| Property | -Description | -Type | -Default | -
|---|---|---|---|
| global.imagePullSecrets | -- -Reference to one or more secrets to be used when pulling images - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ -``` - +Reference to one or more secrets to be used when pulling images +ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + For example: ```yaml imagePullSecrets: - name: "image-pull-secret" ``` - - | -array | -- -```yaml -[] -``` - - | -
| global.commonLabels | -+#### **global.commonLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Labels to apply to all resources -Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress - -```yaml -ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress -``` - -eg. secretTemplate in CertificateSpec - -```yaml -ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec -``` - - | -object | -- -```yaml -{} -``` - - | -
| global.revisionHistoryLimit | -+Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress +eg. secretTemplate in CertificateSpec + ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec +#### **global.revisionHistoryLimit** ~ `number` The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) - - | -number | -- -```yaml -undefined -``` - - | -
| global.priorityClassName | -+#### **global.priorityClassName** ~ `string` +> Default value: +> ```yaml +> "" +> ``` Optional priority class to be used for the cert-manager pods - - | -string | -- -```yaml -"" -``` - - | -
| global.rbac.create | -+#### **global.rbac.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Create required ClusterRoles and ClusterRoleBindings for cert-manager - - | -bool | -- -```yaml -true -``` - - | -
| global.rbac.aggregateClusterRoles | -+#### **global.rbac.aggregateClusterRoles** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles - - | -bool | -- -```yaml -true -``` - - | -
| global.podSecurityPolicy.enabled | -+#### **global.podSecurityPolicy.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Create PodSecurityPolicy for cert-manager NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 - - | -bool | -- -```yaml -false -``` - - | -
| global.podSecurityPolicy.useAppArmor | -+#### **global.podSecurityPolicy.useAppArmor** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Configure the PodSecurityPolicy to use AppArmor - - | -bool | -- -```yaml -true -``` - - | -
| global.logLevel | -+#### **global.logLevel** ~ `number` +> Default value: +> ```yaml +> 2 +> ``` Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. - - | -number | -- -```yaml -2 -``` - - | -
| global.leaderElection.namespace | -+#### **global.leaderElection.namespace** ~ `string` +> Default value: +> ```yaml +> kube-system +> ``` Override the namespace used for the leader election lease - - | -string | -- -```yaml -kube-system -``` - - | -
| global.leaderElection.leaseDuration | -+#### **global.leaderElection.leaseDuration** ~ `string` The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. - - | -string | -- -```yaml -undefined -``` - - | -
| global.leaderElection.renewDeadline | -+#### **global.leaderElection.renewDeadline** ~ `string` The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. - - | -string | -- -```yaml -undefined -``` - - | -
| global.leaderElection.retryPeriod | -+#### **global.leaderElection.retryPeriod** ~ `string` The duration the clients should wait between attempting acquisition and renewal of a leadership. - - | -string | -- -```yaml -undefined -``` - - | -
| installCRDs | -+#### **installCRDs** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs - - | -bool | -- -```yaml -false -``` - - | -
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| replicaCount | -+#### **replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` Number of replicas of the cert-manager controller to run. The default is 1, but in production you should set this to 2 or 3 to provide high availability. -If `replicas > 1` you should also consider setting podDisruptionBudget.enabled=true. +If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - | -number | -- -```yaml -1 -``` - - | -
| strategy | -+#### **strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Deployment update strategy for the cert-manager controller deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy @@ -313,323 +134,124 @@ strategy: maxSurge: 0 maxUnavailable: 1 ``` - - | -object | -- -```yaml -{} -``` - - | -
| podDisruptionBudget.enabled | -+#### **podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Enable or disable the PodDisruptionBudget resource This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager Pod is currently running. - - | -bool | -- -```yaml -false -``` - - | -
| podDisruptionBudget.minAvailable | -+#### **podDisruptionBudget.minAvailable** ~ `number` Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). Cannot be used if `maxUnavailable` is set. - - | -number | -- -```yaml -undefined -``` - - | -
| podDisruptionBudget.maxUnavailable | -+#### **podDisruptionBudget.maxUnavailable** ~ `number` Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). Cannot be used if `minAvailable` is set. - - | -number | -- -```yaml -undefined -``` - - | -
| featureGates | -+#### **featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` Comma separated list of feature gates that should be enabled on the controller pod. - - | -string | -- -```yaml -"" -``` - - | -
| maxConcurrentChallenges | -+#### **maxConcurrentChallenges** ~ `number` +> Default value: +> ```yaml +> 60 +> ``` The maximum number of challenges that can be scheduled as 'processing' at once - - | -number | -- -```yaml -60 -``` - - | -
| image.registry | -+#### **image.registry** ~ `string` The container registry to pull the manager image from - - | -string | -- -```yaml -undefined -``` - - | -
| image.repository | -+#### **image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-controller +> ``` The container image for the cert-manager controller - - | -string | -- -```yaml -quay.io/jetstack/cert-manager-controller -``` - - | -
| image.tag | -+#### **image.tag** ~ `string` Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - | -string | -- -```yaml -undefined -``` - - | -
| image.digest | -+#### **image.digest** ~ `string` Setting a digest will override any tag - - | -string | -- -```yaml -undefined -``` - - | -
| image.pullPolicy | -+#### **image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` Kubernetes imagePullPolicy on Deployment. - - | -string | -- -```yaml -IfNotPresent -``` - - | -
| clusterResourceNamespace | -+#### **clusterResourceNamespace** ~ `string` +> Default value: +> ```yaml +> "" +> ``` Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. - - | -string | -- -```yaml -"" -``` - - | -
| namespace | -+#### **namespace** ~ `string` +> Default value: +> ```yaml +> "" +> ``` This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart) - - | -string | -- -```yaml -"" -``` - - | -
| serviceAccount.create | -+#### **serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Specifies whether a service account should be created - - | -bool | -- -```yaml -true -``` - - | -
| serviceAccount.name | -+#### **serviceAccount.name** ~ `string` The name of the service account to use. If not set and create is true, a name is generated using the fullname template - - | -string | -- -```yaml -undefined -``` - - | -
| serviceAccount.annotations | -+#### **serviceAccount.annotations** ~ `object` Optional additional annotations to add to the controller's ServiceAccount - - | -object | -- -```yaml -undefined -``` - - | -
| serviceAccount.labels | -+#### **serviceAccount.labels** ~ `object` Optional additional labels to add to the controller's ServiceAccount - - | -object | -- -```yaml -undefined -``` - - | -
| serviceAccount.automountServiceAccountToken | -+#### **serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Automount API credentials for a Service Account. +#### **automountServiceAccountToken** ~ `bool` - | -bool | -- -```yaml -true -``` +Automounting API credentials for a particular pod - | -
| enableCertificateOwnerRef | -+#### **enableCertificateOwnerRef** ~ `bool` +> Default value: +> ```yaml +> false +> ``` When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted - - | -bool | -- -```yaml -false -``` - - | -
| config | -+#### **config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Used to configure options for the controller pod. This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. @@ -669,52 +291,25 @@ config: - cert-manager-metrics.cert-manager - cert-manager-metrics.cert-manager.svc ``` - - | -object | -- -```yaml -{} -``` - - | -
| dns01RecursiveNameservers | -+#### **dns01RecursiveNameservers** ~ `string` +> Default value: +> ```yaml +> "" +> ``` Comma separated string with host and port of the recursive nameservers cert-manager should query - - | -string | -- -```yaml -"" -``` - - | -
| dns01RecursiveNameserversOnly | -+#### **dns01RecursiveNameserversOnly** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers - - | -bool | -- -```yaml -false -``` - - | -
| extraArgs | -
+#### **extraArgs** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller: |
-array | -- -```yaml -[] -``` - - | -
| extraEnv | -+#### **extraEnv** ~ `array` +> Default value: +> ```yaml +> [] +> ``` Additional environment variables to pass to cert-manager controller binary. - - | -array | -- -```yaml -[] -``` - - | -
| resources | -+#### **resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Resources to provide to the cert-manager controller pod @@ -767,305 +344,121 @@ requests: memory: 32Mi ``` - - -```yaml ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -``` +#### **securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - | -object | -+#### **containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -```yaml -{} -``` +#### **volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` - | -
| securityContext | -+Additional volumes to add to the cert-manager controller pod. +#### **volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` -Pod Security Context +Additional volume mounts to add to the cert-manager controller container. +#### **deploymentAnnotations** ~ `object` -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` +Optional additional annotations to add to the controller Deployment + +#### **podAnnotations** ~ `object` +Optional additional annotations to add to the controller Pods - | -object | -+#### **podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` -```yaml -runAsNonRoot: true -seccompProfile: - type: RuntimeDefault -``` +Optional additional labels to add to the controller Pods +#### **serviceAnnotations** ~ `object` - | -
| containerSecurityContext | -+Optional annotations to add to the controller Service -Container Security Context to be set on the controller component container +#### **serviceLabels** ~ `object` -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` +Optional additional labels to add to the controller Service +#### **podDnsPolicy** ~ `string` - | -object | -+Pod DNS policy +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -```yaml -allowPrivilegeEscalation: false -capabilities: - drop: - - ALL -readOnlyRootFilesystem: true -``` +#### **podDnsConfig** ~ `object` - | -
| volumes | -+Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config -Additional volumes to add to the cert-manager controller pod. +#### **nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` - | -array | -+The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. -```yaml -[] -``` +#### **ingressShim.defaultIssuerName** ~ `string` - | -
| volumeMounts | -+Optional default issuer to use for ingress resources -Additional volume mounts to add to the cert-manager controller container. +#### **ingressShim.defaultIssuerKind** ~ `string` - | -array | -+Optional default issuer kind to use for ingress resources -```yaml -[] -``` +#### **ingressShim.defaultIssuerGroup** ~ `string` - | -
| deploymentAnnotations | -+Optional default issuer group to use for ingress resources -Optional additional annotations to add to the controller Deployment +#### **http_proxy** ~ `string` +Configures the HTTP_PROXY environment variable for where a HTTP proxy is required - | -object | -+#### **https_proxy** ~ `string` -```yaml -undefined -``` +Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required - | -
| podAnnotations | -+#### **no_proxy** ~ `string` -Optional additional annotations to add to the controller Pods +Configures the NO_PROXY environment variable for where a HTTP proxy is required, but certain domains should be excluded +#### **affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` - | -object | -- -```yaml -undefined -``` - - | -
| podLabels | -- -Optional additional labels to add to the controller Pods - - | -object | -- -```yaml -{} -``` - - | -
| serviceAnnotations | -- -Optional annotations to add to the controller Service - - - | -object | -- -```yaml -undefined -``` - - | -
| serviceLabels | -- -Optional additional labels to add to the controller Service - - - | -object | -- -```yaml -undefined -``` - - | -
| podDnsPolicy | -- -Pod DNS policy - -```yaml -ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy -``` - - - | -string | -- -```yaml -undefined -``` - - | -
| podDnsConfig | -- -Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. - -```yaml -ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config -``` - - - | -object | -- -```yaml -undefined -``` - - | -
| nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -- -```yaml -kubernetes.io/os: linux -``` - - | -
| ingressShim.defaultIssuerName | -- -Optional default issuer to use for ingress resources - - - | -string | -- -```yaml -undefined -``` - - | -
| ingressShim.defaultIssuerKind | -- -Optional default issuer kind to use for ingress resources - - - | -string | -- -```yaml -undefined -``` - - | -
| ingressShim.defaultIssuerGroup | -- -Optional default issuer group to use for ingress resources - - - | -string | -- -```yaml -undefined -``` - - | -
| affinity | -- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -For example: +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: ```yaml affinity: @@ -1078,20 +471,11 @@ affinity: values: - master ``` - - | -object | -- -```yaml -{} -``` - - | -
| tolerations | -+#### **tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core @@ -1104,20 +488,11 @@ tolerations: value: master effect: NoSchedule ``` - - | -array | -- -```yaml -[] -``` - - | -
| topologySpreadConstraints | -+#### **topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core @@ -1133,222 +508,105 @@ topologySpreadConstraints: app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: controller ``` - - | -array | -- -```yaml -[] -``` - - | -
| livenessProbe | -+#### **livenessProbe** ~ `object` +> Default value: +> ```yaml +> enabled: true +> failureThreshold: 8 +> initialDelaySeconds: 10 +> periodSeconds: 10 +> successThreshold: 1 +> timeoutSeconds: 15 +> ``` LivenessProbe settings for the controller container of the controller Pod. Enabled by default, because we want to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. See: https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 - - | -object | -- -```yaml -enabled: true -failureThreshold: 8 -initialDelaySeconds: 10 -periodSeconds: 10 -successThreshold: 1 -timeoutSeconds: 15 -``` - - | -
| enableServiceLinks | -+#### **enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -- -```yaml -false -``` - - | -
| prometheus.enabled | -+#### **prometheus.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Enable prometheus monitoring for the cert-manager controller, to use with. Prometheus Operator either `prometheus.servicemonitor.enabled` or `prometheus.podmonitor.enabled` can be used to create a ServiceMonitor/PodMonitor resource - - | -bool | -- -```yaml -true -``` - - | -
| prometheus.servicemonitor.enabled | -+#### **prometheus.servicemonitor.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Create a ServiceMonitor to add cert-manager to Prometheus - - | -bool | -- -```yaml -false -``` - - | -
| prometheus.servicemonitor.prometheusInstance | -+#### **prometheus.servicemonitor.prometheusInstance** ~ `string` +> Default value: +> ```yaml +> default +> ``` Specifies the `prometheus` label on the created ServiceMonitor, this is used when different Prometheus instances have label selectors matching different ServiceMonitors. - - | -string | -- -```yaml -default -``` - - | -
| prometheus.servicemonitor.targetPort | -+#### **prometheus.servicemonitor.targetPort** ~ `number` +> Default value: +> ```yaml +> 9402 +> ``` The target port to set on the ServiceMonitor, should match the port that cert-manager controller is listening on for metrics - - | -number | -- -```yaml -9402 -``` - - | -
| prometheus.servicemonitor.path | -+#### **prometheus.servicemonitor.path** ~ `string` +> Default value: +> ```yaml +> /metrics +> ``` The path to scrape for metrics - - | -string | -- -```yaml -/metrics -``` - - | -
| prometheus.servicemonitor.interval | -+#### **prometheus.servicemonitor.interval** ~ `string` +> Default value: +> ```yaml +> 60s +> ``` The interval to scrape metrics - - | -string | -- -```yaml -60s -``` - - | -
| prometheus.servicemonitor.scrapeTimeout | -+#### **prometheus.servicemonitor.scrapeTimeout** ~ `string` +> Default value: +> ```yaml +> 30s +> ``` The timeout before a metrics scrape fails - - | -string | -- -```yaml -30s -``` - - | -
| prometheus.servicemonitor.labels | -+#### **prometheus.servicemonitor.labels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Additional labels to add to the ServiceMonitor - - | -object | -- -```yaml -{} -``` - - | -
| prometheus.servicemonitor.annotations | -+#### **prometheus.servicemonitor.annotations** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Additional annotations to add to the ServiceMonitor - - | -object | -- -```yaml -{} -``` - - | -
| prometheus.servicemonitor.honorLabels | -+#### **prometheus.servicemonitor.honorLabels** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Keep labels from scraped data, overriding server-side labels. - - | -bool | -- -```yaml -false -``` - - | -
| prometheus.servicemonitor.endpointAdditionalProperties | -+#### **prometheus.servicemonitor.endpointAdditionalProperties** ~ `object` +> Default value: +> ```yaml +> {} +> ``` EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. @@ -1365,148 +623,67 @@ endpointAdditionalProperties: - - | -object | -- -```yaml -{} -``` - - | -
| prometheus.podmonitor.enabled | -+#### **prometheus.podmonitor.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Create a PodMonitor to add cert-manager to Prometheus - - | -bool | -- -```yaml -false -``` - - | -
| prometheus.podmonitor.prometheusInstance | -+#### **prometheus.podmonitor.prometheusInstance** ~ `string` +> Default value: +> ```yaml +> default +> ``` Specifies the `prometheus` label on the created PodMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor. - - | -string | -- -```yaml -default -``` - - | -
| prometheus.podmonitor.path | -+#### **prometheus.podmonitor.path** ~ `string` +> Default value: +> ```yaml +> /metrics +> ``` The path to scrape for metrics - - | -string | -- -```yaml -/metrics -``` - - | -
| prometheus.podmonitor.interval | -+#### **prometheus.podmonitor.interval** ~ `string` +> Default value: +> ```yaml +> 60s +> ``` The interval to scrape metrics - - | -string | -- -```yaml -60s -``` - - | -
| prometheus.podmonitor.scrapeTimeout | -+#### **prometheus.podmonitor.scrapeTimeout** ~ `string` +> Default value: +> ```yaml +> 30s +> ``` The timeout before a metrics scrape fails - - | -string | -- -```yaml -30s -``` - - | -
| prometheus.podmonitor.labels | -+#### **prometheus.podmonitor.labels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Additional labels to add to the PodMonitor - - | -object | -- -```yaml -{} -``` - - | -
| prometheus.podmonitor.annotations | -+#### **prometheus.podmonitor.annotations** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Additional annotations to add to the PodMonitor - - | -object | -- -```yaml -{} -``` - - | -
| prometheus.podmonitor.honorLabels | -+#### **prometheus.podmonitor.honorLabels** ~ `bool` +> Default value: +> ```yaml +> false +> ``` Keep labels from scraped data, overriding server-side labels. - - | -bool | -- -```yaml -false -``` - - | -
| prometheus.podmonitor.endpointAdditionalProperties | -+#### **prometheus.podmonitor.endpointAdditionalProperties** ~ `object` +> Default value: +> ```yaml +> {} +> ``` EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. @@ -1523,72 +700,35 @@ endpointAdditionalProperties: - - | -object | -- -```yaml -{} -``` - - | -
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| webhook.replicaCount | -+#### **webhook.replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` Number of replicas of the cert-manager webhook to run. The default is 1, but in production you should set this to 2 or 3 to provide high availability. -If `replicas > 1` you should also consider setting webhook.podDisruptionBudget.enabled=true. - - | -number | -- -```yaml -1 -``` - - | -
| webhook.timeoutSeconds | -+If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. +#### **webhook.timeoutSeconds** ~ `number` +> Default value: +> ```yaml +> 30 +> ``` Seconds the API server should wait for the webhook to respond before treating the call as a failure. Value must be between 1 and 30 seconds. See: https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. - - | -number | -- -```yaml -30 -``` - - | -
| webhook.config | -+#### **webhook.config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Used to configure options for the webhook pod. This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. @@ -1608,20 +748,11 @@ kind: WebhookConfiguration # the apiVersion of WebhookConfiguration past v1alpha1. securePort: 10250 ``` - - | -object | -- -```yaml -{} -``` - - | -
| webhook.strategy | -+#### **webhook.strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy @@ -1634,343 +765,520 @@ strategy: maxSurge: 0 maxUnavailable: 1 ``` +#### **webhook.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` - | -object | -+Pod Security Context to be set on the webhook component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -```yaml -{} -``` +#### **webhook.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the webhook component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - | -
| webhook.securityContext | -+#### **webhook.podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` -Pod Security Context to be set on the webhook component Pod +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **webhook.podDisruptionBudget.minAvailable** ~ `number` -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. +#### **webhook.podDisruptionBudget.maxUnavailable** ~ `number` - | -object | -+Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. -```yaml -runAsNonRoot: true -seccompProfile: - type: RuntimeDefault -``` +#### **webhook.deploymentAnnotations** ~ `object` - | -
| webhook.containerSecurityContext | -+Optional additional annotations to add to the webhook Deployment -Container Security Context to be set on the webhook component container +#### **webhook.podAnnotations** ~ `object` -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` +Optional additional annotations to add to the webhook Pods +#### **webhook.serviceAnnotations** ~ `object` - | -object | -+Optional additional annotations to add to the webhook Service -```yaml -allowPrivilegeEscalation: false -capabilities: - drop: - - ALL -readOnlyRootFilesystem: true -``` +#### **webhook.mutatingWebhookConfigurationAnnotations** ~ `object` - | -
| webhook.podDisruptionBudget.enabled | -
+Optional additional annotations to add to the webhook MutatingWebhookConfiguration
-Enable or disable the PodDisruptionBudget resource
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
-Pod is currently running.
+#### **webhook.validatingWebhookConfigurationAnnotations** ~ `object`
+
+Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
+
+#### **webhook.extraArgs** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+
+Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: |
-bool | -+Comma separated list of feature gates that should be enabled on the webhook pod. +#### **webhook.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager webhook pod + +For example: ```yaml -false +requests: + cpu: 10m + memory: 32Mi ``` - | -
| webhook.podDisruptionBudget.minAvailable | -+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **webhook.livenessProbe** ~ `object` +> Default value: +> ```yaml +> failureThreshold: 3 +> initialDelaySeconds: 60 +> periodSeconds: 10 +> successThreshold: 1 +> timeoutSeconds: 1 +> ``` + +Liveness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes -Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `maxUnavailable` is set. +#### **webhook.readinessProbe** ~ `object` +> Default value: +> ```yaml +> failureThreshold: 3 +> initialDelaySeconds: 5 +> periodSeconds: 5 +> successThreshold: 1 +> timeoutSeconds: 1 +> ``` + +Readiness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + +#### **webhook.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. +#### **webhook.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` - | -number | -+A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: ```yaml -undefined +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master ``` +#### **webhook.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` - | -
| webhook.podDisruptionBudget.maxUnavailable | -- -Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `minAvailable` is set. +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **webhook.topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` - | -number | -+A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: ```yaml -undefined +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller ``` +#### **webhook.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` - | -
| webhook.deploymentAnnotations | -+Optional additional labels to add to the Webhook Pods +#### **webhook.serviceLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` -Optional additional annotations to add to the webhook Deployment +Optional additional labels to add to the Webhook Service +#### **webhook.image.registry** ~ `string` +The container registry to pull the webhook image from - | -object | -+#### **webhook.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-webhook +> ``` -```yaml -undefined -``` +The container image for the cert-manager webhook - | -
| webhook.podAnnotations | -+#### **webhook.image.tag** ~ `string` -Optional additional annotations to add to the webhook Pods +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. +#### **webhook.image.digest** ~ `string` - | -object | -+Setting a digest will override any tag -```yaml -undefined -``` +#### **webhook.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` - | -
| webhook.serviceAnnotations | -+Kubernetes imagePullPolicy on Deployment. +#### **webhook.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` -Optional additional annotations to add to the webhook Service +Specifies whether a service account should be created +#### **webhook.serviceAccount.name** ~ `string` +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template - | -object | -+#### **webhook.serviceAccount.annotations** ~ `object` -```yaml -undefined -``` +Optional additional annotations to add to the controller's ServiceAccount - | -
| webhook.mutatingWebhookConfigurationAnnotations | -+#### **webhook.serviceAccount.labels** ~ `object` -Optional additional annotations to add to the webhook MutatingWebhookConfiguration +Optional additional labels to add to the webhook's ServiceAccount +#### **webhook.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` - | -object | -+Automount API credentials for a Service Account. +#### **webhook.automountServiceAccountToken** ~ `bool` -```yaml -undefined -``` +Automounting API credentials for a particular pod - | -
| webhook.validatingWebhookConfigurationAnnotations | -+#### **webhook.securePort** ~ `number` +> Default value: +> ```yaml +> 10250 +> ``` -Optional additional annotations to add to the webhook ValidatingWebhookConfiguration +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 +#### **webhook.hostNetwork** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. +#### **webhook.serviceType** ~ `string` +> Default value: +> ```yaml +> ClusterIP +> ``` +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. +#### **webhook.loadBalancerIP** ~ `string` - | -object | -+Specify the load balancer IP for the created service -```yaml -undefined -``` +#### **webhook.url** ~ `object` +> Default value: +> ```yaml +> {} +> ``` - | -
| webhook.extraArgs | -
+Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service.
+#### **webhook.networkPolicy.enabled** ~ `bool`
+> Default value:
+> ```yaml
+> false
+> ```
-Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: |
-array | -+Ingress rule for the webhook network policy, by default will allow all inbound traffic -```yaml -[] -``` +#### **webhook.networkPolicy.egress** ~ `array` +> Default value: +> ```yaml +> - ports: +> - port: 80 +> protocol: TCP +> - port: 443 +> protocol: TCP +> - port: 53 +> protocol: TCP +> - port: 53 +> protocol: UDP +> - port: 6443 +> protocol: TCP +> to: +> - ipBlock: +> cidr: 0.0.0.0/0 +> ``` - | -
| webhook.featureGates | -+Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports -Comma separated list of feature gates that should be enabled on the webhook pod. +#### **webhook.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` - | -string | -+Additional volumes to add to the cert-manager controller pod. +#### **webhook.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` -```yaml -"" -``` +Additional volume mounts to add to the cert-manager controller container. +#### **webhook.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` - | -
| webhook.resources | -+enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +### CA Injector -Resources to provide to the cert-manager webhook pod - -For example: +#### **cainjector.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` -```yaml -requests: - cpu: 10m - memory: 32Mi -``` +Create the CA Injector deployment +#### **cainjector.replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. +#### **cainjector.config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: ```yaml -ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +apiVersion: cainjector.config.cert-manager.io/v1alpha1 +kind: CAInjectorConfiguration +logging: + verbosity: 2 + format: text +leaderElectionConfig: + namespace: kube-system ``` +#### **cainjector.strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` - | -object | -+Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: ```yaml -{} +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 ``` +#### **cainjector.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` - | -
| webhook.livenessProbe | -+Pod Security Context to be set on the cainjector component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -Liveness probe values +#### **cainjector.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the cainjector component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -```yaml -ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes -``` +#### **cainjector.podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **cainjector.podDisruptionBudget.minAvailable** ~ `number` +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. +#### **cainjector.podDisruptionBudget.maxUnavailable** ~ `number` - | -object | -+Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. -```yaml -failureThreshold: 3 -initialDelaySeconds: 60 -periodSeconds: 10 -successThreshold: 1 -timeoutSeconds: 1 -``` +#### **cainjector.deploymentAnnotations** ~ `object` - | -
| webhook.readinessProbe | -
+Optional additional annotations to add to the cainjector Deployment
-Readiness probe values
+#### **cainjector.podAnnotations** ~ `object`
-```yaml
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-```
+Optional additional annotations to add to the cainjector Pods
+#### **cainjector.extraArgs** ~ `array`
+> Default value:
+> ```yaml
+> []
+> ```
+Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-object | -+Resources to provide to the cert-manager cainjector pod + +For example: ```yaml -failureThreshold: 3 -initialDelaySeconds: 5 -periodSeconds: 5 -successThreshold: 1 -timeoutSeconds: 1 +requests: + cpu: 10m + memory: 32Mi ``` - | -
| webhook.nodeSelector | -+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **cainjector.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - | -object | -- -```yaml -kubernetes.io/os: linux -``` - - | -
| webhook.affinity | -+#### **cainjector.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core @@ -1987,20 +1295,11 @@ affinity: values: - master ``` - - | -object | -- -```yaml -{} -``` - - | -
| webhook.tolerations | -+#### **cainjector.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core @@ -2013,20 +1312,11 @@ tolerations: value: master effect: NoSchedule ``` - - | -array | -- -```yaml -[] -``` - - | -
| webhook.topologySpreadConstraints | -+#### **cainjector.topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core @@ -2042,15595 +1332,232 @@ topologySpreadConstraints: app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: controller ``` +#### **cainjector.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` - | -array | -+Optional additional labels to add to the CA Injector Pods +#### **cainjector.image.registry** ~ `string` -```yaml -[] -``` +The container registry to pull the cainjector image from - | -
| webhook.podLabels | -+#### **cainjector.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-controller +> ``` -Optional additional labels to add to the Webhook Pods +The container image for the cert-manager cainjector - | -object | -+#### **cainjector.image.tag** ~ `string` -```yaml -{} -``` +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - | -
| webhook.serviceLabels | -+#### **cainjector.image.digest** ~ `string` -Optional additional labels to add to the Webhook Service +Setting a digest will override any tag - | -object | -+#### **cainjector.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` -```yaml -{} -``` +Kubernetes imagePullPolicy on Deployment. +#### **cainjector.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` - | -
| webhook.image.registry | -+Specifies whether a service account should be created +#### **cainjector.serviceAccount.name** ~ `string` -The container registry to pull the webhook image from +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template +#### **cainjector.serviceAccount.annotations** ~ `object` - | -string | -+Optional additional annotations to add to the controller's ServiceAccount -```yaml -undefined -``` +#### **cainjector.serviceAccount.labels** ~ `object` - | -
| webhook.image.repository | -+Optional additional labels to add to the cainjector's ServiceAccount -The container image for the cert-manager webhook +#### **cainjector.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` +Automount API credentials for a Service Account. +#### **cainjector.automountServiceAccountToken** ~ `bool` - | -string | -+Automounting API credentials for a particular pod -```yaml -quay.io/jetstack/cert-manager-webhook -``` +#### **cainjector.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` - | -
| webhook.image.tag | -+Additional volumes to add to the cert-manager controller pod. +#### **cainjector.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. +Additional volume mounts to add to the cert-manager controller container. +#### **cainjector.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +### ACME Solver - | -string | -+#### **acmesolver.image.registry** ~ `string` -```yaml -undefined -``` +The container registry to pull the acmesolver image from - | -
| webhook.image.digest | -+#### **acmesolver.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-acmesolver +> ``` -Setting a digest will override any tag +The container image for the cert-manager acmesolver + +#### **acmesolver.image.tag** ~ `string` +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - | -string | -+#### **acmesolver.image.digest** ~ `string` -```yaml -undefined -``` +Setting a digest will override any tag - | -
| webhook.image.pullPolicy | -+#### **acmesolver.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` Kubernetes imagePullPolicy on Deployment. +### Startup API Check - | -string | -- -```yaml -IfNotPresent -``` - | -
| webhook.serviceAccount.create | -+This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. +#### **startupapicheck.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` -Specifies whether a service account should be created +Enables the startup api check +#### **startupapicheck.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the startupapicheck component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ - | -bool | -+#### **startupapicheck.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -```yaml -true -``` +#### **startupapicheck.timeout** ~ `string` +> Default value: +> ```yaml +> 1m +> ``` - | -
| webhook.serviceAccount.name | -+Timeout for 'kubectl check api' command +#### **startupapicheck.backoffLimit** ~ `number` +> Default value: +> ```yaml +> 4 +> ``` -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template +Job backoffLimit +#### **startupapicheck.jobAnnotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "1" +> ``` +Optional additional annotations to add to the startupapicheck Job - | -string | -+#### **startupapicheck.podAnnotations** ~ `object` -```yaml -undefined -``` +Optional additional annotations to add to the startupapicheck Pods - | -
| webhook.serviceAccount.annotations | -
+#### **startupapicheck.extraArgs** ~ `array`
+> Default value:
+> ```yaml
+> - -v
+> ```
-Optional additional annotations to add to the controller's ServiceAccount
+Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: |
-object | -- -```yaml -undefined -``` - - | -
| webhook.serviceAccount.labels | -- -Optional additional labels to add to the webhook's ServiceAccount - - - | -object | -- -```yaml -undefined -``` - - | -
| webhook.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - | -bool | -- -```yaml -true -``` - - | -
| webhook.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -- -```yaml -undefined -``` - - | -
| webhook.securePort | -- -The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 - - | -number | -- -```yaml -10250 -``` - - | -
| webhook.hostNetwork | -- -Specifies if the webhook should be started in hostNetwork mode. - -Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working - -Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. - - | -bool | -- -```yaml -false -``` - - | -
| webhook.serviceType | -- -Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. - - | -string | -- -```yaml -ClusterIP -``` - - | -
| webhook.loadBalancerIP | -- -Specify the load balancer IP for the created service - - - | -string | -- -```yaml -undefined -``` - - | -
| webhook.url | -- -Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. - - | -object | -- -```yaml -{} -``` - - | -
| webhook.networkPolicy.enabled | -- -Create network policies for the webhooks - - | -bool | -- -```yaml -false -``` - - | -
| webhook.networkPolicy.ingress | -- -Ingress rule for the webhook network policy, by default will allow all inbound traffic - - - | -array | -- -```yaml -- from: - - ipBlock: - cidr: 0.0.0.0/0 -``` - - | -
| webhook.networkPolicy.egress | -- -Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports - - - | -array | -- -```yaml -- ports: - - port: 80 - protocol: TCP - - port: 443 - protocol: TCP - - port: 53 - protocol: TCP - - port: 53 - protocol: UDP - - port: 6443 - protocol: TCP - to: - - ipBlock: - cidr: 0.0.0.0/0 -``` - - | -
| webhook.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -- -```yaml -[] -``` - - | -
| webhook.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -- -```yaml -[] -``` - - | -
| webhook.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -- -```yaml -false -``` - - | -
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | -- -Create the CA Injector deployment - - | -bool | -- -```yaml -true -``` - - | -
| cainjector.replicaCount | -- -Number of replicas of the cert-manager cainjector to run. - -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - | -number | -- -```yaml -1 -``` - - | -
| cainjector.config | -- -Used to configure options for the cainjector pod. -This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. -Flags will override options that are set here. - -For example: - -```yaml -apiVersion: cainjector.config.cert-manager.io/v1alpha1 -kind: CAInjectorConfiguration -logging: - verbosity: 2 - format: text -leaderElectionConfig: - namespace: kube-system -``` - - | -object | -- -```yaml -{} -``` - - | -
| cainjector.strategy | -- -Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - -For example: - -```yaml -strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 -``` - - | -object | -- -```yaml -{} -``` - - | -
| cainjector.securityContext | -- -Pod Security Context to be set on the cainjector component Pod - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -- -```yaml -runAsNonRoot: true -seccompProfile: - type: RuntimeDefault -``` - - | -
| cainjector.containerSecurityContext | -- -Container Security Context to be set on the cainjector component container - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -- -```yaml -allowPrivilegeEscalation: false -capabilities: - drop: - - ALL -readOnlyRootFilesystem: true -``` - - | -
| cainjector.podDisruptionBudget.enabled | -- -Enable or disable the PodDisruptionBudget resource - -This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager -Pod is currently running. - - | -bool | -- -```yaml -false -``` - - | -
| cainjector.podDisruptionBudget.minAvailable | -- -Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `maxUnavailable` is set. - - - | -number | -- -```yaml -undefined -``` - - | -
| cainjector.podDisruptionBudget.maxUnavailable | -- -Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `minAvailable` is set. - - - | -number | -- -```yaml -undefined -``` - - | -
| cainjector.deploymentAnnotations | -- -Optional additional annotations to add to the cainjector Deployment - - - | -object | -- -```yaml -undefined -``` - - | -
| cainjector.podAnnotations | -- -Optional additional annotations to add to the cainjector Pods - - - | -object | -- -```yaml -undefined -``` - - | -
| cainjector.extraArgs | -
-
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -- -```yaml -[] -``` - - | -
| cainjector.featureGates | -- -Comma separated list of feature gates that should be enabled on the cainjector pod. - - | -string | -- -```yaml -"" -``` - - | -
| cainjector.resources | -- -Resources to provide to the cert-manager cainjector pod - -For example: - -```yaml -requests: - cpu: 10m - memory: 32Mi -``` - - - -```yaml -ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -``` - - | -object | -- -```yaml -{} -``` - - | -
| cainjector.nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -- -```yaml -kubernetes.io/os: linux -``` - - | -
| cainjector.affinity | -- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -For example: - -```yaml -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: foo.bar.com/role - operator: In - values: - - master -``` - - | -object | -- -```yaml -{} -``` - - | -
| cainjector.tolerations | -- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -For example: - -```yaml -tolerations: -- key: foo.bar.com/role - operator: Equal - value: master - effect: NoSchedule -``` - - | -array | -- -```yaml -[] -``` - - | -
| cainjector.topologySpreadConstraints | -- -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - -For example: - -```yaml -topologySpreadConstraints: -- maxSkew: 2 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: controller -``` - - | -array | -- -```yaml -[] -``` - - | -
| cainjector.podLabels | -- -Optional additional labels to add to the CA Injector Pods - - | -object | -- -```yaml -{} -``` - - | -
| cainjector.image.registry | -- -The container registry to pull the cainjector image from - - - | -string | -- -```yaml -undefined -``` - - | -
| cainjector.image.repository | -- -The container image for the cert-manager cainjector - - - | -string | -- -```yaml -quay.io/jetstack/cert-manager-controller -``` - - | -
| cainjector.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -- -```yaml -undefined -``` - - | -
| cainjector.image.digest | -- -Setting a digest will override any tag - - - | -string | -- -```yaml -undefined -``` - - | -
| cainjector.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -- -```yaml -IfNotPresent -``` - - | -
| cainjector.serviceAccount.create | -- -Specifies whether a service account should be created - - | -bool | -- -```yaml -true -``` - - | -
| cainjector.serviceAccount.name | -- -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -- -```yaml -undefined -``` - - | -
| cainjector.serviceAccount.annotations | -- -Optional additional annotations to add to the controller's ServiceAccount - - - | -object | -- -```yaml -undefined -``` - - | -
| cainjector.serviceAccount.labels | -- -Optional additional labels to add to the cainjector's ServiceAccount - - - | -object | -- -```yaml -undefined -``` - - | -
| cainjector.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - | -bool | -- -```yaml -true -``` - - | -
| cainjector.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -- -```yaml -undefined -``` - - | -
| cainjector.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -- -```yaml -[] -``` - - | -
| cainjector.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -- -```yaml -[] -``` - - | -
| cainjector.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -- -```yaml -false -``` - - | -
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | -- -The container registry to pull the acmesolver image from - - - | -string | -- -```yaml -undefined -``` - - | -
| acmesolver.image.repository | -- -The container image for the cert-manager acmesolver - - - | -string | -- -```yaml -quay.io/jetstack/cert-manager-acmesolver -``` - - | -
| acmesolver.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -- -```yaml -undefined -``` - - | -
| acmesolver.image.digest | -- -Setting a digest will override any tag - - - | -string | -- -```yaml -undefined -``` - - | -
| acmesolver.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -- -```yaml -IfNotPresent -``` - - | -
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | -- -Enables the startup api check - - | -bool | -- -```yaml -true -``` - - | -
| startupapicheck.securityContext | -- -Pod Security Context to be set on the startupapicheck component Pod - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -- -```yaml -runAsNonRoot: true -seccompProfile: - type: RuntimeDefault -``` - - | -
| startupapicheck.containerSecurityContext | -- -Container Security Context to be set on the controller component container - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -- -```yaml -allowPrivilegeEscalation: false -capabilities: - drop: - - ALL -readOnlyRootFilesystem: true -``` - - | -
| startupapicheck.timeout | -- -Timeout for 'kubectl check api' command - - | -string | -- -```yaml -1m -``` - - | -
| startupapicheck.backoffLimit | -- -Job backoffLimit - - | -number | -- -```yaml -4 -``` - - | -
| startupapicheck.jobAnnotations | -- -Optional additional annotations to add to the startupapicheck Job - - - | -object | -- -```yaml -helm.sh/hook: post-install -helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded -helm.sh/hook-weight: "1" -``` - - | -
| startupapicheck.extraArgs[0] | -- - | -string | -- -```yaml --v -``` - - | -
| startupapicheck.resources | -- -Resources to provide to the cert-manager controller pod - -For example: - -```yaml -requests: - cpu: 10m - memory: 32Mi -``` - - - -```yaml -ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -``` - - | -object | -- -```yaml -{} -``` - - | -
| startupapicheck.nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -- -```yaml -kubernetes.io/os: linux -``` - - | -
| startupapicheck.affinity | -- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -For example: - -```yaml -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: foo.bar.com/role - operator: In - values: - - master -``` - - | -object | -- -```yaml -{} -``` - - | -
| startupapicheck.tolerations | -- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -For example: - -```yaml -tolerations: -- key: foo.bar.com/role - operator: Equal - value: master - effect: NoSchedule -``` - - | -array | -- -```yaml -[] -``` - - | -
| startupapicheck.podLabels | -- -Optional additional labels to add to the startupapicheck Pods - - | -object | -- -```yaml -{} -``` - - | -
| startupapicheck.image.registry | -- -The container registry to pull the startupapicheck image from - - - | -string | -- -```yaml -undefined -``` - - | -
| startupapicheck.image.repository | -- -The container image for the cert-manager startupapicheck - - - | -string | -- -```yaml -quay.io/jetstack/cert-manager-startupapicheck -``` - - | -
| startupapicheck.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -- -```yaml -undefined -``` - - | -
| startupapicheck.image.digest | -- -Setting a digest will override any tag - - - | -string | -- -```yaml -undefined -``` - - | -
| startupapicheck.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -- -```yaml -IfNotPresent -``` - - | -
| startupapicheck.rbac.annotations | -- -annotations for the startup API Check job RBAC and PSP resources - - - | -object | -- -```yaml -helm.sh/hook: post-install -helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded -helm.sh/hook-weight: "-5" -``` - - | -
| startupapicheck.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -- -```yaml -undefined -``` - - | -
| startupapicheck.serviceAccount.create | -- -Specifies whether a service account should be created - - | -bool | -- -```yaml -true -``` - - | -
| startupapicheck.serviceAccount.name | -- -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -- -```yaml -undefined -``` - - | -
| startupapicheck.serviceAccount.annotations | -- -Optional additional annotations to add to the Job's ServiceAccount - - - | -object | -- -```yaml -helm.sh/hook: post-install -helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded -helm.sh/hook-weight: "-5" -``` - - | -
| startupapicheck.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - - | -bool | -- -```yaml -true -``` - - | -
| startupapicheck.serviceAccount.labels | -- -Optional additional labels to add to the startupapicheck's ServiceAccount - - - | -object | -- -```yaml -undefined -``` - - | -
| startupapicheck.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -- -```yaml -[] -``` - - | -
| startupapicheck.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -- -```yaml -[] -``` - - | -
| startupapicheck.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -- -```yaml -false -``` - - | -
{}
-
-{}
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
-false
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-[]
-
-""
-
-{}
-
-failureThreshold: 3
-initialDelaySeconds: 60
-periodSeconds: 10
-successThreshold: 1
-timeoutSeconds: 1
-
-failureThreshold: 3
-initialDelaySeconds: 5
-periodSeconds: 5
-successThreshold: 1
-timeoutSeconds: 1
-
-kubernetes.io/os: linux
-
-{}
-
-[]
-
-[]
-
-{}
-
-{}
-
-undefined
-
-quay.io/jetstack/cert-manager-webhook
-
-undefined
-
-undefined
-
-IfNotPresent
-
-true
-
-undefined
-
-undefined
-
-undefined
-
-true
-
-undefined
-
-10250
-
-false
-
-ClusterIP
-
-undefined
-
-{}
-
-false
-
-- from:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- ports:
- - port: 80
- protocol: TCP
- - port: 443
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-[]
-
-[]
-
-false
-
-| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | -- -Create the CA Injector deployment - - | -bool | -
-
-true
-
- |
-
-
| cainjector.replicaCount | -- -Number of replicas of the cert-manager cainjector to run. - -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - | -number | -
-
-1
-
- |
-
-
| cainjector.config | -- -Used to configure options for the cainjector pod. -This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. -Flags will override options that are set here. - -For example: - -```yaml -apiVersion: cainjector.config.cert-manager.io/v1alpha1 -kind: CAInjectorConfiguration -logging: - verbosity: 2 - format: text -leaderElectionConfig: - namespace: kube-system -``` - - | -object | -
-
-{}
-
- |
-
-
| cainjector.strategy | -- -Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - -For example: - -```yaml -strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 0 - maxUnavailable: 1 -``` - - | -object | -
-
-{}
-
- |
-
-
| cainjector.securityContext | -- -Pod Security Context to be set on the cainjector component Pod - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| cainjector.containerSecurityContext | -- -Container Security Context to be set on the cainjector component container - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| cainjector.podDisruptionBudget.enabled | -- -Enable or disable the PodDisruptionBudget resource - -This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager -Pod is currently running. - - | -bool | -
-
-false
-
- |
-
-
| cainjector.podDisruptionBudget.minAvailable | -- -Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `maxUnavailable` is set. - - - | -number | -
-
-undefined
-
- |
-
-
| cainjector.podDisruptionBudget.maxUnavailable | -- -Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `minAvailable` is set. - - - | -number | -
-
-undefined
-
- |
-
-
| cainjector.deploymentAnnotations | -- -Optional additional annotations to add to the cainjector Deployment - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.podAnnotations | -- -Optional additional annotations to add to the cainjector Pods - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.extraArgs | -
-
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -
-
-[]
-
- |
-
-
| cainjector.featureGates | -- -Comma separated list of feature gates that should be enabled on the cainjector pod. - - | -string | -
-
-""
-
- |
-
-
| cainjector.resources | -- -Resources to provide to the cert-manager cainjector pod - -For example: - -```yaml -requests: - cpu: 10m - memory: 32Mi -``` - - - -```yaml -ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -``` - - | -object | -
-
-{}
-
- |
-
-
| cainjector.nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| cainjector.affinity | -- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -For example: - -```yaml -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: foo.bar.com/role - operator: In - values: - - master -``` - - | -object | -
-
-{}
-
- |
-
-
| cainjector.tolerations | -- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -For example: - -```yaml -tolerations: -- key: foo.bar.com/role - operator: Equal - value: master - effect: NoSchedule -``` - - | -array | -
-
-[]
-
- |
-
-
| cainjector.topologySpreadConstraints | -- -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - -For example: - -```yaml -topologySpreadConstraints: -- maxSkew: 2 - topologyKey: topology.kubernetes.io/zone - whenUnsatisfiable: ScheduleAnyway - labelSelector: - matchLabels: - app.kubernetes.io/instance: cert-manager - app.kubernetes.io/component: controller -``` - - | -array | -
-
-[]
-
- |
-
-
| cainjector.podLabels | -- -Optional additional labels to add to the CA Injector Pods - - | -object | -
-
-{}
-
- |
-
-
| cainjector.image.registry | -- -The container registry to pull the cainjector image from - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.repository | -- -The container image for the cert-manager cainjector - - - | -string | -
-
-quay.io/jetstack/cert-manager-controller
-
- |
-
-
| cainjector.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.digest | -- -Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| cainjector.serviceAccount.create | -- -Specifies whether a service account should be created - - | -bool | -
-
-true
-
- |
-
-
| cainjector.serviceAccount.name | -- -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.annotations | -- -Optional additional annotations to add to the controller's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.labels | -- -Optional additional labels to add to the cainjector's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - | -bool | -
-
-true
-
- |
-
-
| cainjector.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -
-
-undefined
-
- |
-
-
| cainjector.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -
-
-[]
-
- |
-
-
| cainjector.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -
-
-[]
-
- |
-
-
| cainjector.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -
-
-false
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | -- -The container registry to pull the acmesolver image from - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.repository | -- -The container image for the cert-manager acmesolver - - - | -string | -
-
-quay.io/jetstack/cert-manager-acmesolver
-
- |
-
-
| acmesolver.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.digest | -- -Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | -- -Enables the startup api check - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.securityContext | -- -Pod Security Context to be set on the startupapicheck component Pod - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| startupapicheck.containerSecurityContext | -- -Container Security Context to be set on the controller component container - -```yaml -ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ -``` - - - | -object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| startupapicheck.timeout | -- -Timeout for 'kubectl check api' command - - | -string | -
-
-1m
-
- |
-
-
| startupapicheck.backoffLimit | -- -Job backoffLimit - - | -number | -
-
-4
-
- |
-
-
| startupapicheck.jobAnnotations | -- -Optional additional annotations to add to the startupapicheck Job - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "1"
-
- |
-
-
| startupapicheck.extraArgs[0] | -- - | -string | -
-
--v
-
- |
-
-
| startupapicheck.resources | -- -Resources to provide to the cert-manager controller pod - -For example: - -```yaml -requests: - cpu: 10m - memory: 32Mi -``` - - - -```yaml -ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ -``` - - | -object | -
-
-{}
-
- |
-
-
| startupapicheck.nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| startupapicheck.affinity | -- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -For example: - -```yaml -affinity: - nodeAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - nodeSelectorTerms: - - matchExpressions: - - key: foo.bar.com/role - operator: In - values: - - master -``` - - | -object | -
-
-{}
-
- |
-
-
| startupapicheck.tolerations | -- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -For example: - -```yaml -tolerations: -- key: foo.bar.com/role - operator: Equal - value: master - effect: NoSchedule -``` - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.podLabels | -- -Optional additional labels to add to the startupapicheck Pods - - | -object | -
-
-{}
-
- |
-
-
| startupapicheck.image.registry | -- -The container registry to pull the startupapicheck image from - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.repository | -- -The container image for the cert-manager startupapicheck - - - | -string | -
-
-quay.io/jetstack/cert-manager-startupapicheck
-
- |
-
-
| startupapicheck.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.digest | -- -Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| startupapicheck.rbac.annotations | -- -annotations for the startup API Check job RBAC and PSP resources - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.create | -- -Specifies whether a service account should be created - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.name | -- -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.annotations | -- -Optional additional annotations to add to the Job's ServiceAccount - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.labels | -- -Optional additional labels to add to the startupapicheck's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| startupapicheck.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -
-
-false
-
- |
-
-
{}
-
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
-{}
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
-false
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-[]
-
-""
-
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-
-
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
-{}
-
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-
-
-
-failureThreshold: 3
-initialDelaySeconds: 60
-periodSeconds: 10
-successThreshold: 1
-timeoutSeconds: 1
-
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-
-
-
-failureThreshold: 3
-initialDelaySeconds: 5
-periodSeconds: 5
-successThreshold: 1
-timeoutSeconds: 1
-
-kubernetes.io/os: linux
-
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
-{}
-
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
-[]
-
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
-[]
-
-{}
-
-{}
-
-undefined
-
-quay.io/jetstack/cert-manager-webhook
-
-undefined
-
-undefined
-
-IfNotPresent
-
-true
-
-undefined
-
-undefined
-
-undefined
-
-true
-
-undefined
-
-10250
-
-false
-
-ClusterIP
-
-undefined
-
-{}
-
-false
-
-- from:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- ports:
- - port: 80
- protocol: TCP
- - port: 443
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-[]
-
-[]
-
-false
-
-| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | -- -Create the CA Injector deployment - - | -bool | -
-
-true
-
- |
-
-
| cainjector.replicaCount | -- -Number of replicas of the cert-manager cainjector to run. - -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - | -number | -
-
-1
-
- |
-
-
| cainjector.config | -
-
-Used to configure options for the cainjector pod.
-This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
-Flags will override options that are set here.
-
-For example:
-
-apiVersion: cainjector.config.cert-manager.io/v1alpha1
-kind: CAInjectorConfiguration
-logging:
- verbosity: 2
- format: text
-leaderElectionConfig:
- namespace: kube-system
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.strategy | -
-
-Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
-
-For example:
-
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.securityContext | -
-
-Pod Security Context to be set on the cainjector component Pod
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| cainjector.containerSecurityContext | -
-
-Container Security Context to be set on the cainjector component container
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| cainjector.podDisruptionBudget.enabled | -- -Enable or disable the PodDisruptionBudget resource - -This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager -Pod is currently running. - - | -bool | -
-
-false
-
- |
-
-
| cainjector.podDisruptionBudget.minAvailable | -- -Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `maxUnavailable` is set. - - - | -number | -
-
-undefined
-
- |
-
-
| cainjector.podDisruptionBudget.maxUnavailable | -- -Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `minAvailable` is set. - - - | -number | -
-
-undefined
-
- |
-
-
| cainjector.deploymentAnnotations | -- -Optional additional annotations to add to the cainjector Deployment - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.podAnnotations | -- -Optional additional annotations to add to the cainjector Pods - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.extraArgs | -
-
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -
-
-[]
-
- |
-
-
| cainjector.featureGates | -- -Comma separated list of feature gates that should be enabled on the cainjector pod. - - | -string | -
-
-""
-
- |
-
-
| cainjector.resources | -
-
-Resources to provide to the cert-manager cainjector pod
-
-For example:
-
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-
-
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| cainjector.affinity | -
-
-A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
-
-For example:
-
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.tolerations | -
-
-A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
-
-For example:
-
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.topologySpreadConstraints | -
-
-A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
-
-For example:
-
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.podLabels | -- -Optional additional labels to add to the CA Injector Pods - - | -object | -
-
-{}
-
- |
-
-
| cainjector.image.registry | -- -The container registry to pull the cainjector image from - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.repository | -- -The container image for the cert-manager cainjector - - - | -string | -
-
-quay.io/jetstack/cert-manager-controller
-
- |
-
-
| cainjector.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.digest | -- -Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| cainjector.serviceAccount.create | -- -Specifies whether a service account should be created - - | -bool | -
-
-true
-
- |
-
-
| cainjector.serviceAccount.name | -- -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.annotations | -- -Optional additional annotations to add to the controller's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.labels | -- -Optional additional labels to add to the cainjector's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - | -bool | -
-
-true
-
- |
-
-
| cainjector.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -
-
-undefined
-
- |
-
-
| cainjector.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -
-
-[]
-
- |
-
-
| cainjector.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -
-
-[]
-
- |
-
-
| cainjector.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -
-
-false
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | -- -The container registry to pull the acmesolver image from - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.repository | -- -The container image for the cert-manager acmesolver - - - | -string | -
-
-quay.io/jetstack/cert-manager-acmesolver
-
- |
-
-
| acmesolver.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.digest | -- -Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | -- -Enables the startup api check - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.securityContext | -
-
-Pod Security Context to be set on the startupapicheck component Pod
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| startupapicheck.containerSecurityContext | -
-
-Container Security Context to be set on the controller component container
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| startupapicheck.timeout | -- -Timeout for 'kubectl check api' command - - | -string | -
-
-1m
-
- |
-
-
| startupapicheck.backoffLimit | -- -Job backoffLimit - - | -number | -
-
-4
-
- |
-
-
| startupapicheck.jobAnnotations | -- -Optional additional annotations to add to the startupapicheck Job - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "1"
-
- |
-
-
| startupapicheck.extraArgs[0] | -- - | -string | -
-
--v
-
- |
-
-
| startupapicheck.resources | -
-
-Resources to provide to the cert-manager controller pod
-
-For example:
-
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-
-
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.nodeSelector | -- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| startupapicheck.affinity | -
-
-A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
-
-For example:
-
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.tolerations | -
-
-A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
-
-For example:
-
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.podLabels | -- -Optional additional labels to add to the startupapicheck Pods - - | -object | -
-
-{}
-
- |
-
-
| startupapicheck.image.registry | -- -The container registry to pull the startupapicheck image from - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.repository | -- -The container image for the cert-manager startupapicheck - - - | -string | -
-
-quay.io/jetstack/cert-manager-startupapicheck
-
- |
-
-
| startupapicheck.image.tag | -- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.digest | -- -Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.pullPolicy | -- -Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| startupapicheck.rbac.annotations | -- -annotations for the startup API Check job RBAC and PSP resources - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.automountServiceAccountToken | -- -Automounting API credentials for a particular pod - - - | -bool | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.create | -- -Specifies whether a service account should be created - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.name | -- -The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.annotations | -- -Optional additional annotations to add to the Job's ServiceAccount - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.serviceAccount.automountServiceAccountToken | -- -Automount API credentials for a Service Account. - - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.labels | -- -Optional additional labels to add to the startupapicheck's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| startupapicheck.volumes | -- -Additional volumes to add to the cert-manager controller pod. - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.volumeMounts | -- -Additional volume mounts to add to the cert-manager controller container. - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.enableServiceLinks | -- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -
-
-false
-
- |
-
-
{}
-
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
-{}
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
-false
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-undefined
-
-[]
-
-""
-
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
-{}
-
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-
-
-failureThreshold: 3
-initialDelaySeconds: 60
-periodSeconds: 10
-successThreshold: 1
-timeoutSeconds: 1
-
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-
-
-failureThreshold: 3
-initialDelaySeconds: 5
-periodSeconds: 5
-successThreshold: 1
-timeoutSeconds: 1
-
-kubernetes.io/os: linux
-
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
-{}
-
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
-[]
-
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
-[]
-
-{}
-
-{}
-
-undefined
-
-quay.io/jetstack/cert-manager-webhook
-
-undefined
-
-undefined
-
-IfNotPresent
-
-true
-
-undefined
-
-undefined
-
-undefined
-
-true
-
-undefined
-
-10250
-
-false
-
-ClusterIP
-
-undefined
-
-{}
-
-false
-
-- from:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- ports:
- - port: 80
- protocol: TCP
- - port: 443
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-[]
-
-[]
-
-false
-
-| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | --Create the CA Injector deployment - - | -bool | -
-
-true
-
- |
-
-
| cainjector.replicaCount | --Number of replicas of the cert-manager cainjector to run. - -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - | -number | -
-
-1
-
- |
-
-
| cainjector.config | -
-Used to configure options for the cainjector pod.
-This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
-Flags will override options that are set here.
-
-For example:
-
-apiVersion: cainjector.config.cert-manager.io/v1alpha1
-kind: CAInjectorConfiguration
-logging:
- verbosity: 2
- format: text
-leaderElectionConfig:
- namespace: kube-system
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.strategy | -
-Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
-
-For example:
-
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.securityContext | -
-Pod Security Context to be set on the cainjector component Pod
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| cainjector.containerSecurityContext | -
-Container Security Context to be set on the cainjector component container
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| cainjector.podDisruptionBudget.enabled | --Enable or disable the PodDisruptionBudget resource - -This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager -Pod is currently running. - - | -bool | -
-
-false
-
- |
-
-
| cainjector.podDisruptionBudget.minAvailable | --Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `maxUnavailable` is set. - - - | -number | -
-
-undefined
-
- |
-
-
| cainjector.podDisruptionBudget.maxUnavailable | --Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). -Cannot be used if `minAvailable` is set. - - - | -number | -
-
-undefined
-
- |
-
-
| cainjector.deploymentAnnotations | --Optional additional annotations to add to the cainjector Deployment - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.podAnnotations | --Optional additional annotations to add to the cainjector Pods - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.extraArgs | -
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -
-
-[]
-
- |
-
-
| cainjector.featureGates | --Comma separated list of feature gates that should be enabled on the cainjector pod. - - | -string | -
-
-""
-
- |
-
-
| cainjector.resources | -
-Resources to provide to the cert-manager cainjector pod
-
-For example:
-
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.nodeSelector | --The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| cainjector.affinity | -
-A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
-
-For example:
-
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.tolerations | -
-A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
-
-For example:
-
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.topologySpreadConstraints | -
-A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
-
-For example:
-
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.podLabels | --Optional additional labels to add to the CA Injector Pods - - | -object | -
-
-{}
-
- |
-
-
| cainjector.image.registry | --The container registry to pull the cainjector image from - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.repository | --The container image for the cert-manager cainjector - - - | -string | -
-
-quay.io/jetstack/cert-manager-controller
-
- |
-
-
| cainjector.image.tag | --Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.digest | --Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.image.pullPolicy | --Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| cainjector.serviceAccount.create | --Specifies whether a service account should be created - - | -bool | -
-
-true
-
- |
-
-
| cainjector.serviceAccount.name | --The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.annotations | --Optional additional annotations to add to the controller's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.labels | --Optional additional labels to add to the cainjector's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.automountServiceAccountToken | --Automount API credentials for a Service Account. - - | -bool | -
-
-true
-
- |
-
-
| cainjector.automountServiceAccountToken | --Automounting API credentials for a particular pod - - - | -bool | -
-
-undefined
-
- |
-
-
| cainjector.volumes | --Additional volumes to add to the cert-manager controller pod. - - | -array | -
-
-[]
-
- |
-
-
| cainjector.volumeMounts | --Additional volume mounts to add to the cert-manager controller container. - - | -array | -
-
-[]
-
- |
-
-
| cainjector.enableServiceLinks | --enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -
-
-false
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | --The container registry to pull the acmesolver image from - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.repository | --The container image for the cert-manager acmesolver - - - | -string | -
-
-quay.io/jetstack/cert-manager-acmesolver
-
- |
-
-
| acmesolver.image.tag | --Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.digest | --Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| acmesolver.image.pullPolicy | --Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | --Enables the startup api check - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.securityContext | -
-Pod Security Context to be set on the startupapicheck component Pod
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| startupapicheck.containerSecurityContext | -
-Container Security Context to be set on the controller component container
-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| startupapicheck.timeout | --Timeout for 'kubectl check api' command - - | -string | -
-
-1m
-
- |
-
-
| startupapicheck.backoffLimit | --Job backoffLimit - - | -number | -
-
-4
-
- |
-
-
| startupapicheck.jobAnnotations | --Optional additional annotations to add to the startupapicheck Job - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "1"
-
- |
-
-
| startupapicheck.extraArgs[0] | -- - | -string | -
-
--v
-
- |
-
-
| startupapicheck.resources | -
-Resources to provide to the cert-manager controller pod
-
-For example:
-
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.nodeSelector | --The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - | -object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| startupapicheck.affinity | -
-A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
-
-For example:
-
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.tolerations | -
-A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
-
-For example:
-
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.podLabels | --Optional additional labels to add to the startupapicheck Pods - - | -object | -
-
-{}
-
- |
-
-
| startupapicheck.image.registry | --The container registry to pull the startupapicheck image from - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.repository | --The container image for the cert-manager startupapicheck - - - | -string | -
-
-quay.io/jetstack/cert-manager-startupapicheck
-
- |
-
-
| startupapicheck.image.tag | --Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.digest | --Setting a digest will override any tag - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.pullPolicy | --Kubernetes imagePullPolicy on Deployment. - - | -string | -
-
-IfNotPresent
-
- |
-
-
| startupapicheck.rbac.annotations | --annotations for the startup API Check job RBAC and PSP resources - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.automountServiceAccountToken | --Automounting API credentials for a particular pod - - - | -bool | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.create | --Specifies whether a service account should be created - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.name | --The name of the service account to use. -If not set and create is true, a name is generated using the fullname template - - - | -string | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.annotations | --Optional additional annotations to add to the Job's ServiceAccount - - - | -object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.serviceAccount.automountServiceAccountToken | --Automount API credentials for a Service Account. - - - | -bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.labels | --Optional additional labels to add to the startupapicheck's ServiceAccount - - - | -object | -
-
-undefined
-
- |
-
-
| startupapicheck.volumes | --Additional volumes to add to the cert-manager controller pod. - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.volumeMounts | --Additional volume mounts to add to the cert-manager controller container. - - | -array | -
-
-[]
-
- |
-
-
| startupapicheck.enableServiceLinks | --enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - | -bool | -
-
-false
-
- |
-
-
{}
-
-- -Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - -
-- -For example: - -
- -
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
-{}
-
-- -Pod Security Context to be set on the webhook component Pod - -
- -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
-- -Container Security Context to be set on the webhook component container - -
- -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
-- -Enable or disable the PodDisruptionBudget resource - -
-
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
-Pod is currently running.
-
-
false
-
-
-
-Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
-Cannot be used if `maxUnavailable` is set.
-
-
undefined
-
-
-
-Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
-Cannot be used if `minAvailable` is set.
-
-
undefined
-
-- -Optional additional annotations to add to the webhook Deployment - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook Pods - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook Service - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook MutatingWebhookConfiguration - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook ValidatingWebhookConfiguration - -
- - -undefined
-
-
-
-Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:
[]
-
-- -Comma separated list of feature gates that should be enabled on the webhook pod. - -
- -""
-
-- -Resources to provide to the cert-manager webhook pod - -
-- -For example: - -
- -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - -
- -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
-{}
-
-- -Liveness probe values - -
- -
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-- - - -
- - -failureThreshold: 3
-initialDelaySeconds: 60
-periodSeconds: 10
-successThreshold: 1
-timeoutSeconds: 1
-
-- -Readiness probe values - -
- -
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-- - - -
- - -failureThreshold: 3
-initialDelaySeconds: 5
-periodSeconds: 5
-successThreshold: 1
-timeoutSeconds: 1
-
-- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -
-- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - -
- - -kubernetes.io/os: linux
-
-- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -
-- -For example: - -
- -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
-{}
-
-- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -
-- -For example: - -
- -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
-[]
-
-- -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - -
-- -For example: - -
- -
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
-[]
-
-- -Optional additional labels to add to the Webhook Pods - -
- -{}
-
-- -Optional additional labels to add to the Webhook Service - -
- -{}
-
-- -The container registry to pull the webhook image from - -
- - -undefined
-
-- -The container image for the cert-manager webhook - -
- - -quay.io/jetstack/cert-manager-controller
-
-- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - -
- - -undefined
-
-- -Setting a digest will override any tag - -
- - -undefined
-
-- -Kubernetes imagePullPolicy on Deployment. - -
- -IfNotPresent
-
-- -Specifies whether a service account should be created - -
- -true
-
-
-
-The name of the service account to use.
-If not set and create is true, a name is generated using the fullname template
-
-
undefined
-
-- -Optional additional annotations to add to the controller's ServiceAccount - -
- - -undefined
-
-- -Optional additional labels to add to the webhook's ServiceAccount - -
- - -undefined
-
-- -Automount API credentials for a Service Account. - -
- -true
-
-- -Automounting API credentials for a particular pod - -
- - -undefined
-
-- -The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 - -
- -10250
-
-- -Specifies if the webhook should be started in hostNetwork mode. - -
-- -Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working - -
-- -Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. - -
- -false
-
-- -Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. - -
- -ClusterIP
-
-- -Specify the load balancer IP for the created service - -
- - -undefined
-
-- -Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. - -
- -{}
-
-- -Create network policies for the webhooks - -
- -false
-
-- -Ingress rule for the webhook network policy, by default will allow all inbound traffic - -
- - -- from:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- -Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports - -
- - -- ports:
- - port: 80
- protocol: TCP
- - port: 443
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- -Additional volumes to add to the cert-manager controller pod. - -
- -[]
-
-- -Additional volume mounts to add to the cert-manager controller container. - -
- -[]
-
-- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - -
- -false
-
-| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | -
-
- - -Create the CA Injector deployment - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.replicaCount | -
-
- - -Number of replicas of the cert-manager cainjector to run. - - -- -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - - -- -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - - -- -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - - - |
-number | -
-
-1
-
- |
-
-
| cainjector.config | -
-
-
-
-Used to configure options for the cainjector pod. - -For example: - - - -
-apiVersion: cainjector.config.cert-manager.io/v1alpha1
-kind: CAInjectorConfiguration
-logging:
- verbosity: 2
- format: text
-leaderElectionConfig:
- namespace: kube-system
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.strategy | -
-
- - -Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - - -- -For example: - - - -
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.securityContext | -
-
- - -Pod Security Context to be set on the cainjector component Pod - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| cainjector.containerSecurityContext | -
-
- - -Container Security Context to be set on the cainjector component container - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| cainjector.podDisruptionBudget.enabled | -
-
- - -Enable or disable the PodDisruptionBudget resource - - -
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager |
-bool | -
-
-false
-
- |
-
-
| cainjector.podDisruptionBudget.minAvailable | -
-
-
-
-Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). |
-number | -
-
-undefined
-
- |
-
-
| cainjector.podDisruptionBudget.maxUnavailable | -
-
-
-
-Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). |
-number | -
-
-undefined
-
- |
-
-
| cainjector.deploymentAnnotations | -
-
- - -Optional additional annotations to add to the cainjector Deployment - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.podAnnotations | -
-
- - -Optional additional annotations to add to the cainjector Pods - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.extraArgs | -
-
-
-
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -
-
-[]
-
- |
-
-
| cainjector.featureGates | -
-
- - -Comma separated list of feature gates that should be enabled on the cainjector pod. - - - - |
-string | -
-
-""
-
- |
-
-
| cainjector.resources | -
-
- - -Resources to provide to the cert-manager cainjector pod - - -- -For example: - - - -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - - - -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.nodeSelector | -
-
- - -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - -- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - - - |
-object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| cainjector.affinity | -
-
- - -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - - -- -For example: - - - -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.tolerations | -
-
- - -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - - -- -For example: - - - -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.topologySpreadConstraints | -
-
- - -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - - -- -For example: - - - -
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.podLabels | -
-
- - -Optional additional labels to add to the CA Injector Pods - - - - |
-object | -
-
-{}
-
- |
-
-
| cainjector.image.registry | -
-
- - -The container registry to pull the cainjector image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.repository | -
-
- - -The container image for the cert-manager cainjector - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-controller
-
- |
-
-
| cainjector.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
| cainjector.serviceAccount.create | -
-
- - -Specifies whether a service account should be created - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.serviceAccount.name | -
-
-
-
-The name of the service account to use. |
-string | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.annotations | -
-
- - -Optional additional annotations to add to the controller's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.labels | -
-
- - -Optional additional labels to add to the cainjector's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.automountServiceAccountToken | -
-
- - -Automount API credentials for a Service Account. - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.automountServiceAccountToken | -
-
- - -Automounting API credentials for a particular pod - - - - - |
-bool | -
-
-undefined
-
- |
-
-
| cainjector.volumes | -
-
- - -Additional volumes to add to the cert-manager controller pod. - - - - |
-array | -
-
-[]
-
- |
-
-
| cainjector.volumeMounts | -
-
- - -Additional volume mounts to add to the cert-manager controller container. - - - - |
-array | -
-
-[]
-
- |
-
-
| cainjector.enableServiceLinks | -
-
- - -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - - - |
-bool | -
-
-false
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | -
-
- - -The container registry to pull the acmesolver image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.repository | -
-
- - -The container image for the cert-manager acmesolver - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-acmesolver
-
- |
-
-
| acmesolver.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
- -This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. - -
- -| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | -
-
- - -Enables the startup api check - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.securityContext | -
-
- - -Pod Security Context to be set on the startupapicheck component Pod - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| startupapicheck.containerSecurityContext | -
-
- - -Container Security Context to be set on the controller component container - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| startupapicheck.timeout | -
-
- - -Timeout for 'kubectl check api' command - - - - |
-string | -
-
-1m
-
- |
-
-
| startupapicheck.backoffLimit | -
-
- - -Job backoffLimit - - - - |
-number | -
-
-4
-
- |
-
-
| startupapicheck.jobAnnotations | -
-
- - -Optional additional annotations to add to the startupapicheck Job - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "1"
-
- |
-
-
| startupapicheck.extraArgs[0] | -- - | -string | -
-
--v
-
- |
-
-
| startupapicheck.resources | -
-
- - -Resources to provide to the cert-manager controller pod - - -- -For example: - - - -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - - - -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.nodeSelector | -
-
- - -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - -- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - - - |
-object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| startupapicheck.affinity | -
-
- - -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - - -- -For example: - - - -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.tolerations | -
-
- - -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - - -- -For example: - - - -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.podLabels | -
-
- - -Optional additional labels to add to the startupapicheck Pods - - - - |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.image.registry | -
-
- - -The container registry to pull the startupapicheck image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.repository | -
-
- - -The container image for the cert-manager startupapicheck - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-startupapicheck
-
- |
-
-
| startupapicheck.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
| startupapicheck.rbac.annotations | -
-
- - -annotations for the startup API Check job RBAC and PSP resources - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.automountServiceAccountToken | -
-
- - -Automounting API credentials for a particular pod - - - - - |
-bool | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.create | -
-
- - -Specifies whether a service account should be created - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.name | -
-
-
-
-The name of the service account to use. |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.annotations | -
-
- - -Optional additional annotations to add to the Job's ServiceAccount - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.serviceAccount.automountServiceAccountToken | -
-
- - -Automount API credentials for a Service Account. - - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.labels | -
-
- - -Optional additional labels to add to the startupapicheck's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| startupapicheck.volumes | -
-
- - -Additional volumes to add to the cert-manager controller pod. - - - - |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.volumeMounts | -
-
- - -Additional volume mounts to add to the cert-manager controller container. - - - - |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.enableServiceLinks | -
-
- - -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - - - |
-bool | -
-
-false
-
- |
-
-
{}
-
-- -Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - -
-- -For example: - -
- -
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
-{}
-
-- -Pod Security Context to be set on the webhook component Pod - -
- -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
-- -Container Security Context to be set on the webhook component container - -
- -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
-- -Enable or disable the PodDisruptionBudget resource - -
-
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
-Pod is currently running.
-
-
false
-
-
-
-Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
-Cannot be used if `maxUnavailable` is set.
-
-
undefined
-
-
-
-Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
-Cannot be used if `minAvailable` is set.
-
-
undefined
-
-- -Optional additional annotations to add to the webhook Deployment - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook Pods - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook Service - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook MutatingWebhookConfiguration - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook ValidatingWebhookConfiguration - -
- - -undefined
-
-
-
-Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:
[]
-
-- -Comma separated list of feature gates that should be enabled on the webhook pod. - -
- -""
-
-- -Resources to provide to the cert-manager webhook pod - -
-- -For example: - -
- -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - -
- -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
-{}
-
-- -Liveness probe values - -
- -
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-- - - -
- - -failureThreshold: 3
-initialDelaySeconds: 60
-periodSeconds: 10
-successThreshold: 1
-timeoutSeconds: 1
-
-- -Readiness probe values - -
- -
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-- - - -
- - -failureThreshold: 3
-initialDelaySeconds: 5
-periodSeconds: 5
-successThreshold: 1
-timeoutSeconds: 1
-
-- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -
-- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - -
- - -kubernetes.io/os: linux
-
-- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -
-- -For example: - -
- -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
-{}
-
-- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -
-- -For example: - -
- -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
-[]
-
-- -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - -
-- -For example: - -
- -
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
-[]
-
-- -Optional additional labels to add to the Webhook Pods - -
- -{}
-
-- -Optional additional labels to add to the Webhook Service - -
- -{}
-
-- -The container registry to pull the webhook image from - -
- - -undefined
-
-- -The container image for the cert-manager webhook - -
- - -quay.io/jetstack/cert-manager-controller
-
-- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - -
- - -undefined
-
-- -Setting a digest will override any tag - -
- - -undefined
-
-- -Kubernetes imagePullPolicy on Deployment. - -
- -IfNotPresent
-
-- -Specifies whether a service account should be created - -
- -true
-
-
-
-The name of the service account to use.
-If not set and create is true, a name is generated using the fullname template
-
-
undefined
-
-- -Optional additional annotations to add to the controller's ServiceAccount - -
- - -undefined
-
-- -Optional additional labels to add to the webhook's ServiceAccount - -
- - -undefined
-
-- -Automount API credentials for a Service Account. - -
- -true
-
-- -Automounting API credentials for a particular pod - -
- - -undefined
-
-- -The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 - -
- -10250
-
-- -Specifies if the webhook should be started in hostNetwork mode. - -
-- -Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working - -
-- -Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. - -
- -false
-
-- -Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. - -
- -ClusterIP
-
-- -Specify the load balancer IP for the created service - -
- - -undefined
-
-- -Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. - -
- -{}
-
-- -Create network policies for the webhooks - -
- -false
-
-- -Ingress rule for the webhook network policy, by default will allow all inbound traffic - -
- - -- from:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- -Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports - -
- - -- ports:
- - port: 80
- protocol: TCP
- - port: 443
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- -Additional volumes to add to the cert-manager controller pod. - -
- -[]
-
-- -Additional volume mounts to add to the cert-manager controller container. - -
- -[]
-
-- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - -
- -false
-
-| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | -
-
- - -Create the CA Injector deployment - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.replicaCount | -
-
- - -Number of replicas of the cert-manager cainjector to run. - - -- -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - - -- -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - - -- -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - - - |
-number | -
-
-1
-
- |
-
-
| cainjector.config | -
-
-
-
-Used to configure options for the cainjector pod. - -For example: - - - -
-apiVersion: cainjector.config.cert-manager.io/v1alpha1
-kind: CAInjectorConfiguration
-logging:
- verbosity: 2
- format: text
-leaderElectionConfig:
- namespace: kube-system
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.strategy | -
-
- - -Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - - -- -For example: - - - -
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.securityContext | -
-
- - -Pod Security Context to be set on the cainjector component Pod - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| cainjector.containerSecurityContext | -
-
- - -Container Security Context to be set on the cainjector component container - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| cainjector.podDisruptionBudget.enabled | -
-
- - -Enable or disable the PodDisruptionBudget resource - - -
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager |
-bool | -
-
-false
-
- |
-
-
| cainjector.podDisruptionBudget.minAvailable | -
-
-
-
-Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). |
-number | -
-
-undefined
-
- |
-
-
| cainjector.podDisruptionBudget.maxUnavailable | -
-
-
-
-Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). |
-number | -
-
-undefined
-
- |
-
-
| cainjector.deploymentAnnotations | -
-
- - -Optional additional annotations to add to the cainjector Deployment - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.podAnnotations | -
-
- - -Optional additional annotations to add to the cainjector Pods - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.extraArgs | -
-
-
-
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -
-
-[]
-
- |
-
-
| cainjector.featureGates | -
-
- - -Comma separated list of feature gates that should be enabled on the cainjector pod. - - - - |
-string | -
-
-""
-
- |
-
-
| cainjector.resources | -
-
- - -Resources to provide to the cert-manager cainjector pod - - -- -For example: - - - -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - - - -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.nodeSelector | -
-
- - -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - -- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - - - |
-object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| cainjector.affinity | -
-
- - -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - - -- -For example: - - - -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.tolerations | -
-
- - -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - - -- -For example: - - - -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.topologySpreadConstraints | -
-
- - -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - - -- -For example: - - - -
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.podLabels | -
-
- - -Optional additional labels to add to the CA Injector Pods - - - - |
-object | -
-
-{}
-
- |
-
-
| cainjector.image.registry | -
-
- - -The container registry to pull the cainjector image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.repository | -
-
- - -The container image for the cert-manager cainjector - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-controller
-
- |
-
-
| cainjector.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
| cainjector.serviceAccount.create | -
-
- - -Specifies whether a service account should be created - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.serviceAccount.name | -
-
-
-
-The name of the service account to use. |
-string | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.annotations | -
-
- - -Optional additional annotations to add to the controller's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.labels | -
-
- - -Optional additional labels to add to the cainjector's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.automountServiceAccountToken | -
-
- - -Automount API credentials for a Service Account. - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.automountServiceAccountToken | -
-
- - -Automounting API credentials for a particular pod - - - - - |
-bool | -
-
-undefined
-
- |
-
-
| cainjector.volumes | -
-
- - -Additional volumes to add to the cert-manager controller pod. - - - - |
-array | -
-
-[]
-
- |
-
-
| cainjector.volumeMounts | -
-
- - -Additional volume mounts to add to the cert-manager controller container. - - - - |
-array | -
-
-[]
-
- |
-
-
| cainjector.enableServiceLinks | -
-
- - -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - - - |
-bool | -
-
-false
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | -
-
- - -The container registry to pull the acmesolver image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.repository | -
-
- - -The container image for the cert-manager acmesolver - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-acmesolver
-
- |
-
-
| acmesolver.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
- -This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. - -
- -| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | -
-
- - -Enables the startup api check - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.securityContext | -
-
- - -Pod Security Context to be set on the startupapicheck component Pod - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| startupapicheck.containerSecurityContext | -
-
- - -Container Security Context to be set on the controller component container - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| startupapicheck.timeout | -
-
- - -Timeout for 'kubectl check api' command - - - - |
-string | -
-
-1m
-
- |
-
-
| startupapicheck.backoffLimit | -
-
- - -Job backoffLimit - - - - |
-number | -
-
-4
-
- |
-
-
| startupapicheck.jobAnnotations | -
-
- - -Optional additional annotations to add to the startupapicheck Job - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "1"
-
- |
-
-
| startupapicheck.extraArgs[0] | -- - | -string | -
-
--v
-
- |
-
-
| startupapicheck.resources | -
-
- - -Resources to provide to the cert-manager controller pod - - -- -For example: - - - -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - - - -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.nodeSelector | -
-
- - -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - -- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - - - |
-object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| startupapicheck.affinity | -
-
- - -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - - -- -For example: - - - -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.tolerations | -
-
- - -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - - -- -For example: - - - -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.podLabels | -
-
- - -Optional additional labels to add to the startupapicheck Pods - - - - |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.image.registry | -
-
- - -The container registry to pull the startupapicheck image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.repository | -
-
- - -The container image for the cert-manager startupapicheck - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-startupapicheck
-
- |
-
-
| startupapicheck.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
| startupapicheck.rbac.annotations | -
-
- - -annotations for the startup API Check job RBAC and PSP resources - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.automountServiceAccountToken | -
-
- - -Automounting API credentials for a particular pod - - - - - |
-bool | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.create | -
-
- - -Specifies whether a service account should be created - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.name | -
-
-
-
-The name of the service account to use. |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.annotations | -
-
- - -Optional additional annotations to add to the Job's ServiceAccount - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.serviceAccount.automountServiceAccountToken | -
-
- - -Automount API credentials for a Service Account. - - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.labels | -
-
- - -Optional additional labels to add to the startupapicheck's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| startupapicheck.volumes | -
-
- - -Additional volumes to add to the cert-manager controller pod. - - - - |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.volumeMounts | -
-
- - -Additional volume mounts to add to the cert-manager controller container. - - - - |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.enableServiceLinks | -
-
- - -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - - - |
-bool | -
-
-false
-
- |
-
-
{}
-
-- -Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - -
-- -For example: - -
- -
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
-{}
-
-- -Pod Security Context to be set on the webhook component Pod - -
- -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
-- -Container Security Context to be set on the webhook component container - -
- -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
-- -Enable or disable the PodDisruptionBudget resource - -
-
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
-Pod is currently running.
-
-
false
-
-
-
-Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
-Cannot be used if `maxUnavailable` is set.
-
-
undefined
-
-
-
-Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
-Cannot be used if `minAvailable` is set.
-
-
undefined
-
-- -Optional additional annotations to add to the webhook Deployment - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook Pods - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook Service - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook MutatingWebhookConfiguration - -
- - -undefined
-
-- -Optional additional annotations to add to the webhook ValidatingWebhookConfiguration - -
- - -undefined
-
-
-
-Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:
[]
-
-- -Comma separated list of feature gates that should be enabled on the webhook pod. - -
- -""
-
-- -Resources to provide to the cert-manager webhook pod - -
-- -For example: - -
- -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - -
- -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
-{}
-
-- -Liveness probe values - -
- -
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-- - - -
- - -failureThreshold: 3
-initialDelaySeconds: 60
-periodSeconds: 10
-successThreshold: 1
-timeoutSeconds: 1
-
-- -Readiness probe values - -
- -
-ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
-
-
-- - - -
- - -failureThreshold: 3
-initialDelaySeconds: 5
-periodSeconds: 5
-successThreshold: 1
-timeoutSeconds: 1
-
-- -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - -
-- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - -
- - -kubernetes.io/os: linux
-
-- -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - -
-- -For example: - -
- -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
-{}
-
-- -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - -
-- -For example: - -
- -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
-[]
-
-- -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - -
-- -For example: - -
- -
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
-[]
-
-- -Optional additional labels to add to the Webhook Pods - -
- -{}
-
-- -Optional additional labels to add to the Webhook Service - -
- -{}
-
-- -The container registry to pull the webhook image from - -
- - -undefined
-
-- -The container image for the cert-manager webhook - -
- - -quay.io/jetstack/cert-manager-controller
-
-- -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - -
- - -undefined
-
-- -Setting a digest will override any tag - -
- - -undefined
-
-- -Kubernetes imagePullPolicy on Deployment. - -
- -IfNotPresent
-
-- -Specifies whether a service account should be created - -
- -true
-
-
-
-The name of the service account to use.
-If not set and create is true, a name is generated using the fullname template
-
-
undefined
-
-- -Optional additional annotations to add to the controller's ServiceAccount - -
- - -undefined
-
-- -Optional additional labels to add to the webhook's ServiceAccount - -
- - -undefined
-
-- -Automount API credentials for a Service Account. - -
- -true
-
-- -Automounting API credentials for a particular pod - -
- - -undefined
-
-- -The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 - -
- -10250
-
-- -Specifies if the webhook should be started in hostNetwork mode. - -
-- -Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working - -
-- -Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. - -
- -false
-
-- -Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. - -
- -ClusterIP
-
-- -Specify the load balancer IP for the created service - -
- - -undefined
-
-- -Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. - -
- -{}
-
-- -Create network policies for the webhooks - -
- -false
-
-- -Ingress rule for the webhook network policy, by default will allow all inbound traffic - -
- - -- from:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- -Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports - -
- - -- ports:
- - port: 80
- protocol: TCP
- - port: 443
- protocol: TCP
- - port: 53
- protocol: TCP
- - port: 53
- protocol: UDP
- - port: 6443
- protocol: TCP
- to:
- - ipBlock:
- cidr: 0.0.0.0/0
-
-- -Additional volumes to add to the cert-manager controller pod. - -
- -[]
-
-- -Additional volume mounts to add to the cert-manager controller container. - -
- -[]
-
-- -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - -
- -false
-
-| Property | -Description | -Type | -Default | -
|---|---|---|---|
| cainjector.enabled | -
-
- - -Create the CA Injector deployment - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.replicaCount | -
-
- - -Number of replicas of the cert-manager cainjector to run. - - -- -The default is 1, but in production you should set this to 2 or 3 to provide high availability. - - -- -If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. - - -- -Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. - - - - |
-number | -
-
-1
-
- |
-
-
| cainjector.config | -
-
-
-
-Used to configure options for the cainjector pod. - -For example: - - - -
-apiVersion: cainjector.config.cert-manager.io/v1alpha1
-kind: CAInjectorConfiguration
-logging:
- verbosity: 2
- format: text
-leaderElectionConfig:
- namespace: kube-system
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.strategy | -
-
- - -Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy - - -- -For example: - - - -
-strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 0
- maxUnavailable: 1
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.securityContext | -
-
- - -Pod Security Context to be set on the cainjector component Pod - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| cainjector.containerSecurityContext | -
-
- - -Container Security Context to be set on the cainjector component container - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| cainjector.podDisruptionBudget.enabled | -
-
- - -Enable or disable the PodDisruptionBudget resource - - -
-
-This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager |
-bool | -
-
-false
-
- |
-
-
| cainjector.podDisruptionBudget.minAvailable | -
-
-
-
-Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). |
-number | -
-
-undefined
-
- |
-
-
| cainjector.podDisruptionBudget.maxUnavailable | -
-
-
-
-Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). |
-number | -
-
-undefined
-
- |
-
-
| cainjector.deploymentAnnotations | -
-
- - -Optional additional annotations to add to the cainjector Deployment - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.podAnnotations | -
-
- - -Optional additional annotations to add to the cainjector Pods - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.extraArgs | -
-
-
-
-Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
-array | -
-
-[]
-
- |
-
-
| cainjector.featureGates | -
-
- - -Comma separated list of feature gates that should be enabled on the cainjector pod. - - - - |
-string | -
-
-""
-
- |
-
-
| cainjector.resources | -
-
- - -Resources to provide to the cert-manager cainjector pod - - -- -For example: - - - -
-requests:
- cpu: 10m
- memory: 32Mi
-
-
-- - - - - -
-ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.nodeSelector | -
-
- - -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - -- -This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - - - |
-object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| cainjector.affinity | -
-
- - -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - - -- -For example: - - - -
-affinity:
- nodeAffinity:
- requiredDuringSchedulingIgnoredDuringExecution:
- nodeSelectorTerms:
- - matchExpressions:
- - key: foo.bar.com/role
- operator: In
- values:
- - master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| cainjector.tolerations | -
-
- - -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - - -- -For example: - - - -
-tolerations:
-- key: foo.bar.com/role
- operator: Equal
- value: master
- effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.topologySpreadConstraints | -
-
- - -A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core - - -- -For example: - - - -
-topologySpreadConstraints:
-- maxSkew: 2
- topologyKey: topology.kubernetes.io/zone
- whenUnsatisfiable: ScheduleAnyway
- labelSelector:
- matchLabels:
- app.kubernetes.io/instance: cert-manager
- app.kubernetes.io/component: controller
-
-
- |
-array | -
-
-[]
-
- |
-
-
| cainjector.podLabels | -
-
- - -Optional additional labels to add to the CA Injector Pods - - - - |
-object | -
-
-{}
-
- |
-
-
| cainjector.image.registry | -
-
- - -The container registry to pull the cainjector image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.repository | -
-
- - -The container image for the cert-manager cainjector - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-controller
-
- |
-
-
| cainjector.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| cainjector.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
| cainjector.serviceAccount.create | -
-
- - -Specifies whether a service account should be created - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.serviceAccount.name | -
-
-
-
-The name of the service account to use. |
-string | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.annotations | -
-
- - -Optional additional annotations to add to the controller's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.labels | -
-
- - -Optional additional labels to add to the cainjector's ServiceAccount - - - - - |
-object | -
-
-undefined
-
- |
-
-
| cainjector.serviceAccount.automountServiceAccountToken | -
-
- - -Automount API credentials for a Service Account. - - - - |
-bool | -
-
-true
-
- |
-
-
| cainjector.automountServiceAccountToken | -
-
- - -Automounting API credentials for a particular pod - - - - - |
-bool | -
-
-undefined
-
- |
-
-
| cainjector.volumes | -
-
- - -Additional volumes to add to the cert-manager controller pod. - - - - |
-array | -
-
-[]
-
- |
-
-
| cainjector.volumeMounts | -
-
- - -Additional volume mounts to add to the cert-manager controller container. - - - - |
-array | -
-
-[]
-
- |
-
-
| cainjector.enableServiceLinks | -
-
- - -enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - - - |
-bool | -
-
-false
-
- |
-
-
| Property | -Description | -Type | -Default | -
|---|---|---|---|
| acmesolver.image.registry | -
-
- - -The container registry to pull the acmesolver image from - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.repository | -
-
- - -The container image for the cert-manager acmesolver - - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-acmesolver
-
- |
-
-
| acmesolver.image.tag | -
-
- - -Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.digest | -
-
- - -Setting a digest will override any tag - - - - - |
-string | -
-
-undefined
-
- |
-
-
| acmesolver.image.pullPolicy | -
-
- - -Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
- -This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. - -
- -| Property | -Description | -Type | -Default | -
|---|---|---|---|
| startupapicheck.enabled | -
-
- - -Enables the startup api check - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.securityContext | -
-
- - -Pod Security Context to be set on the startupapicheck component Pod - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-runAsNonRoot: true
-seccompProfile:
- type: RuntimeDefault
-
- |
-
-
| startupapicheck.containerSecurityContext | -
-
- - -Container Security Context to be set on the controller component container - - - -
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
-
-
- |
-object | -
-
-allowPrivilegeEscalation: false
-capabilities:
- drop:
- - ALL
-readOnlyRootFilesystem: true
-
- |
-
-
| startupapicheck.timeout | -
-
- - -Timeout for 'kubectl check api' command - - - - |
-string | -
-
-1m
-
- |
-
-
| startupapicheck.backoffLimit | -
-
- - -Job backoffLimit - - - - |
-number | -
-
-4
-
- |
-
-
| startupapicheck.jobAnnotations | -
-
- - -Optional additional annotations to add to the startupapicheck Job - - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "1"
-
- |
-
-
| startupapicheck.extraArgs[0] | -- - | -string | -
-
--v
-
- |
-
-
| startupapicheck.resources | -
-
- - -Resources to provide to the cert-manager controller pod - - -- +Resources to provide to the cert-manager controller pod + For example: - - -
+```yaml
requests:
cpu: 10m
memory: 32Mi
-
-
-- - - - +``` -
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.nodeSelector | -
-
- - -The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ - - -+#### **startupapicheck.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - - - |
-object | -
-
-kubernetes.io/os: linux
-
- |
-
-
| startupapicheck.affinity | -
-
- - -A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core - - -+#### **startupapicheck.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + For example: - - -
+```yaml
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
@@ -17640,384 +1567,125 @@ affinity:
operator: In
values:
- master
-
-
- |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.tolerations | -
-
- - -A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core - - -+``` +#### **startupapicheck.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + For example: - - -
+```yaml
tolerations:
- key: foo.bar.com/role
operator: Equal
value: master
effect: NoSchedule
-
-
- |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.podLabels | -
-
- +``` +#### **startupapicheck.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` Optional additional labels to add to the startupapicheck Pods - - - - |
-object | -
-
-{}
-
- |
-
-
| startupapicheck.image.registry | -
-
- +#### **startupapicheck.image.registry** ~ `string` The container registry to pull the startupapicheck image from - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.repository | -
-
- +#### **startupapicheck.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-startupapicheck +> ``` The container image for the cert-manager startupapicheck - - - - |
-string | -
-
-quay.io/jetstack/cert-manager-startupapicheck
-
- |
-
-
| startupapicheck.image.tag | -
-
- +#### **startupapicheck.image.tag** ~ `string` Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.digest | -
-
- +#### **startupapicheck.image.digest** ~ `string` Setting a digest will override any tag - - - - |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.image.pullPolicy | -
-
- +#### **startupapicheck.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` Kubernetes imagePullPolicy on Deployment. - - - - |
-string | -
-
-IfNotPresent
-
- |
-
-
| startupapicheck.rbac.annotations | -
-
- +#### **startupapicheck.rbac.annotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "-5" +> ``` annotations for the startup API Check job RBAC and PSP resources - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.automountServiceAccountToken | -
-
- +#### **startupapicheck.automountServiceAccountToken** ~ `bool` Automounting API credentials for a particular pod - - - - |
-bool | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.create | -
-
- +#### **startupapicheck.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Specifies whether a service account should be created +#### **startupapicheck.serviceAccount.name** ~ `string` - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.name | -
-
-
-
-The name of the service account to use. |
-string | -
-
-undefined
-
- |
-
-
| startupapicheck.serviceAccount.annotations | -
-
- +#### **startupapicheck.serviceAccount.annotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "-5" +> ``` Optional additional annotations to add to the Job's ServiceAccount - - - - |
-object | -
-
-helm.sh/hook: post-install
-helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
-helm.sh/hook-weight: "-5"
-
- |
-
-
| startupapicheck.serviceAccount.automountServiceAccountToken | -
-
- +#### **startupapicheck.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` Automount API credentials for a Service Account. - - - - |
-bool | -
-
-true
-
- |
-
-
| startupapicheck.serviceAccount.labels | -
-
- +#### **startupapicheck.serviceAccount.labels** ~ `object` Optional additional labels to add to the startupapicheck's ServiceAccount - - - - |
-object | -
-
-undefined
-
- |
-
-
| startupapicheck.volumes | -
-
- +#### **startupapicheck.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` Additional volumes to add to the cert-manager controller pod. - - - - |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.volumeMounts | -
-
- +#### **startupapicheck.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` Additional volume mounts to add to the cert-manager controller container. - - - - |
-array | -
-
-[]
-
- |
-
-
| startupapicheck.enableServiceLinks | -
-
- +#### **startupapicheck.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. - - - |
-bool | -
-
-false
-
- |
-
-