service.
788
# +docs:property
789
# serviceAnnotations: {}
790
791
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration.
792
# +docs:property
793
# mutatingWebhookConfigurationAnnotations: {}
794
795
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration.
796
# +docs:property
797
# validatingWebhookConfigurationAnnotations: {}
798
validatingWebhookConfiguration:
799
# Configure spec.namespaceSelector for validating webhooks.
800
# +docs:property
801
namespaceSelector:
802
matchExpressions:
803
- key: "cert-manager.io/disable-validation"
804
operator: "NotIn"
805
values:
806
- "true"
807
mutatingWebhookConfiguration:
808
# Configure spec.namespaceSelector for mutating webhooks.
809
# +docs:property
810
namespaceSelector: {}
811
# matchLabels:
812
# key: value
813
# matchExpressions:
814
# - key: kubernetes.io/metadata.name
815
# operator: NotIn
816
# values:
817
# - kube-system
818
# Additional command line flags to pass to cert-manager webhook binary.
819
# To see all available flags run `docker run quay.io/jetstack/cert-manager-webhook:<version> --help`.
820
extraArgs: []
821
# Path to a file containing a WebhookConfiguration object used to configure the webhook.
822
# - --config=<path-to-config-file>
823
824
# Additional environment variables to pass to cert-manager webhook binary.
825
# For example:
826
# extraEnv:
827
# - name: SOME_VAR
828
# value: 'some value'
829
extraEnv: []
830
# Comma separated list of feature gates that should be enabled on the
831
# webhook pod.
832
featureGates: ""
833
# Resources to provide to the cert-manager webhook pod.
834
#
835
# For example:
836
# requests:
837
# cpu: 10m
838
# memory: 32Mi
839
#
840
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
841
resources: {}
842
# Liveness probe values.
843
# For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
844
#
845
# +docs:property
846
livenessProbe:
847
failureThreshold: 3
848
initialDelaySeconds: 60
849
periodSeconds: 10
850
successThreshold: 1
851
timeoutSeconds: 1
852
# Readiness probe values.
853
# For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
854
#
855
# +docs:property
856
readinessProbe:
857
failureThreshold: 3
858
initialDelaySeconds: 5
859
periodSeconds: 5
860
successThreshold: 1
861
timeoutSeconds: 1
862
# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
863
# matching labels.
864
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
865
#
866
# This default ensures that Pods are only scheduled to Linux nodes.
867
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
868
# +docs:property
869
nodeSelector:
870
kubernetes.io/os: linux
871
# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
872
#
873
# For example:
874
# affinity:
875
# nodeAffinity:
876
# requiredDuringSchedulingIgnoredDuringExecution:
877
# nodeSelectorTerms:
878
# - matchExpressions:
879
# - key: foo.bar.com/role
880
# operator: In
881
# values:
882
# - master
883
affinity: {}
884
# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
885
#
886
# For example:
887
# tolerations:
888
# - key: foo.bar.com/role
889
# operator: Equal
890
# value: master
891
# effect: NoSchedule
892
tolerations: []
893
# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
894
#
895
# For example:
896
# topologySpreadConstraints:
897
# - maxSkew: 2
898
# topologyKey: topology.kubernetes.io/zone
899
# whenUnsatisfiable: ScheduleAnyway
900
# labelSelector:
901
# matchLabels:
902
# app.kubernetes.io/instance: cert-manager
903
# app.kubernetes.io/component: controller
904
topologySpreadConstraints: []
905
# Optional additional labels to add to the Webhook Pods.
906
podLabels: {}
907
# Optional additional labels to add to the Webhook Service.
908
serviceLabels: {}
909
# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
910
serviceIPFamilyPolicy: ""
911
# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
912
serviceIPFamilies: []
913
image:
914
# Deprecated: per-component registry prefix.
915
#
916
# If set, this value is *prepended* to the image repository that the chart would otherwise render.
917
# This applies both when `webhook.image.repository` is set and when the repository is computed from
918
# `imageRegistry` + `imageNamespace` + `webhook.image.name`.
919
#
920
# This can produce "double registry" style references such as `legacy.example.io/quay.io/jetstack/...`.
921
# Prefer using the global `imageRegistry`/`imageNamespace` values.
922
# +docs:property
923
# registry: ""
924
925
# The image name for the cert-manager webhook.
926
# +docs:property
927
name: cert-manager-webhook
928
# Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `webhook.image.name`).
929
# +docs:property
930
repository: chainguard-private/cert-manager-webhook
931
# Override the image tag to deploy by setting this variable.
932
# If no value is set, the chart's appVersion will be used.
933
# +docs:property
934
# tag: vX.Y.Z
935
936
# Setting a digest pins the image. If a tag is also set, the rendered reference will include
937
# both ("image:tag@digest"), though only the digest will be used for pulling.
938
# +docs:property
939
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
940
941
# Kubernetes imagePullPolicy on Deployment.
942
pullPolicy: IfNotPresent
943
registry: cgr.dev
944
tag: "1.20"
945
digest: sha256:21375a2325983993aba4e86bda0f99e53522537d54ccac6d3bcdf18418123188
946
serviceAccount:
947
# Specifies whether a service account should be created.
948
create: true
949
# The name of the service account to use.
950
# If not set and create is true, a name is generated using the fullname template.
951
# +docs:property
952
# name: ""
953
954
# Optional additional annotations to add to the webhook's Service Account.
955
# +docs:property
956
# annotations: {}
957
958
# Optional additional labels to add to the webhook's Service Account.
959
# +docs:property
960
# labels: {}
961
962
# Automount API credentials for a Service Account.
963
automountServiceAccountToken: true
964
# Automounting API credentials for a particular pod.
965
# +docs:property
966
# automountServiceAccountToken: true
967
968
# The port that the webhook listens on for requests.
969
# In GKE private clusters, by default Kubernetes apiservers are allowed to
970
# talk to the cluster nodes only on 443 and 10250. Configuring
971
# securePort: 10250, therefore will work out-of-the-box without needing to add firewall
972
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
973
securePort: 10250
974
# Specifies if the webhook should be started in hostNetwork mode.
975
#
976
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
977
# CNI (such as calico), because control-plane managed by AWS cannot communicate
978
# with pods' IP CIDR and admission webhooks are not working
979
#
980
# Since the default port for the webhook conflicts with kubelet on the host
981
# network, `webhook.securePort` should be changed to an available port if
982
# running in hostNetwork mode.
983
hostNetwork: false
984
# Specifies how the service should be handled. Useful if you want to expose the
985
# webhook outside of the cluster. In some cases, the control plane cannot
986
# reach internal services.
987
serviceType: ClusterIP
988
# Specify the load balancer IP for the created service.
989
# +docs:property
990
# loadBalancerIP: "10.10.10.10"
991
992
# Overrides the mutating webhook and validating webhook so they reach the webhook
993
# service using the `url` field instead of a service.
994
url: {}
995
# host:
996
997
# Enables default network policies for webhooks.
998
# This provides a way for you to restrict network traffic
999
# between cert-manager components and other pods.
1000
# For more information, see [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/)
1001
# NOTE: an incorrect networkPolicy will cause traffic to be dropped
1002
networkPolicy:
1003
# Create network policies for the webhooks.
1004
enabled: false
1005
# Ingress rule for the webhook network policy.
1006
# By default all pods are allowed access to:
1007
# https, http-metrics, and http-healthz ports
1008
# +docs:property
1009
ingress:
1010
- ports:
1011
- port: https
1012
protocol: TCP
1013
- port: healthcheck
1014
protocol: TCP
1015
- port: http-metrics
1016
protocol: TCP
1017
# Egress rule for the webhook network policy. By default, it allows all
1018
# outbound traffic to ports 80 and 443, as well as DNS ports.
1019
# +docs:property
1020
egress:
1021
- ports:
1022
- port: 80
1023
protocol: TCP
1024
- port: 443
1025
protocol: TCP
1026
- port: 53
1027
protocol: TCP
1028
- port: 53
1029
protocol: UDP
1030
# On OpenShift and OKD, the Kubernetes API server listens on.
1031
# port 6443.
1032
- port: 6443
1033
protocol: TCP
1034
# Additional volumes to add to the cert-manager controller pod.
1035
volumes: []
1036
# Additional volume mounts to add to the cert-manager controller container.
1037
volumeMounts: []
1038
# enableServiceLinks indicates whether information about services should be
1039
# injected into the pod's environment variables, matching the syntax of Docker
1040
# links.
1041
enableServiceLinks: false
1042
# enableClientVerification turns on client verification of requests
1043
# made to the webhook server
1044
enableClientVerification: false
1045
# the client CA file to be used for verification
1046
clientCAFile: ""
1047
# Subject names to verify for the client certificate.
1048
# Multiple values may be supplied as a comma-separated list.
1049
apiserverClientCertSubjects: ""
1050
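The comments in the `webhook:` block above state several constraints that Helm will not enforce for you (the 1..30 s range of `timeoutSeconds`, the mutual exclusion of `minAvailable` and `maxUnavailable`, the kubelet port clash when `hostNetwork` is combined with the default `securePort`, the traffic-drop warning on `networkPolicy`, and the shipped security-context hardening). The following is an added example, not part of the chart, that lints an effective webhook values block against those stated constraints; both sample value sets are constructed for illustration.

```python
"""Lint a cert-manager `webhook:` values block against the constraints stated in
the chart's own comments. Added example, not part of the chart; the sample
values below are constructed and represent the *effective* (merged) block."""

from typing import Any


def lint_webhook_values(webhook: dict[str, Any]) -> list[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: list[str] = []

    # timeoutSeconds must stay within the 1..30 range the API server accepts.
    timeout = webhook.get("timeoutSeconds", 30)
    if not isinstance(timeout, int) or not 1 <= timeout <= 30:
        findings.append(f"timeoutSeconds={timeout!r} is outside the valid range 1..30")

    # minAvailable and maxUnavailable are mutually exclusive on a PodDisruptionBudget.
    pdb = webhook.get("podDisruptionBudget", {})
    if pdb.get("enabled") and "minAvailable" in pdb and "maxUnavailable" in pdb:
        findings.append("podDisruptionBudget sets both minAvailable and maxUnavailable")

    # In hostNetwork mode the default securePort (10250) collides with the kubelet.
    if webhook.get("hostNetwork") and webhook.get("securePort", 10250) == 10250:
        findings.append("hostNetwork=true with securePort=10250 conflicts with the kubelet port")

    # A network policy with no ingress rule drops the API server's admission calls.
    netpol = webhook.get("networkPolicy", {})
    if netpol.get("enabled") and not netpol.get("ingress"):
        findings.append("networkPolicy enabled without an ingress rule: webhook traffic will be dropped")

    # Client certificate verification needs a CA bundle to verify against.
    if webhook.get("enableClientVerification") and not webhook.get("clientCAFile"):
        findings.append("enableClientVerification=true but clientCAFile is empty")

    # The pod/container security-context hardening the chart ships by default.
    ctx = webhook.get("containerSecurityContext", {})
    dropped = set(ctx.get("capabilities", {}).get("drop", []))
    if ctx.get("allowPrivilegeEscalation", True):
        findings.append("containerSecurityContext.allowPrivilegeEscalation is not false")
    if "ALL" not in dropped:
        findings.append("containerSecurityContext does not drop ALL capabilities")
    if not ctx.get("readOnlyRootFilesystem", False):
        findings.append("containerSecurityContext.readOnlyRootFilesystem is not true")
    if not webhook.get("securityContext", {}).get("runAsNonRoot", False):
        findings.append("securityContext.runAsNonRoot is not true")

    return findings


# Constructed sample: the hardened defaults shown in the webhook block above.
CHART_DEFAULTS: dict[str, Any] = {
    "timeoutSeconds": 30,
    "securePort": 10250,
    "hostNetwork": False,
    "podDisruptionBudget": {"enabled": False},
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "containerSecurityContext": {
        "allowPrivilegeEscalation": False,
        "capabilities": {"drop": ["ALL"]},
        "readOnlyRootFilesystem": True,
    },
    "networkPolicy": {"enabled": False, "ingress": [{"ports": [{"port": "https", "protocol": "TCP"}]}]},
    "enableClientVerification": False,
    "clientCAFile": "",
}

# Constructed sample: the effective block after a weakening override is merged in.
WEAK_EFFECTIVE_VALUES: dict[str, Any] = {
    "timeoutSeconds": 45,
    "hostNetwork": True,  # securePort left at the 10250 default
    "podDisruptionBudget": {"enabled": True, "minAvailable": 1, "maxUnavailable": 1},
    "securityContext": {"runAsNonRoot": False},
    "containerSecurityContext": {"allowPrivilegeEscalation": True, "capabilities": {"drop": []}},
    "networkPolicy": {"enabled": True, "ingress": []},
    "enableClientVerification": True,
    "clientCAFile": "",
}

if __name__ == "__main__":
    for label, block in (("chart defaults", CHART_DEFAULTS), ("weak override", WEAK_EFFECTIVE_VALUES)):
        results = lint_webhook_values(block)
        print(f"{label}: {len(results)} finding(s)")
        for finding in results:
            print("  -", finding)
```

To lint a real deployment, feed the function the `webhook` key of `helm get values --all <release>` parsed as YAML; the defaults above produce no findings, the weak block produces nine.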
# +docs:section=CA Injector
cainjector:
  # Create the CA Injector deployment.
  enabled: true
  # The number of replicas of the cert-manager cainjector to run.
  #
  # The default is 1, but in production set this to 2 or 3 to provide high
  # availability.
  #
  # If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`.
  #
  # Note that cert-manager uses leader election to ensure that there can
  # only be a single instance active at a time.
  replicaCount: 1
  # This is used to configure options for the cainjector pod.
  # It allows setting options that are usually provided via flags.
  #
  # If `apiVersion` and `kind` are unspecified they default to the current latest
  # version (currently `cainjector.config.cert-manager.io/v1alpha1`). You can pin
  # the version by specifying the `apiVersion` yourself.
  #
  # For example:
  # apiVersion: cainjector.config.cert-manager.io/v1alpha1
  # kind: CAInjectorConfiguration
  # logging:
  #   verbosity: 2
  #   format: text
  # leaderElectionConfig:
  #   namespace: kube-system
  # # Configure the metrics server for TLS
  # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
  # metricsTLSConfig:
  #   dynamic:
  #     secretNamespace: "cert-manager"
  #     secretName: "cert-manager-metrics-ca"
  #     dnsNames:
  #     - cert-manager-metrics
  config: {}
  # Deployment update strategy for the cert-manager cainjector deployment.
  # For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
  #
  # For example:
  # strategy:
  #   type: RollingUpdate
  #   rollingUpdate:
  #     maxSurge: 0
  #     maxUnavailable: 1
  strategy: {}
  # Pod Security Context to be set on the cainjector component Pod.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  # Container Security Context to be set on the cainjector component container.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
  # Enables default network policies for cainjector.
  # This provides a way for you to restrict network traffic
  # between cert-manager components and other pods.
  # For more information, see [Network Policies](https://kubernetes.io/docs/concepts/services-networking/network-policies/).
  # NOTE: an incorrect networkPolicy will cause traffic to be dropped.
  networkPolicy:
    # Create network policies for the cainjector.
    enabled: false
    # Ingress rule for the cainjector network policy.
    # By default all pods are allowed access to:
    # http-metrics port
    # +docs:property
    ingress:
    - ports:
      - port: http-metrics
        protocol: TCP
    # Egress rule for the cainjector network policy. By default, it allows all
    # outbound traffic to ports 80 and 443, as well as DNS ports.
    # +docs:property
    egress:
    - ports:
      - port: 80
        protocol: TCP
      - port: 443
        protocol: TCP
      - port: 53
        protocol: TCP
      - port: 53
        protocol: UDP
      # On OpenShift and OKD, the Kubernetes API server listens on
      # port 6443.
      - port: 6443
        protocol: TCP
  podDisruptionBudget:
    # Enable or disable the PodDisruptionBudget resource.
    #
    # This prevents downtime during voluntary disruptions such as during a Node upgrade.
    # For example, the PodDisruptionBudget will block `kubectl drain`
    # if it is used on the Node where the only remaining cert-manager
    # Pod is currently running.
    enabled: false
    # `minAvailable` configures the minimum available pods for disruptions. It can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # Cannot be used if `maxUnavailable` is set.
    # +docs:property
    # +docs:type=unknown
    # minAvailable: 1
    # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
    # an integer (e.g., 1) or a percentage value (e.g., 25%).
    # Cannot be used if `minAvailable` is set.
    # +docs:property
    # +docs:type=unknown
    # maxUnavailable: 1

    # This configures how to act on unhealthy pods during eviction.
    # Note that this requires Kubernetes 1.31, or the `PDBUnhealthyPodEvictionPolicy` feature gate
    # to be enabled for the cluster, to work.
    # +docs:property
    # +docs:type=string
    # unhealthyPodEvictionPolicy: AlwaysAllow

  # Optional additional annotations to add to the cainjector Deployment.
  # +docs:property
  # deploymentAnnotations: {}

  # Optional additional annotations to add to the cainjector Pods.
  # +docs:property
  # podAnnotations: {}

  # Optional additional annotations to add to the cainjector metrics Service.
  # +docs:property
  # serviceAnnotations: {}

  # Additional command line flags to pass to the cert-manager cainjector binary.
  # To see all available flags run `docker run quay.io/jetstack/cert-manager-cainjector:<version> --help`.
  extraArgs: []
  # Enable profiling for cainjector.
  # - --enable-profiling=true

  # Additional environment variables to pass to the cert-manager cainjector binary.
  # For example:
  # extraEnv:
  # - name: SOME_VAR
  #   value: 'some value'
  extraEnv: []
  # Comma separated list of feature gates that should be enabled on the
  # cainjector pod.
  featureGates: ""
  # Resources to provide to the cert-manager cainjector pod.
  #
  # For example:
  #  requests:
  #    cpu: 10m
  #    memory: 32Mi
  #
  # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
  resources: {}
  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
  # matching labels.
  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
  #
  # This default ensures that Pods are only scheduled to Linux nodes.
  # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
  # +docs:property
  nodeSelector:
    kubernetes.io/os: linux
  # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
  #
  # For example:
  # affinity:
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #       - matchExpressions:
  #         - key: foo.bar.com/role
  #           operator: In
  #           values:
  #           - master
  affinity: {}
  # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
  #
  # For example:
  # tolerations:
  # - key: foo.bar.com/role
  #   operator: Equal
  #   value: master
  #   effect: NoSchedule
  tolerations: []
  # A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
  #
  # For example:
  # topologySpreadConstraints:
  # - maxSkew: 2
  #   topologyKey: topology.kubernetes.io/zone
  #   whenUnsatisfiable: ScheduleAnyway
  #   labelSelector:
  #     matchLabels:
  #       app.kubernetes.io/instance: cert-manager
  #       app.kubernetes.io/component: controller
  topologySpreadConstraints: []
  # Optional additional labels to add to the CA Injector Pods.
  podLabels: {}
  # Optional additional labels to add to the CA Injector metrics Service.
  serviceLabels: {}
  image:
    # Deprecated: per-component registry prefix.
    #
    # If set, this value is *prepended* to the image repository that the chart would otherwise render.
    # This applies both when `cainjector.image.repository` is set and when the repository is computed from
    # `imageRegistry` + `imageNamespace` + `cainjector.image.name`.
    #
    # This can produce "double registry" style references such as `legacy.example.io/quay.io/jetstack/...`.
    # Prefer using the global `imageRegistry`/`imageNamespace` values.
    # +docs:property
    # registry: ""

    # The image name for the cert-manager cainjector.
    # +docs:property
    name: cert-manager-cainjector
    # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `cainjector.image.name`).
    # +docs:property
    repository: chainguard-private/cert-manager-cainjector
    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion will be used.
    # +docs:property
    # tag: vX.Y.Z

    # Setting a digest pins the image. If a tag is also set, the rendered reference will include
    # both ("image:tag@digest"), though only the digest will be used for pulling.
    # +docs:property
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    # Kubernetes imagePullPolicy on Deployment.
    pullPolicy: IfNotPresent
    registry: cgr.dev
    tag: "1.20"
    digest: sha256:d0224a8cf274a5966b4375e501c873fc77d1124d87b225682eefc29b5ff3a9a2
  serviceAccount:
    # Specifies whether a service account should be created.
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template.
    # +docs:property
    # name: ""

    # Optional additional annotations to add to the cainjector's Service Account.
    # +docs:property
    # annotations: {}

    # Optional additional labels to add to the cainjector's Service Account.
    # +docs:property
    # labels: {}

    # Automount API credentials for a Service Account.
    automountServiceAccountToken: true
  # Automounting API credentials for a particular pod.
  # +docs:property
  # automountServiceAccountToken: true

  # Additional volumes to add to the cert-manager cainjector pod.
  volumes: []
  # Additional volume mounts to add to the cert-manager cainjector container.
  volumeMounts: []
  # enableServiceLinks indicates whether information about services should be
  # injected into the pod's environment variables, matching the syntax of Docker
  # links.
  enableServiceLinks: false
# +docs:section=ACME Solver
acmesolver:
  image:
    # Deprecated: per-component registry prefix.
    #
    # If set, this value is *prepended* to the image repository that the chart would otherwise render.
    # This applies both when `acmesolver.image.repository` is set and when the repository is computed from
    # `imageRegistry` + `imageNamespace` + `acmesolver.image.name`.
    #
    # This can produce "double registry" style references such as `legacy.example.io/quay.io/jetstack/...`.
    # Prefer using the global `imageRegistry`/`imageNamespace` values.
    # +docs:property
    # registry: ""

    # The image name for the cert-manager acmesolver.
    # +docs:property
    name: cert-manager-acmesolver
    # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `acmesolver.image.name`).
    # +docs:property
    repository: chainguard-private/cert-manager-acmesolver
    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion is used.
    # +docs:property
    # tag: vX.Y.Z

    # Setting a digest pins the image. If a tag is also set, the rendered reference will include
    # both ("image:tag@digest"), though only the digest will be used for pulling.
    # +docs:property
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    # Kubernetes imagePullPolicy on Deployment.
    pullPolicy: IfNotPresent
    registry: cgr.dev
    tag: "1.20"
    digest: sha256:285fc11b9235f2315df40a495f28980343fe3493f8cae734973478af9048111f
# +docs:section=Startup API Check
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job - if you are injecting mesh
# sidecar proxies into cert-manager pods, ensure that they
# are not injected into this Job's pod. Otherwise, the installation may time out
# owing to the Job never being completed because the sidecar proxy does not exit.
# For more information, see [this note](https://github.com/cert-manager/cert-manager/pull/4414).
startupapicheck:
  # Enables the startup API check.
  enabled: true
  # Pod Security Context to be set on the startupapicheck component Pod.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  # Container Security Context to be set on the startupapicheck component container.
  # For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
  # +docs:property
  containerSecurityContext:
    allowPrivilegeEscalation: false
    capabilities:
      drop:
      - ALL
    readOnlyRootFilesystem: true
  # Timeout for the 'kubectl check api' command.
  timeout: 1m
  # Job backoffLimit.
  backoffLimit: 4
  # Optional additional annotations to add to the startupapicheck Job.
  # +docs:property
  jobAnnotations:
    helm.sh/hook: post-install
    helm.sh/hook-weight: "1"
    helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  # Optional additional annotations to add to the startupapicheck Pods.
  # +docs:property
  # podAnnotations: {}

  # Additional command line flags to pass to the startupapicheck binary.
  # To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.
  #
  # Verbose logging is enabled by default so that if startupapicheck fails, you
  # can know what exactly caused the failure. Verbose logs include details of
  # the webhook URL, IP address and TCP connect errors for example.
  # +docs:property
  extraArgs:
  - -v
  # Additional environment variables to pass to the cert-manager startupapicheck binary.
  # For example:
  # extraEnv:
  # - name: SOME_VAR
  #   value: 'some value'
  extraEnv: []
  # Resources to provide to the cert-manager startupapicheck pod.
  #
  # For example:
  #  requests:
  #    cpu: 10m
  #    memory: 32Mi
  #
  # For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
  resources: {}
  # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
  # matching labels.
  # For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
  #
  # This default ensures that Pods are only scheduled to Linux nodes.
  # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
  # +docs:property
  nodeSelector:
    kubernetes.io/os: linux
  # A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
  # For example:
  # affinity:
  #   nodeAffinity:
  #     requiredDuringSchedulingIgnoredDuringExecution:
  #       nodeSelectorTerms:
  #       - matchExpressions:
  #         - key: foo.bar.com/role
  #           operator: In
  #           values:
  #           - master
  affinity: {}
  # A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
  #
  # For example:
  # tolerations:
  # - key: foo.bar.com/role
  #   operator: Equal
  #   value: master
  #   effect: NoSchedule
  tolerations: []
  # Optional additional labels to add to the startupapicheck Pods.
  podLabels: {}
  image:
    # Deprecated: per-component registry prefix.
    #
    # If set, this value is *prepended* to the image repository that the chart would otherwise render.
    # This applies both when `startupapicheck.image.repository` is set and when the repository is computed from
    # `imageRegistry` + `imageNamespace` + `startupapicheck.image.name`.
    #
    # This can produce "double registry" style references such as `legacy.example.io/quay.io/jetstack/...`.
    # Prefer using the global `imageRegistry`/`imageNamespace` values.
    # +docs:property
    # registry: ""

    # The image name for the cert-manager startupapicheck.
    # +docs:property
    name: cert-manager-startupapicheck
    # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`, and `startupapicheck.image.name`).
    # +docs:property
    repository: chainguard-private/cert-manager-startupapicheck
    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion is used.
    # +docs:property
    # tag: vX.Y.Z

    # Setting a digest pins the image. If a tag is also set, the rendered reference will include
    # both ("image:tag@digest"), though only the digest will be used for pulling.
    # +docs:property
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    # Kubernetes imagePullPolicy on Deployment.
    pullPolicy: IfNotPresent
    registry: cgr.dev
    tag: "1.20"
    digest: sha256:c1515e7b67160c8a4ab58644436911cb7da2c86ae795848a32e33c4c06080a4e
  rbac:
    # Annotations for the startup API check Job RBAC and PSP resources.
    # +docs:property
    annotations:
      helm.sh/hook: post-install
      helm.sh/hook-weight: "-5"
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
  # Automounting API credentials for a particular pod.
  # +docs:property
  # automountServiceAccountToken: true
  serviceAccount:
    # Specifies whether a service account should be created.
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template.
    # +docs:property
    # name: ""

    # Optional additional annotations to add to the Job's Service Account.
    # +docs:property
    annotations:
      helm.sh/hook: post-install
      helm.sh/hook-weight: "-5"
      helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
    # Automount API credentials for a Service Account.
    # +docs:property
    automountServiceAccountToken: true
    # Optional additional labels to add to the startupapicheck's Service Account.
    # +docs:property
    # labels: {}
  # Additional volumes to add to the cert-manager startupapicheck pod.
  volumes: []
  # Additional volume mounts to add to the cert-manager startupapicheck container.
  volumeMounts: []
  # enableServiceLinks indicates whether information about services should be
  # injected into the pod's environment variables, matching the syntax of Docker
  # links.
  enableServiceLinks: false
# Create dynamic manifests via values.
1525
#
1526
# For example:
1527
# extraObjects:
1528
# - |
1529
# apiVersion: v1
1530
# kind: ConfigMap
1531
# metadata:
1532
# name: '{{ template "cert-manager.fullname" . }}-extra-configmap'
1533
extraObjects: []
1534
# Field used by our release pipeline to produce the static manifests.
1535
# The field defaults to "helm" but is set to "static" when we render
1536
# the static YAML manifests.
1537
# +docs:hidden
1538
creator: "helm"
1539
# Field that can be used as a condition when cert-manager is a dependency.
1540
# This definition is only here as a placeholder such that it is included in
1541
# the json schema.
1542
# See https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags
1543
# for more info.
1544
# +docs:hidden
1545
enabled: true
1546
