From e0c66d478a3db6637f8cbc5030508f7d3659ed1c Mon Sep 17 00:00:00 2001
From: Adam Talbot
Date: Fri, 12 Jan 2024 15:16:13 +0000
Subject: [PATCH] feat: add vertical table layout

Signed-off-by: Adam Talbot
---
examples/cert-manager/README.md | 15315 ++++++++++++++++++++++++++--
examples/cert-manager/values.yaml | 660 +-
go.mod | 12 +-
go.sum | 21 +-
main.go | 8 +-
render/markdown-table | 31 +-
render/markdown-table-vertical | 57 +
render/render.go | 5 +-
8 files changed, 15214 insertions(+), 895 deletions(-)
create mode 100644 render/markdown-table-vertical
diff --git a/examples/cert-manager/README.md b/examples/cert-manager/README.md
index 253f955..cca5abb 100644
--- a/examples/cert-manager/README.md
+++ b/examples/cert-manager/README.md
@@ -13,251 +13,256 @@ Default - global.imagePullSecrets -

- Reference to one or more secrets to be used when pulling images -

- -
+```yaml
 ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
-
+``` + +For example: + +```yaml +imagePullSecrets: + - name: "image-pull-secret" +``` array -
[]
+```yaml +[] +``` - - global.commonLabels -

- -Labels to apply to all resources
-Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: - -

-

- -eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress - -

+Labels to apply to all resources +Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress -
+```yaml
 ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
-
- -

+``` eg. secretTemplate in CertificateSpec -

- -
+```yaml
 ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
-
+``` object -
{}
+```yaml +{} +``` - +global.revisionHistoryLimit + -global.priorityClassName +The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + + + +number -

+```yaml +undefined +``` -Optional priority class to be used for the cert-manager pods + + + +global.priorityClassName + -

+Optional priority class to be used for the cert-manager pods string -
""
+```yaml +"" +``` - - global.rbac.create -

+Create required ClusterRoles and ClusterRoleBindings for cert-manager -Create RBAC rules + +bool + -

+```yaml +true +``` -bool + + +global.rbac.aggregateClusterRoles -
true
+Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +bool + + +```yaml +true +``` + +global.podSecurityPolicy.enabled + -global.rbac.aggregateClusterRoles +Create PodSecurityPolicy for cert-manager + +NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 + + +bool -

+```yaml +false +``` -Aggregate ClusterRoles to Kubernetes default user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + + + +global.podSecurityPolicy.useAppArmor + -

+Configure the PodSecurityPolicy to use AppArmor bool -
true
+```yaml +true +``` - - global.logLevel -

- Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. -

- number -
2
+```yaml +2 +``` - - global.leaderElection.namespace -

- Override the namespace used for the leader election lease -

- string -
kube-system
+```yaml +kube-system +``` - - global.leaderElection.leaseDuration -

- The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. -

- string -
undefined
+```yaml +undefined +``` - - global.leaderElection.renewDeadline -

- The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. -

- string -
undefined
+```yaml +undefined +``` - - global.leaderElection.retryPeriod -

- The duration the clients should wait between attempting acquisition and renewal of a leadership. -

- string -
undefined
+```yaml +undefined +``` - - installCRDs -

- -Install the CRDs - -

+Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs bool -
false
+```yaml +false +``` - @@ -272,388 +277,13228 @@ Install the CRDs Default - replicaCount -

- -Number of replicas to run of the cert-manager controller - -

+Number of replicas of the cert-manager controller to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting podDisruptionBudget.enabled=true. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. number -
1
+```yaml +1 +``` - - strategy -

- -Update strategy to use, for example: - -

+Deployment update strategy for the cert-manager controller deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: -
-type: RollingUpdate
-rollingUpdate:
-  maxSurge: 0
-  maxUnavailable: 1
-
+```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` object -
{}
+```yaml +{} +``` - +podDisruptionBudget.enabled + -podDisruptionBudget.minAvailable +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + + +bool +```yaml +false +``` -

+ + + +podDisruptionBudget.minAvailable + -minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. -

number -
undefined
+```yaml +undefined +``` - - podDisruptionBudget.maxUnavailable +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. -

- -maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) - -

number -
undefined
+```yaml +undefined +``` - - featureGates -

- Comma separated list of feature gates that should be enabled on the controller pod. -

- string -
""
+```yaml +"" +``` - - maxConcurrentChallenges -

- The maximum number of challenges that can be scheduled as 'processing' at once -

- number -
60
+```yaml +60 +``` - - image.registry -

- -Registry to pull the image from - -

+The container registry to pull the manager image from string -
undefined
+```yaml +undefined +``` - - image.repository -

- -Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property +The container image for the cert-manager controller -

string -
quay.io/jetstack/cert-manager-controller
+```yaml +quay.io/jetstack/cert-manager-controller +``` - - image.tag -

- Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. -

- string -
undefined
+```yaml +undefined +``` - - image.digest -

- Setting a digest will override any tag -

- string -
undefined
+```yaml +undefined +``` - - image.pullPolicy -

- -Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy - -

+Kubernetes imagePullPolicy on Deployment. string -
IfNotPresent
+```yaml +IfNotPresent +``` - - clusterResourceNamespace -

- Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. -

- string -
""
+```yaml +"" +``` - - namespace -

- This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart) -

- string -
""
+```yaml +"" +``` - - serviceAccount.create -

- Specifies whether a service account should be created -

- bool -
true
+```yaml +true +``` - - serviceAccount.name -

- -The name of the service account to use.
+The name of the service account to use. If not set and create is true, a name is generated using the fullname template -

- string -
undefined
+```yaml +undefined +``` - - serviceAccount.annotations -

- Optional additional annotations to add to the controller's ServiceAccount -

- object -
undefined
+```yaml +undefined +``` - - serviceAccount.labels -

- -Automount API credentials for a Service Account.
Optional additional labels to add to the controller's ServiceAccount -

- object -
undefined
+```yaml +undefined +``` - - serviceAccount.automountServiceAccountToken -

- -Service account token wil be automatically mounted in Pods - -

+Automount API credentials for a Service Account. bool -
true
+```yaml +true +``` - - -automountServiceAccountToken +enableCertificateOwnerRef -

+When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + + +bool + + +```yaml +false +``` + + + + +config + + +Used to configure options for the controller pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +config: + apiVersion: controller.config.cert-manager.io/v1alpha1 + kind: ControllerConfiguration + logging: + verbosity: 2 + format: text + leaderElectionConfig: + namespace: kube-system + kubernetesAPIQPS: 9000 + kubernetesAPIBurst: 9000 + numberOfConcurrentWorkers: 200 + featureGates: + AdditionalCertificateOutputFormats: true + DisallowInsecureCSRUsageDefinition: true + ExperimentalCertificateSigningRequestControllers: true + ExperimentalGatewayAPISupport: true + LiteralCertificateSubject: true + SecretsFilteredCaching: true + ServerSideApply: true + StableCertificateRequestName: true + UseCertificateRequestBasicConstraints: true + ValidateCAA: true + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics + - cert-manager-metrics.cert-manager + - cert-manager-metrics.cert-manager.svc +``` + + +object + + +```yaml +{} +``` + + + + +dns01RecursiveNameservers + + +Comma separated string with host and port of the recursive nameservers cert-manager should query + + +string + + +```yaml +"" +``` + + + + +dns01RecursiveNameserversOnly + + +Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers + + +bool + + +```yaml +false +``` + + + + +extraArgs + + +Additional command line flags to pass to cert-manager controller binary. 
To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help + +Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver + +For example: + +```yaml +extraArgs: + - --controllers=*,-certificaterequests-approver +``` + + +array + + +```yaml +[] +``` + + + + +extraEnv + + +Additional environment variables to pass to cert-manager controller binary. + + +array + + +```yaml +[] +``` + + + + +resources + + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + + +object + + +```yaml +{} +``` + + + + +securityContext + + +Pod Security Context + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + + +object + + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + + + + +containerSecurityContext + + +Container Security Context to be set on the controller component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + + +object + + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + + + + +volumes + + +Additional volumes to add to the cert-manager controller pod. + + +array + + +```yaml +[] +``` + + + + +volumeMounts + + +Additional volume mounts to add to the cert-manager controller container. 
+ + +array + + +```yaml +[] +``` + + + + +deploymentAnnotations + + +Optional additional annotations to add to the controller Deployment + + + +object + + +```yaml +undefined +``` + + + + +podAnnotations + + +Optional additional annotations to add to the controller Pods + + + +object + + +```yaml +undefined +``` + + + + +podLabels + + +Optional additional labels to add to the controller Pods + + +object + + +```yaml +{} +``` + + + + +serviceAnnotations + + +Optional annotations to add to the controller Service + + + +object + + +```yaml +undefined +``` + + + + +serviceLabels + + +Optional additional labels to add to the controller Service + + + +object + + +```yaml +undefined +``` + + + + +podDnsPolicy + + +Pod DNS policy + +```yaml +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +``` + + + +string + + +```yaml +undefined +``` + + + + +podDnsConfig + + +Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. + +```yaml +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +``` + + + +object + + +```yaml +undefined +``` + + + + +nodeSelector + + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ + + +object + + +```yaml +kubernetes.io/os: linux +``` + + + + +ingressShim.defaultIssuerName + + +Optional default issuer to use for ingress resources + + + +string + + +```yaml +undefined +``` + + + + +ingressShim.defaultIssuerKind + + +Optional default issuer kind to use for ingress resources + + + +string + + +```yaml +undefined +``` + + + + +ingressShim.defaultIssuerGroup + + +Optional default issuer group to use for ingress resources + + + +string + + +```yaml +undefined +``` + + + + +affinity + + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + + +object + + +```yaml +{} +``` + + + + +tolerations + + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + + +array + + +```yaml +[] +``` + + + + +topologySpreadConstraints + + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + + +array + + +```yaml +[] +``` + + + + +livenessProbe + + +LivenessProbe settings for the controller container of the controller Pod. + +Enabled by default, because we want to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. 
LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. See: https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + + + +object + + +```yaml +enabled: true +failureThreshold: 8 +initialDelaySeconds: 10 +periodSeconds: 10 +successThreshold: 1 +timeoutSeconds: 15 +``` + + + + +enableServiceLinks + + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + +bool + + +```yaml +false +``` + + + + +prometheus.enabled + + +Enable prometheus monitoring for the cert-manager controller, to use with. Prometheus Operator either `prometheus.servicemonitor.enabled` or +`prometheus.podmonitor.enabled` can be used to create a ServiceMonitor/PodMonitor +resource + + +bool + + +```yaml +true +``` + + + + +prometheus.servicemonitor.enabled + + +Create a ServiceMonitor to add cert-manager to Prometheus + + +bool + + +```yaml +false +``` + + + + +prometheus.servicemonitor.prometheusInstance + + +Specifies the `prometheus` label on the created ServiceMonitor, this is used when different Prometheus instances have label selectors matching different ServiceMonitors. 
+ + +string + + +```yaml +default +``` + + + + +prometheus.servicemonitor.targetPort + + +The target port to set on the ServiceMonitor, should match the port that cert-manager controller is listening on for metrics + + +number + + +```yaml +9402 +``` + + + + +prometheus.servicemonitor.path + + +The path to scrape for metrics + + +string + + +```yaml +/metrics +``` + + + + +prometheus.servicemonitor.interval + + +The interval to scrape metrics + + +string + + +```yaml +60s +``` + + + + +prometheus.servicemonitor.scrapeTimeout + + +The timeout before a metrics scrape fails + + +string + + +```yaml +30s +``` + + + + +prometheus.servicemonitor.labels + + +Additional labels to add to the ServiceMonitor + + +object + + +```yaml +{} +``` + + + + +prometheus.servicemonitor.annotations + + +Additional annotations to add to the ServiceMonitor + + +object + + +```yaml +{} +``` + + + + +prometheus.servicemonitor.honorLabels + + +Keep labels from scraped data, overriding server-side labels. + + +bool + + +```yaml +false +``` + + + + +prometheus.servicemonitor.endpointAdditionalProperties + + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. + +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + + + +object + + +```yaml +{} +``` + + + + +prometheus.podmonitor.enabled + + +Create a PodMonitor to add cert-manager to Prometheus + + +bool + + +```yaml +false +``` + + + + +prometheus.podmonitor.prometheusInstance + + +Specifies the `prometheus` label on the created PodMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor. 
+ + +string + + +```yaml +default +``` + + + + +prometheus.podmonitor.path + + +The path to scrape for metrics + + +string + + +```yaml +/metrics +``` + + + + +prometheus.podmonitor.interval + + +The interval to scrape metrics + + +string + + +```yaml +60s +``` + + + + +prometheus.podmonitor.scrapeTimeout + + +The timeout before a metrics scrape fails + + +string + + +```yaml +30s +``` + + + + +prometheus.podmonitor.labels + + +Additional labels to add to the PodMonitor + + +object + + +```yaml +{} +``` + + + + +prometheus.podmonitor.annotations + + +Additional annotations to add to the PodMonitor + + +object + + +```yaml +{} +``` + + + + +prometheus.podmonitor.honorLabels + + +Keep labels from scraped data, overriding server-side labels. + + +bool + + +```yaml +false +``` + + + + +prometheus.podmonitor.endpointAdditionalProperties + + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. + +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + + + +object + + +```yaml +{} +``` + + + + + +### Webhook + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
webhook.replicaCount + +Number of replicas of the cert-manager webhook to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting webhook.podDisruptionBudget.enabled=true. + +number + +```yaml +1 +``` + +
webhook.timeoutSeconds + +Seconds the API server should wait for the webhook to respond before treating the call as a failure. +Value must be between 1 and 30 seconds. See: +https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ + +We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. + +number + +```yaml +30 +``` + +
webhook.config + +Used to configure options for the webhook pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: webhook.config.cert-manager.io/v1alpha1 +kind: WebhookConfiguration +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 +``` + +object + +```yaml +{} +``` + +
webhook.strategy + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + +object + +```yaml +{} +``` + +
webhook.securityContext + +Pod Security Context to be set on the webhook component Pod + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
webhook.containerSecurityContext + +Container Security Context to be set on the webhook component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
webhook.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +```yaml +false +``` + +
webhook.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +```yaml +undefined +``` + +
webhook.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +```yaml +undefined +``` + +
webhook.deploymentAnnotations + +Optional additional annotations to add to the webhook Deployment + + +object + +```yaml +undefined +``` + +
webhook.podAnnotations + +Optional additional annotations to add to the webhook Pods + + +object + +```yaml +undefined +``` + +
webhook.serviceAnnotations + +Optional additional annotations to add to the webhook Service + + +object + +```yaml +undefined +``` + +
webhook.mutatingWebhookConfigurationAnnotations + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + + +object + +```yaml +undefined +``` + +
webhook.validatingWebhookConfigurationAnnotations + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + + +object + +```yaml +undefined +``` + +
webhook.extraArgs + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + +array + +```yaml +[] +``` + +
webhook.featureGates + +Comma separated list of feature gates that should be enabled on the webhook pod. + +string + +```yaml +"" +``` + +
webhook.resources + +Resources to provide to the cert-manager webhook pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + +object + +```yaml +{} +``` + +
webhook.livenessProbe + +Liveness probe values + +```yaml +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +``` + + + + +object + +```yaml +failureThreshold: 3 +initialDelaySeconds: 60 +periodSeconds: 10 +successThreshold: 1 +timeoutSeconds: 1 +``` + +
webhook.readinessProbe + +Readiness probe values + +```yaml +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +``` + + + + +object + +```yaml +failureThreshold: 3 +initialDelaySeconds: 5 +periodSeconds: 5 +successThreshold: 1 +timeoutSeconds: 1 +``` + +
webhook.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
webhook.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
webhook.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
webhook.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + +array + +```yaml +[] +``` + +
webhook.podLabels + +Optional additional labels to add to the Webhook Pods + +object + +```yaml +{} +``` + +
webhook.serviceLabels + +Optional additional labels to add to the Webhook Service + +object + +```yaml +{} +``` + +
webhook.image.registry + +The container registry to pull the webhook image from + + +string + +```yaml +undefined +``` + +
webhook.image.repository + +The container image for the cert-manager webhook + + +string + +```yaml +quay.io/jetstack/cert-manager-webhook +``` + +
webhook.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml +undefined +``` + +
webhook.image.digest + +Setting a digest will override any tag + + +string + +```yaml +undefined +``` + +
webhook.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
webhook.serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
webhook.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml +undefined +``` + +
webhook.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +```yaml +undefined +``` + +
webhook.serviceAccount.labels + +Optional additional labels to add to the webhook's ServiceAccount + + +object + +```yaml +undefined +``` + +
webhook.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +```yaml +true +``` + +
webhook.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml +undefined +``` + +
webhook.securePort + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + +number + +```yaml +10250 +``` + +
webhook.hostNetwork + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + +bool + +```yaml +false +``` + +
webhook.serviceType + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + +string + +```yaml +ClusterIP +``` + +
webhook.loadBalancerIP + +Specify the load balancer IP for the created service + + +string + +```yaml +undefined +``` + +
webhook.url + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + +object + +```yaml +{} +``` + +
webhook.networkPolicy.enabled + +Create network policies for the webhooks + +bool + +```yaml +false +``` + +
webhook.networkPolicy.ingress + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + + +array + +```yaml +- from: + - ipBlock: + cidr: 0.0.0.0/0 +``` + +
webhook.networkPolicy.egress + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + + +array + +```yaml +- ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + - port: 6443 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 +``` + +
webhook.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
webhook.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
webhook.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
cainjector.enabled + +Create the CA Injector deployment + +bool + +```yaml +true +``` + +
cainjector.replicaCount + +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +number + +```yaml +1 +``` + +
cainjector.config + +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: cainjector.config.cert-manager.io/v1alpha1 +kind: CAInjectorConfiguration +logging: + verbosity: 2 + format: text +leaderElectionConfig: + namespace: kube-system +``` + +object + +```yaml +{} +``` + +
cainjector.strategy + +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + +object + +```yaml +{} +``` + +
cainjector.securityContext + +Pod Security Context to be set on the cainjector component Pod + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
cainjector.containerSecurityContext + +Container Security Context to be set on the cainjector component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
cainjector.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +```yaml +false +``` + +
cainjector.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +```yaml +undefined +``` + +
cainjector.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +```yaml +undefined +``` + +
cainjector.deploymentAnnotations + +Optional additional annotations to add to the cainjector Deployment + + +object + +```yaml +undefined +``` + +
cainjector.podAnnotations + +Optional additional annotations to add to the cainjector Pods + + +object + +```yaml +undefined +``` + +
cainjector.extraArgs + +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +array + +```yaml +[] +``` + +
cainjector.featureGates + +Comma separated list of feature gates that should be enabled on the cainjector pod. + +string + +```yaml +"" +``` + +
cainjector.resources + +Resources to provide to the cert-manager cainjector pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + +object + +```yaml +{} +``` + +
cainjector.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
cainjector.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
cainjector.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
cainjector.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + +array + +```yaml +[] +``` + +
cainjector.podLabels + +Optional additional labels to add to the CA Injector Pods + +object + +```yaml +{} +``` + +
cainjector.image.registry + +The container registry to pull the cainjector image from + + +string + +```yaml +undefined +``` + +
cainjector.image.repository + +The container image for the cert-manager cainjector + + +string + +```yaml +quay.io/jetstack/cert-manager-controller +``` + +
cainjector.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml +undefined +``` + +
cainjector.image.digest + +Setting a digest will override any tag + + +string + +```yaml +undefined +``` + +
cainjector.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
cainjector.serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
cainjector.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml +undefined +``` + +
cainjector.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +```yaml +undefined +``` + +
cainjector.serviceAccount.labels + +Optional additional labels to add to the cainjector's ServiceAccount + + +object + +```yaml +undefined +``` + +
cainjector.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +```yaml +true +``` + +
cainjector.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml +undefined +``` + +
cainjector.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
cainjector.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
cainjector.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ +### ACME Solver + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
acmesolver.image.registry + +The container registry to pull the acmesolver image from + + +string + +```yaml +undefined +``` + +
acmesolver.image.repository + +The container image for the cert-manager acmesolver + + +string + +```yaml +quay.io/jetstack/cert-manager-acmesolver +``` + +
acmesolver.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml +undefined +``` + +
acmesolver.image.digest + +Setting a digest will override any tag + + +string + +```yaml +undefined +``` + +
acmesolver.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
+ +### Startup API Check + + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
startupapicheck.enabled + +Enables the startup api check + +bool + +```yaml +true +``` + +
startupapicheck.securityContext + +Pod Security Context to be set on the startupapicheck component Pod + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +
startupapicheck.containerSecurityContext + +Container Security Context to be set on the controller component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +readOnlyRootFilesystem: true +``` + +
startupapicheck.timeout + +Timeout for 'kubectl check api' command + +string + +```yaml +1m +``` + +
startupapicheck.backoffLimit + +Job backoffLimit + +number + +```yaml +4 +``` + +
startupapicheck.jobAnnotations + +Optional additional annotations to add to the startupapicheck Job + + +object + +```yaml +helm.sh/hook: post-install +helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +helm.sh/hook-weight: "1" +``` + +
startupapicheck.extraArgs[0] + +string + +```yaml +-v +``` + +
startupapicheck.resources + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + +object + +```yaml +{} +``` + +
startupapicheck.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +```yaml +kubernetes.io/os: linux +``` + +
startupapicheck.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +```yaml +{} +``` + +
startupapicheck.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +```yaml +[] +``` + +
startupapicheck.podLabels + +Optional additional labels to add to the startupapicheck Pods + +object + +```yaml +{} +``` + +
startupapicheck.image.registry + +The container registry to pull the startupapicheck image from + + +string + +```yaml +undefined +``` + +
startupapicheck.image.repository + +The container image for the cert-manager startupapicheck + + +string + +```yaml +quay.io/jetstack/cert-manager-startupapicheck +``` + +
startupapicheck.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +```yaml +undefined +``` + +
startupapicheck.image.digest + +Setting a digest will override any tag + + +string + +```yaml +undefined +``` + +
startupapicheck.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +```yaml +IfNotPresent +``` + +
startupapicheck.rbac.annotations + +annotations for the startup API Check job RBAC and PSP resources + + +object + +```yaml +helm.sh/hook: post-install +helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +helm.sh/hook-weight: "-5" +``` + +
startupapicheck.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +```yaml +undefined +``` + +
startupapicheck.serviceAccount.create + +Specifies whether a service account should be created + +bool + +```yaml +true +``` + +
startupapicheck.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +```yaml +undefined +``` + +
startupapicheck.serviceAccount.annotations + +Optional additional annotations to add to the Job's ServiceAccount + + +object + +```yaml +helm.sh/hook: post-install +helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +helm.sh/hook-weight: "-5" +``` + +
startupapicheck.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + + +bool + +```yaml +true +``` + +
startupapicheck.serviceAccount.labels + +Optional additional labels to add to the startupapicheck's ServiceAccount + + +object + +```yaml +undefined +``` + +
startupapicheck.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +```yaml +[] +``` + +
startupapicheck.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +```yaml +[] +``` + +
startupapicheck.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +```yaml +false +``` + +
+ +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 +``` + + +object + + +

{}
+ + + + + + +webhook.strategy + + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + + +object + + +
{}
+ + + + + + +webhook.securityContext + + +Pod Security Context to be set on the webhook component Pod + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + + +object + + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ + + + + + +webhook.containerSecurityContext + + +Container Security Context to be set on the webhook component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + + +object + + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ + + + + + +webhook.podDisruptionBudget.enabled + + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + + +bool + + +
false
+ + + + + + +webhook.podDisruptionBudget.minAvailable + + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + + +number + + +
undefined
+ + + + + + +webhook.podDisruptionBudget.maxUnavailable + + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + + +number + + +
undefined
+ + + + + + +webhook.deploymentAnnotations + + +Optional additional annotations to add to the webhook Deployment + + + +object + + +
undefined
+ + + + + + +webhook.podAnnotations + + +Optional additional annotations to add to the webhook Pods + + + +object + + +
undefined
+ + + + + + +webhook.serviceAnnotations + + +Optional additional annotations to add to the webhook Service + + + +object + + +
undefined
+ + + + + + +webhook.mutatingWebhookConfigurationAnnotations + + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + + + +object + + +
undefined
+ + + + + + +webhook.validatingWebhookConfigurationAnnotations + + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + + + +object + + +
undefined
+ + + + + + +webhook.extraArgs + + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + + +array + + +
[]
+ + + + + + +webhook.featureGates + + +Comma separated list of feature gates that should be enabled on the webhook pod. + + +string + + +
""
+ + + + + + +webhook.resources + + +Resources to provide to the cert-manager webhook pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + + +object + + +
{}
+ + + + + + +webhook.livenessProbe + + +Liveness probe values + +```yaml +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +``` + + + + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.readinessProbe + + +Readiness probe values + +```yaml +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes +``` + + + + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.nodeSelector + + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + + +object + + +
kubernetes.io/os: linux
+ + + + + + +webhook.affinity + + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + + +object + + +
{}
+ + + + + + +webhook.tolerations + + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + + +array + + +
[]
+ + + + + + +webhook.topologySpreadConstraints + + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + + +array + + +
[]
+ + + + + + +webhook.podLabels + + +Optional additional labels to add to the Webhook Pods + + +object + + +
{}
+ + + + + + +webhook.serviceLabels + + +Optional additional labels to add to the Webhook Service + + +object + + +
{}
+ + + + + + +webhook.image.registry + + +The container registry to pull the webhook image from + + + +string + + +
undefined
+ + + + + + +webhook.image.repository + + +The container image for the cert-manager webhook + + + +string + + +
quay.io/jetstack/cert-manager-webhook
+ + + + + + +webhook.image.tag + + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + +string + + +
undefined
+ + + + + + +webhook.image.digest + + +Setting a digest will override any tag + + + +string + + +
undefined
+ + + + + + +webhook.image.pullPolicy + + +Kubernetes imagePullPolicy on Deployment. + + +string + + +
IfNotPresent
+ + + + + + +webhook.serviceAccount.create + + +Specifies whether a service account should be created + + +bool + + +
true
+ + + + + + +webhook.serviceAccount.name + + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + + +string + + +
undefined
+ + + + + + +webhook.serviceAccount.annotations + + +Optional additional annotations to add to the controller's ServiceAccount + + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.labels + + +Optional additional labels to add to the webhook's ServiceAccount + + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.automountServiceAccountToken + + +Automount API credentials for a Service Account. + + +bool + + +
true
+ + + + + + +webhook.automountServiceAccountToken + + +Automounting API credentials for a particular pod + + + +bool + + +
undefined
+ + + + + + +webhook.securePort + + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + + +number + + +
10250
+ + + + + + +webhook.hostNetwork + + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + + +bool + + +
false
+ + + + + + +webhook.serviceType + + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + + +string + + +
ClusterIP
+ + + + + + +webhook.loadBalancerIP + + +Specify the load balancer IP for the created service + + + +string + + +
undefined
+ + + + + + +webhook.url + + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + + +object + + +
{}
+ + + + + + +webhook.networkPolicy.enabled + + +Create network policies for the webhooks + + +bool + + +
false
+ + + + + + +webhook.networkPolicy.ingress + + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + + + +array + + +
- from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.networkPolicy.egress + + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + + + +array + + +
- ports:
+    - port: 80
+      protocol: TCP
+    - port: 443
+      protocol: TCP
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+    - port: 6443
+      protocol: TCP
+  to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.volumes + + +Additional volumes to add to the cert-manager controller pod. + + +array + + +
[]
+ + + + + + +webhook.volumeMounts + + +Additional volume mounts to add to the cert-manager controller container. + + +array + + +
[]
+ + + + + + +webhook.enableServiceLinks + + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + +bool + + +
false
+ + + + + + +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
cainjector.enabled + +Create the CA Injector deployment + +bool + +
true
+ +
cainjector.replicaCount + +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +number + +
1
+ +
cainjector.config + +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: cainjector.config.cert-manager.io/v1alpha1 +kind: CAInjectorConfiguration +logging: + verbosity: 2 + format: text +leaderElectionConfig: + namespace: kube-system +``` + +object + +
{}
+ +
cainjector.strategy + +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` + +object + +
{}
+ +
cainjector.securityContext + +Pod Security Context to be set on the cainjector component Pod + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
cainjector.containerSecurityContext + +Container Security Context to be set on the cainjector component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
cainjector.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +
false
+ +
cainjector.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +
undefined
+ +
cainjector.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +
undefined
+ +
cainjector.deploymentAnnotations + +Optional additional annotations to add to the cainjector Deployment + + +object + +
undefined
+ +
cainjector.podAnnotations + +Optional additional annotations to add to the cainjector Pods + + +object + +
undefined
+ +
cainjector.extraArgs + +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +array + +
[]
+ +
cainjector.featureGates + +Comma separated list of feature gates that should be enabled on the cainjector pod. + +string + +
""
+ +
cainjector.resources + +Resources to provide to the cert-manager cainjector pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + +object + +
{}
+ +
cainjector.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +
kubernetes.io/os: linux
+ +
cainjector.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +
{}
+ +
cainjector.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +
[]
+ +
cainjector.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` + +array + +
[]
+ +
cainjector.podLabels + +Optional additional labels to add to the CA Injector Pods + +object + +
{}
+ +
cainjector.image.registry + +The container registry to pull the cainjector image from + + +string + +
undefined
+ +
cainjector.image.repository + +The container image for the cert-manager cainjector + + +string + +
quay.io/jetstack/cert-manager-controller
+ +
cainjector.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
cainjector.image.digest + +Setting a digest will override any tag + + +string + +
undefined
+ +
cainjector.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
cainjector.serviceAccount.create + +Specifies whether a service account should be created + +bool + +
true
+ +
cainjector.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +
undefined
+ +
cainjector.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +
undefined
+ +
cainjector.serviceAccount.labels + +Optional additional labels to add to the cainjector's ServiceAccount + + +object + +
undefined
+ +
cainjector.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +
true
+ +
cainjector.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +
undefined
+ +
cainjector.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +
[]
+ +
cainjector.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +
[]
+ +
cainjector.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +
false
+ +
+ +### ACME Solver + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
acmesolver.image.registry + +The container registry to pull the acmesolver image from + + +string + +
undefined
+ +
acmesolver.image.repository + +The container image for the cert-manager acmesolver + + +string + +
quay.io/jetstack/cert-manager-acmesolver
+ +
acmesolver.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
acmesolver.image.digest + +Setting a digest will override any tag + + +string + +
undefined
+ +
acmesolver.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
+ +### Startup API Check + + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
startupapicheck.enabled + +Enables the startup api check + +bool + +
true
+ +
startupapicheck.securityContext + +Pod Security Context to be set on the startupapicheck component Pod + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
startupapicheck.containerSecurityContext + +Container Security Context to be set on the controller component container + +```yaml +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +``` + + +object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
startupapicheck.timeout + +Timeout for 'kubectl check api' command + +string + +
1m
+ +
startupapicheck.backoffLimit + +Job backoffLimit + +number + +
4
+ +
startupapicheck.jobAnnotations + +Optional additional annotations to add to the startupapicheck Job + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+ +
startupapicheck.extraArgs[0] + +string + +
-v
+ +
startupapicheck.resources + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + + + +```yaml +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +``` + +object + +
{}
+ +
startupapicheck.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +
kubernetes.io/os: linux
+ +
startupapicheck.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` + +object + +
{}
+ +
startupapicheck.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` + +array + +
[]
+ +
startupapicheck.podLabels + +Optional additional labels to add to the startupapicheck Pods + +object + +
{}
+ +
startupapicheck.image.registry + +The container registry to pull the startupapicheck image from + + +string + +
undefined
+ +
startupapicheck.image.repository + +The container image for the cert-manager startupapicheck + + +string + +
quay.io/jetstack/cert-manager-startupapicheck
+ +
startupapicheck.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
startupapicheck.image.digest + +Setting a digest will override any tag + + +string + +
undefined
+ +
startupapicheck.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
startupapicheck.rbac.annotations + +annotations for the startup API Check job RBAC and PSP resources + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +
undefined
+ +
startupapicheck.serviceAccount.create + +Specifies whether a service account should be created + +bool + +
true
+ +
startupapicheck.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +
undefined
+ +
startupapicheck.serviceAccount.annotations + +Optional additional annotations to add to the Job's ServiceAccount + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + + +bool + +
true
+ +
startupapicheck.serviceAccount.labels + +Optional additional labels to add to the startupapicheck's ServiceAccount + + +object + +
undefined
+ +
startupapicheck.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +
[]
+ +
startupapicheck.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +
[]
+ +
startupapicheck.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +
false
+ +
+ +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 + + + +object + + +
{}
+ + + + + + +webhook.strategy + + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +
strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ + +object + + +
{}
+ + + + + + +webhook.securityContext + + +Pod Security Context to be set on the webhook component Pod + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ + + + + + +webhook.containerSecurityContext + + +Container Security Context to be set on the webhook component container + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ + + + + + +webhook.podDisruptionBudget.enabled + + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + + +bool + + +
false
+ + + + + + +webhook.podDisruptionBudget.minAvailable + + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + + +number + + +
undefined
+ + + + + + +webhook.podDisruptionBudget.maxUnavailable + + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + + +number + + +
undefined
+ + + + + + +webhook.deploymentAnnotations + + +Optional additional annotations to add to the webhook Deployment + + + +object + + +
undefined
+ + + + + + +webhook.podAnnotations + + +Optional additional annotations to add to the webhook Pods + + + +object + + +
undefined
+ + + + + + +webhook.serviceAnnotations + + +Optional additional annotations to add to the webhook Service + + + +object + + +
undefined
+ + + + + + +webhook.mutatingWebhookConfigurationAnnotations + + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + + + +object + + +
undefined
+ + + + + + +webhook.validatingWebhookConfigurationAnnotations + + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + + + +object + + +
undefined
+ + + + + + +webhook.extraArgs + + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + + +array + + +
[]
+ + + + + + +webhook.featureGates + + +Comma separated list of feature gates that should be enabled on the webhook pod. + + +string + + +
""
+ + + + + + +webhook.resources + + +Resources to provide to the cert-manager webhook pod + +For example: + +
requests:
+  cpu: 10m
+  memory: 32Mi
+
+ + + +
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ + +object + + +
{}
+ + + + + + +webhook.livenessProbe + + +Liveness probe values + +
ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ + + + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.readinessProbe + + +Readiness probe values + +
ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ + + + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.nodeSelector + + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + + +object + + +
kubernetes.io/os: linux
+ + + + + + +webhook.affinity + + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +
affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ + +object + + +
{}
+ + + + + + +webhook.tolerations + + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +
tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ + +array + + +
[]
+ + + + + + +webhook.topologySpreadConstraints + + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +
topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ + +array + + +
[]
+ + + + + + +webhook.podLabels + + +Optional additional labels to add to the Webhook Pods + + +object + + +
{}
+ + + + + + +webhook.serviceLabels + + +Optional additional labels to add to the Webhook Service + + +object + + +
{}
+ + + + + + +webhook.image.registry + + +The container registry to pull the webhook image from + + + +string + + +
undefined
+ + + + + + +webhook.image.repository + + +The container image for the cert-manager webhook + + + +string + + +
quay.io/jetstack/cert-manager-webhook
+ + + + + + +webhook.image.tag + + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + +string + + +
undefined
+ + + + + + +webhook.image.digest + + +Setting a digest will override any tag + + + +string + + +
undefined
+ + + + + + +webhook.image.pullPolicy + + +Kubernetes imagePullPolicy on Deployment. + + +string + + +
IfNotPresent
+ + + + + + +webhook.serviceAccount.create + + +Specifies whether a service account should be created + + +bool + + +
true
+ + + + + + +webhook.serviceAccount.name + + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + + +string + + +
undefined
+ + + + + + +webhook.serviceAccount.annotations + + +Optional additional annotations to add to the controller's ServiceAccount + + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.labels + + +Optional additional labels to add to the webhook's ServiceAccount + + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.automountServiceAccountToken + + +Automount API credentials for a Service Account. + + +bool + + +
true
+ + + + + + +webhook.automountServiceAccountToken + + +Automounting API credentials for a particular pod + + + +bool + + +
undefined
+ + + + + + +webhook.securePort + + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + + +number + + +
10250
+ + + + + + +webhook.hostNetwork + + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + + +bool + + +
false
+ + + + + + +webhook.serviceType + + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + + +string + + +
ClusterIP
+ + + + + + +webhook.loadBalancerIP + + +Specify the load balancer IP for the created service + + + +string + + +
undefined
+ + + + + + +webhook.url + + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + + +object + + +
{}
+ + + + + + +webhook.networkPolicy.enabled + + +Create network policies for the webhooks + + +bool + + +
false
+ + + + + + +webhook.networkPolicy.ingress + + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + + + +array + + +
- from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.networkPolicy.egress + + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + + + +array + + +
- ports:
+    - port: 80
+      protocol: TCP
+    - port: 443
+      protocol: TCP
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+    - port: 6443
+      protocol: TCP
+  to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.volumes + + +Additional volumes to add to the cert-manager controller pod. + + +array + + +
[]
+ + + + + + +webhook.volumeMounts + + +Additional volume mounts to add to the cert-manager controller container. + + +array + + +
[]
+ + + + + + +webhook.enableServiceLinks + + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + +bool + + +
false
+ + + + + + +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
cainjector.enabled + +Create the CA Injector deployment + +bool + +
true
+ +
cainjector.replicaCount + +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +number + +
1
+ +
cainjector.config + +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +
apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+
+ +
object + +
{}
+ +
cainjector.strategy + +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +
strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ +
object + +
{}
+ +
cainjector.securityContext + +Pod Security Context to be set on the cainjector component Pod + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
cainjector.containerSecurityContext + +Container Security Context to be set on the cainjector component container + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
cainjector.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +
false
+ +
cainjector.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +
undefined
+ +
cainjector.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +
undefined
+ +
cainjector.deploymentAnnotations + +Optional additional annotations to add to the cainjector Deployment + + +object + +
undefined
+ +
cainjector.podAnnotations + +Optional additional annotations to add to the cainjector Pods + + +object + +
undefined
+ +
cainjector.extraArgs + +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +array + +
[]
+ +
cainjector.featureGates + +Comma separated list of feature gates that should be enabled on the cainjector pod. + +string + +
""
+ +
cainjector.resources + +Resources to provide to the cert-manager cainjector pod + +For example: + +
requests:
+  cpu: 10m
+  memory: 32Mi
+
+ + + +
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ +
object + +
{}
+ +
cainjector.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +
kubernetes.io/os: linux
+ +
cainjector.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +
affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ +
object + +
{}
+ +
cainjector.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +
tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ +
array + +
[]
+ +
cainjector.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +
topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ +
array + +
[]
+ +
cainjector.podLabels + +Optional additional labels to add to the CA Injector Pods + +object + +
{}
+ +
cainjector.image.registry + +The container registry to pull the cainjector image from + + +string + +
undefined
+ +
cainjector.image.repository + +The container image for the cert-manager cainjector + + +string + +
quay.io/jetstack/cert-manager-controller
+ +
cainjector.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
cainjector.image.digest + +Setting a digest will override any tag + + +string + +
undefined
+ +
cainjector.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
cainjector.serviceAccount.create + +Specifies whether a service account should be created + +bool + +
true
+ +
cainjector.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +
undefined
+ +
cainjector.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + +object + +
undefined
+ +
cainjector.serviceAccount.labels + +Optional additional labels to add to the cainjector's ServiceAccount + + +object + +
undefined
+ +
cainjector.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + +bool + +
true
+ +
cainjector.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +
undefined
+ +
cainjector.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +
[]
+ +
cainjector.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +
[]
+ +
cainjector.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +
false
+ +
+ +### ACME Solver + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
acmesolver.image.registry + +The container registry to pull the acmesolver image from + + +string + +
undefined
+ +
acmesolver.image.repository + +The container image for the cert-manager acmesolver + + +string + +
quay.io/jetstack/cert-manager-acmesolver
+ +
acmesolver.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
acmesolver.image.digest + +Setting a digest will override any tag + + +string + +
undefined
+ +
acmesolver.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
+ +### Startup API Check + + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
startupapicheck.enabled + +Enables the startup api check + +bool + +
true
+ +
startupapicheck.securityContext + +Pod Security Context to be set on the startupapicheck component Pod + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
startupapicheck.containerSecurityContext + +Container Security Context to be set on the controller component container + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
startupapicheck.timeout + +Timeout for 'kubectl check api' command + +string + +
1m
+ +
startupapicheck.backoffLimit + +Job backoffLimit + +number + +
4
+ +
startupapicheck.jobAnnotations + +Optional additional annotations to add to the startupapicheck Job + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+ +
startupapicheck.extraArgs[0] + +string + +
-v
+ +
startupapicheck.resources + +Resources to provide to the cert-manager controller pod + +For example: + +
requests:
+  cpu: 10m
+  memory: 32Mi
+
+ + + +
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ +
object + +
{}
+ +
startupapicheck.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +
kubernetes.io/os: linux
+ +
startupapicheck.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +
affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ +
object + +
{}
+ +
startupapicheck.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +
tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ +
array + +
[]
+ +
startupapicheck.podLabels + +Optional additional labels to add to the startupapicheck Pods + +object + +
{}
+ +
startupapicheck.image.registry + +The container registry to pull the startupapicheck image from + + +string + +
undefined
+ +
startupapicheck.image.repository + +The container image for the cert-manager startupapicheck + + +string + +
quay.io/jetstack/cert-manager-startupapicheck
+ +
startupapicheck.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
startupapicheck.image.digest + +Setting a digest will override any tag + + +string + +
undefined
+ +
startupapicheck.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
startupapicheck.rbac.annotations + +annotations for the startup API Check job RBAC and PSP resources + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.automountServiceAccountToken + +Automounting API credentials for a particular pod + + +bool + +
undefined
+ +
startupapicheck.serviceAccount.create + +Specifies whether a service account should be created + +bool + +
true
+ +
startupapicheck.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +
undefined
+ +
startupapicheck.serviceAccount.annotations + +Optional additional annotations to add to the Job's ServiceAccount + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + + +bool + +
true
+ +
startupapicheck.serviceAccount.labels + +Optional additional labels to add to the startupapicheck's ServiceAccount + + +object + +
undefined
+ +
startupapicheck.volumes + +Additional volumes to add to the cert-manager controller pod. + +array + +
[]
+ +
startupapicheck.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + +array + +
[]
+ +
startupapicheck.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +
false
+ +
+ +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 + + + +object + + +
{}
+ + + + + + +webhook.strategy + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +
strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ + +object + + +
{}
+ + + + + + +webhook.securityContext + +Pod Security Context to be set on the webhook component Pod + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ + + + + + +webhook.containerSecurityContext + +Container Security Context to be set on the webhook component container + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ + + + + + +webhook.podDisruptionBudget.enabled + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + + +bool + + +
false
+ + + + + + +webhook.podDisruptionBudget.minAvailable + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + + +number + + +
undefined
+ + + + + + +webhook.podDisruptionBudget.maxUnavailable + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + + +number + + +
undefined
+ + + + + + +webhook.deploymentAnnotations + +Optional additional annotations to add to the webhook Deployment + + + +object + + +
undefined
+ + + + + + +webhook.podAnnotations + +Optional additional annotations to add to the webhook Pods + + + +object + + +
undefined
+ + + + + + +webhook.serviceAnnotations + +Optional additional annotations to add to the webhook Service + + + +object + + +
undefined
+ + + + + + +webhook.mutatingWebhookConfigurationAnnotations + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + + + +object + + +
undefined
+ + + + + + +webhook.validatingWebhookConfigurationAnnotations + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + + + +object + + +
undefined
+ + + + + + +webhook.extraArgs + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + + +array + + +
[]
+ + + + + + +webhook.featureGates + +Comma separated list of feature gates that should be enabled on the webhook pod. + + +string + + +
""
+ + + + + + +webhook.resources + +Resources to provide to the cert-manager webhook pod + +For example: + +
requests:
+  cpu: 10m
+  memory: 32Mi
+
+ + +
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ + +object + + +
{}
+ + + + + + +webhook.livenessProbe + +Liveness probe values + +
ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ + + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.readinessProbe + +Readiness probe values + +
ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ + + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.nodeSelector + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + + +object + + +
kubernetes.io/os: linux
+ + + + + + +webhook.affinity + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +
affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ + +object + + +
{}
+ + + + + + +webhook.tolerations + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +
tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ + +array + + +
[]
+ + + + + + +webhook.topologySpreadConstraints + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +
topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ + +array + + +
[]
+ + + + + + +webhook.podLabels + +Optional additional labels to add to the Webhook Pods + + +object + + +
{}
+ + + + + + +webhook.serviceLabels + +Optional additional labels to add to the Webhook Service + + +object + + +
{}
+ + + + + + +webhook.image.registry + +The container registry to pull the webhook image from + + + +string + + +
undefined
+ + + + + + +webhook.image.repository + +The container image for the cert-manager webhook + + + +string + + +
quay.io/jetstack/cert-manager-webhook
+ + + + + + +webhook.image.tag + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + +string + + +
undefined
+ + + + + + +webhook.image.digest + +Setting a digest will override any tag + + + +string + + +
undefined
+ + + + + + +webhook.image.pullPolicy + +Kubernetes imagePullPolicy on Deployment. + + +string + + +
IfNotPresent
+ + + + + + +webhook.serviceAccount.create + +Specifies whether a service account should be created + + +bool + + +
true
+ + + + + + +webhook.serviceAccount.name + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + + +string + + +
undefined
+ + + + + + +webhook.serviceAccount.annotations + +Optional additional annotations to add to the controller's ServiceAccount + + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.labels + +Optional additional labels to add to the webhook's ServiceAccount + + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.automountServiceAccountToken + +Automount API credentials for a Service Account. + + +bool + + +
true
+ + + + + + +webhook.automountServiceAccountToken + +Automounting API credentials for a particular pod + + + +bool + + +
undefined
+ + + + + + +webhook.securePort + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + + +number + + +
10250
+ + + + + + +webhook.hostNetwork + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + + +bool + + +
false
+ + + + + + +webhook.serviceType + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + + +string + + +
ClusterIP
+ + + + + + +webhook.loadBalancerIP + +Specify the load balancer IP for the created service + + + +string + + +
undefined
+ + + + + + +webhook.url + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + + +object + + +
{}
+ + + + + + +webhook.networkPolicy.enabled + +Create network policies for the webhooks + + +bool + + +
false
+ + + + + + +webhook.networkPolicy.ingress + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + + + +array + + +
- from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.networkPolicy.egress + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + + + +array + + +
- ports:
+    - port: 80
+      protocol: TCP
+    - port: 443
+      protocol: TCP
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+    - port: 6443
+      protocol: TCP
+  to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.volumes + +Additional volumes to add to the cert-manager controller pod. + + +array + + +
[]
+ + + + + + +webhook.volumeMounts + +Additional volume mounts to add to the cert-manager controller container. + + +array + + +
[]
+ + + + + + +webhook.enableServiceLinks + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + +bool + + +
false
+ + + + + + +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
cainjector.enabled +Create the CA Injector deployment + +bool + +
true
+ +
cainjector.replicaCount +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +number + +
1
+ +
cainjector.config +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +
apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+
+ +
object + +
{}
+ +
cainjector.strategy +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +
strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ +
object + +
{}
+ +
cainjector.securityContext +Pod Security Context to be set on the cainjector component Pod + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
cainjector.containerSecurityContext +Container Security Context to be set on the cainjector component container + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
cainjector.podDisruptionBudget.enabled +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. + +bool + +
false
+ +
cainjector.podDisruptionBudget.minAvailable +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + + +number + +
undefined
+ +
cainjector.podDisruptionBudget.maxUnavailable +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + + +number + +
undefined
+ +
cainjector.deploymentAnnotations +Optional additional annotations to add to the cainjector Deployment + + +object + +
undefined
+ +
cainjector.podAnnotations +Optional additional annotations to add to the cainjector Pods + + +object + +
undefined
+ +
cainjector.extraArgs +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +array + +
[]
+ +
cainjector.featureGates +Comma separated list of feature gates that should be enabled on the cainjector pod. + +string + +
""
+ +
cainjector.resources +Resources to provide to the cert-manager cainjector pod + +For example: + +
requests:
+  cpu: 10m
+  memory: 32Mi
+
+ + +
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ +
object + +
{}
+ +
cainjector.nodeSelector +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +
kubernetes.io/os: linux
+ +
cainjector.affinity +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +
affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ +
object + +
{}
+ +
cainjector.tolerations +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +
tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ +
array + +
[]
+ +
cainjector.topologySpreadConstraints +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +
topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ +
array + +
[]
+ +
cainjector.podLabels +Optional additional labels to add to the CA Injector Pods + +object + +
{}
+ +
cainjector.image.registry +The container registry to pull the cainjector image from + + +string + +
undefined
+ +
cainjector.image.repository +The container image for the cert-manager cainjector + + +string + +
quay.io/jetstack/cert-manager-controller
+ +
cainjector.image.tag +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
cainjector.image.digest +Setting a digest will override any tag + + +string + +
undefined
+ +
cainjector.image.pullPolicy +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
cainjector.serviceAccount.create +Specifies whether a service account should be created + +bool + +
true
+ +
cainjector.serviceAccount.name +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +
undefined
+ +
cainjector.serviceAccount.annotations +Optional additional annotations to add to the controller's ServiceAccount + + +object + +
undefined
+ +
cainjector.serviceAccount.labels +Optional additional labels to add to the cainjector's ServiceAccount + + +object + +
undefined
+ +
cainjector.serviceAccount.automountServiceAccountToken +Automount API credentials for a Service Account. + +bool + +
true
+ +
cainjector.automountServiceAccountToken +Automounting API credentials for a particular pod + + +bool + +
undefined
+ +
cainjector.volumes +Additional volumes to add to the cert-manager controller pod. + +array + +
[]
+ +
cainjector.volumeMounts +Additional volume mounts to add to the cert-manager controller container. + +array + +
[]
+ +
cainjector.enableServiceLinks +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +
false
+ +
+ +### ACME Solver + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
acmesolver.image.registry +The container registry to pull the acmesolver image from + + +string + +
undefined
+ +
acmesolver.image.repository +The container image for the cert-manager acmesolver + + +string + +
quay.io/jetstack/cert-manager-acmesolver
+ +
acmesolver.image.tag +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
acmesolver.image.digest +Setting a digest will override any tag + + +string + +
undefined
+ +
acmesolver.image.pullPolicy +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
+ +### Startup API Check + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
startupapicheck.enabled +Enables the startup api check + +bool + +
true
+ +
startupapicheck.securityContext +Pod Security Context to be set on the startupapicheck component Pod + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
startupapicheck.containerSecurityContext +Container Security Context to be set on the controller component container + +
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
startupapicheck.timeout +Timeout for 'kubectl check api' command + +string + +
1m
+ +
startupapicheck.backoffLimit +Job backoffLimit + +number + +
4
+ +
startupapicheck.jobAnnotations +Optional additional annotations to add to the startupapicheck Job + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+ +
startupapicheck.extraArgs[0] + +string + +
-v
+ +
startupapicheck.resources +Resources to provide to the cert-manager controller pod + +For example: + +
requests:
+  cpu: 10m
+  memory: 32Mi
+
+ + +
ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ +
object + +
{}
+ +
startupapicheck.nodeSelector +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + + +object + +
kubernetes.io/os: linux
+ +
startupapicheck.affinity +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +
affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ +
object + +
{}
+ +
startupapicheck.tolerations +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +
tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ +
array + +
[]
+ +
startupapicheck.podLabels +Optional additional labels to add to the startupapicheck Pods + +object + +
{}
+ +
startupapicheck.image.registry +The container registry to pull the startupapicheck image from + + +string + +
undefined
+ +
startupapicheck.image.repository +The container image for the cert-manager startupapicheck + + +string + +
quay.io/jetstack/cert-manager-startupapicheck
+ +
startupapicheck.image.tag +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + +string + +
undefined
+ +
startupapicheck.image.digest +Setting a digest will override any tag + + +string + +
undefined
+ +
startupapicheck.image.pullPolicy +Kubernetes imagePullPolicy on Deployment. + +string + +
IfNotPresent
+ +
startupapicheck.rbac.annotations +annotations for the startup API Check job RBAC and PSP resources + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.automountServiceAccountToken +Automounting API credentials for a particular pod + + +bool + +
undefined
+ +
startupapicheck.serviceAccount.create +Specifies whether a service account should be created + +bool + +
true
+ +
startupapicheck.serviceAccount.name +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + + +string + +
undefined
+ +
startupapicheck.serviceAccount.annotations +Optional additional annotations to add to the Job's ServiceAccount + + +object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.serviceAccount.automountServiceAccountToken +Automount API credentials for a Service Account. + + +bool + +
true
+ +
startupapicheck.serviceAccount.labels +Optional additional labels to add to the startupapicheck's ServiceAccount + + +object + +
undefined
+ +
startupapicheck.volumes +Additional volumes to add to the cert-manager controller pod. + +array + +
[]
+ +
startupapicheck.volumeMounts +Additional volume mounts to add to the cert-manager controller container. + +array + +
[]
+ +
startupapicheck.enableServiceLinks +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +bool + +
false
+ +
+ +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 + + + +object + + +
{}
+ + + + + + +webhook.strategy + + +

+ +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +

+

+ +For example: + +

+ +
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ + +object + + +
{}
+ + + + + + +webhook.securityContext + + +

+ +Pod Security Context to be set on the webhook component Pod + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ + + + + + +webhook.containerSecurityContext + + +

+ +Container Security Context to be set on the webhook component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ + + + + + +webhook.podDisruptionBudget.enabled + + +

+ +Enable or disable the PodDisruptionBudget resource + +

+

+ +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Pod is currently running. + +

+ + +bool + + +
false
+ + + + + + +webhook.podDisruptionBudget.minAvailable + + +

+ +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `maxUnavailable` is set. + +

+ + + +number + + +
undefined
+ + + + + + +webhook.podDisruptionBudget.maxUnavailable + + +

+ +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `minAvailable` is set. + +

+ + + +number + + +
undefined
+ + + + + + +webhook.deploymentAnnotations + + +

+ +Optional additional annotations to add to the webhook Deployment + +

+ + + +object + + +
undefined
+ + + + + + +webhook.podAnnotations + + +

+ +Optional additional annotations to add to the webhook Pods + +

+ + + +object + + +
undefined
+ + + + + + +webhook.serviceAnnotations + + +

+ +Optional additional annotations to add to the webhook Service + +

+ + + +object + + +
undefined
+ + + + + + +webhook.mutatingWebhookConfigurationAnnotations + + +

+ +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + +

+ + + +object + + +
undefined
+ + + + + + +webhook.validatingWebhookConfigurationAnnotations + + +

+ +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + +

+ + + +object + + +
undefined
+ + + + + + +webhook.extraArgs + + +

+ +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + +

+ + +array + + +
[]
+ + + + + + +webhook.featureGates + + +

+ +Comma separated list of feature gates that should be enabled on the webhook pod. + +

+ + +string + + +
""
+ + + + + + +webhook.resources + + +

+ +Resources to provide to the cert-manager webhook pod + +

+

+ +For example: + +

+ +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ + +object + + +
{}
+ + + + + + +webhook.livenessProbe + + +

+ +Liveness probe values + +

+ +
+ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ +

+ + + +

+ + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.readinessProbe + + +

+ +Readiness probe values + +

+ +
+ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ +

+ + + +

+ + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.nodeSelector + + +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ + + +object + + +
kubernetes.io/os: linux
+ + + + + + +webhook.affinity + + +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ + +object + + +
{}
+ + + + + + +webhook.tolerations + + +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ + +array + + +
[]
+ + + + + + +webhook.topologySpreadConstraints + + +

+ +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +

+

+ +For example: + +

+ +
+topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ + +array + + +
[]
+ + + + + + +webhook.podLabels + + +

+ +Optional additional labels to add to the Webhook Pods + +

+ + +object + + +
{}
+ + + + + + +webhook.serviceLabels + + +

+ +Optional additional labels to add to the Webhook Service + +

+ + +object + + +
{}
+ + + + + + +webhook.image.registry + + +

+ +The container registry to pull the webhook image from + +

+ + + +string + + +
undefined
+ + + + + + +webhook.image.repository + + +

+ +The container image for the cert-manager webhook + +

+ + + +string + + +
quay.io/jetstack/cert-manager-controller
+ + + + + + +webhook.image.tag + + +

+ +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +

+ + + +string + + +
undefined
+ + + + + + +webhook.image.digest + + +

+ +Setting a digest will override any tag + +

+ + + +string + + +
undefined
+ + + + + + +webhook.image.pullPolicy + + +

+ +Kubernetes imagePullPolicy on Deployment. + +

+ + +string + + +
IfNotPresent
+ + + + + + +webhook.serviceAccount.create + + +

+ +Specifies whether a service account should be created + +

+ + +bool + + +
true
+ + + + + + +webhook.serviceAccount.name + + +

+ +The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template + +

+ + + +string + + +
undefined
+ + + + + + +webhook.serviceAccount.annotations + + +

+ +Optional additional annotations to add to the controller's ServiceAccount + +

+ + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.labels + + +

+ +Optional additional labels to add to the webhook's ServiceAccount + +

+ + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.automountServiceAccountToken + + +

+ +Automount API credentials for a Service Account. + +

+ + +bool + + +
true
+ + + + + + +webhook.automountServiceAccountToken + + +

+ +Automounting API credentials for a particular pod + +

+ + + +bool + + +
undefined
+ + + + + + +webhook.securePort + + +

+ +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + +

+ + +number + + +
10250
+ + + + + + +webhook.hostNetwork + + +

+ +Specifies if the webhook should be started in hostNetwork mode. + +

+

+ +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +

+

+ +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + +

+ + +bool + + +
false
+ + + + + + +webhook.serviceType + + +

+ +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + +

+ + +string + + +
ClusterIP
+ + + + + + +webhook.loadBalancerIP + + +

+ +Specify the load balancer IP for the created service + +

+ + + +string + + +
undefined
+ + + + + + +webhook.url + + +

+ +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + +

+ + +object + + +
{}
+ + + + + + +webhook.networkPolicy.enabled + + +

+ +Create network policies for the webhooks + +

+ + +bool + + +
false
+ + + + + + +webhook.networkPolicy.ingress + + +

+ +Ingress rule for the webhook network policy, by default will allow all inbound traffic + +

+ + + +array + + +
- from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.networkPolicy.egress + + +

+ +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + +

+ + + +array + + +
- ports:
+    - port: 80
+      protocol: TCP
+    - port: 443
+      protocol: TCP
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+    - port: 6443
+      protocol: TCP
+  to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.volumes + + +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ + +array + + +
[]
+ + + + + + +webhook.volumeMounts + + +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ + +array + + +
[]
+ + + + + + +webhook.enableServiceLinks + + +

+ +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +

+ + +bool + + +
false
+ + + + + + +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
cainjector.enabled + +

+ +Create the CA Injector deployment + +

+ +
bool + +
true
+ +
cainjector.replicaCount + +

+ +Number of replicas of the cert-manager cainjector to run. + +

+

+ +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +

+

+ +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +

+

+ +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +

+ +
number + +
1
+ +
cainjector.config + +

+ +Used to configure options for the cainjector pod.
+This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
+Flags will override options that are set here. + +

+

+ +For example: + +

+ +
+apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+
+ +
object + +
{}
+ +
cainjector.strategy + +

+ +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +

+

+ +For example: + +

+ +
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ +
object + +
{}
+ +
cainjector.securityContext + +

+ +Pod Security Context to be set on the cainjector component Pod + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
cainjector.containerSecurityContext + +

+ +Container Security Context to be set on the cainjector component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
cainjector.podDisruptionBudget.enabled + +

+ +Enable or disable the PodDisruptionBudget resource + +

+

+ +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Pod is currently running. + +

+ +
bool + +
false
+ +
cainjector.podDisruptionBudget.minAvailable + +

+ +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `maxUnavailable` is set. + +

+ + +
number + +
undefined
+ +
cainjector.podDisruptionBudget.maxUnavailable + +

+ +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `minAvailable` is set. + +

+ + +
number + +
undefined
+ +
cainjector.deploymentAnnotations + +

+ +Optional additional annotations to add to the cainjector Deployment + +

+ + +
object + +
undefined
+ +
cainjector.podAnnotations + +

+ +Optional additional annotations to add to the cainjector Pods + +

+ + +
object + +
undefined
+ +
cainjector.extraArgs + +

+ +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +

+ +
array + +
[]
+ +
cainjector.featureGates + +

+ +Comma separated list of feature gates that should be enabled on the cainjector pod. + +

+ +
string + +
""
+ +
cainjector.resources + +

+ +Resources to provide to the cert-manager cainjector pod + +

+

+ +For example: + +

+ +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ +
object + +
{}
+ +
cainjector.nodeSelector + +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ + +
object + +
kubernetes.io/os: linux
+ +
cainjector.affinity + +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ +
object + +
{}
+ +
cainjector.tolerations + +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ +
array + +
[]
+ +
cainjector.topologySpreadConstraints + +

+ +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +

+

+ +For example: + +

+ +
+topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ +
array + +
[]
+ +
cainjector.podLabels + +

+ +Optional additional labels to add to the CA Injector Pods + +

+ +
object + +
{}
+ +
cainjector.image.registry + +

+ +The container registry to pull the cainjector image from + +

+ + +
string + +
undefined
+ +
cainjector.image.repository + +

+ +The container image for the cert-manager cainjector + +

+ + +
string + +
quay.io/jetstack/cert-manager-controller
+ +
cainjector.image.tag + +

+ +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +

+ + +
string + +
undefined
+ +
cainjector.image.digest + +

+ +Setting a digest will override any tag + +

+ + +
string + +
undefined
+ +
cainjector.image.pullPolicy + +

+ +Kubernetes imagePullPolicy on Deployment. + +

+ +
string + +
IfNotPresent
+ +
cainjector.serviceAccount.create + +

+ +Specifies whether a service account should be created + +

+ +
bool + +
true
+ +
cainjector.serviceAccount.name + +

+ +The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template + +

+ + +
string + +
undefined
+ +
cainjector.serviceAccount.annotations + +

+ +Optional additional annotations to add to the controller's ServiceAccount + +

+ + +
object + +
undefined
+ +
cainjector.serviceAccount.labels + +

+ +Optional additional labels to add to the cainjector's ServiceAccount + +

+ + +
object + +
undefined
+ +
cainjector.serviceAccount.automountServiceAccountToken + +

+ +Automount API credentials for a Service Account. + +

+ +
bool + +
true
+ +
cainjector.automountServiceAccountToken + +

+ +Automounting API credentials for a particular pod + +

+ + +
bool + +
undefined
+ +
cainjector.volumes + +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ +
array + +
[]
+ +
cainjector.volumeMounts + +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ +
array + +
[]
+ +
cainjector.enableServiceLinks + +

+ +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +

+ +
bool + +
false
+ +
+ +### ACME Solver + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
acmesolver.image.registry + +

+ +The container registry to pull the acmesolver image from + +

+ + +
string + +
undefined
+ +
acmesolver.image.repository + +

+ +The container image for the cert-manager acmesolver + +

+ + +
string + +
quay.io/jetstack/cert-manager-acmesolver
+ +
acmesolver.image.tag + +

+ +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +

+ + +
string + +
undefined
+ +
acmesolver.image.digest + +

+ +Setting a digest will override any tag + +

+ + +
string + +
undefined
+ +
acmesolver.image.pullPolicy + +

+ +Kubernetes imagePullPolicy on Deployment. + +

+ +
string + +
IfNotPresent
+ +
+ +### Startup API Check + + +

+ +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + +

+ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + +
PropertyDescriptionTypeDefault
startupapicheck.enabled + +

+ +Enables the startup api check + +

+ +
bool + +
true
+ +
startupapicheck.securityContext + +

+ +Pod Security Context to be set on the startupapicheck component Pod + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
startupapicheck.containerSecurityContext + +

+ +Container Security Context to be set on the controller component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
startupapicheck.timeout + +

+ +Timeout for 'kubectl check api' command + +

+ +
string + +
1m
+ +
startupapicheck.backoffLimit + +

+ +Job backoffLimit + +

+ +
number + +
4
+ +
startupapicheck.jobAnnotations + +

+ +Optional additional annotations to add to the startupapicheck Job + +

+ + +
object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+ +
startupapicheck.extraArgs[0] + +string + +
-v
+ +
startupapicheck.resources + +

+ +Resources to provide to the cert-manager controller pod + +

+

+ +For example: + +

+ +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ +
object + +
{}
+ +
startupapicheck.nodeSelector + +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ + +
object + +
kubernetes.io/os: linux
+ +
startupapicheck.affinity + +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ +
object + +
{}
+ +
startupapicheck.tolerations + +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ +
array + +
[]
+ +
startupapicheck.podLabels + +

+ +Optional additional labels to add to the startupapicheck Pods + +

+ +
object + +
{}
+ +
startupapicheck.image.registry + +

+ +The container registry to pull the startupapicheck image from + +

+ + +
string + +
undefined
+ +
startupapicheck.image.repository + +

+ +The container image for the cert-manager startupapicheck + +

+ + +
string + +
quay.io/jetstack/cert-manager-startupapicheck
+ +
startupapicheck.image.tag + +

+ +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +

+ + +
string + +
undefined
+ +
startupapicheck.image.digest + +

+ +Setting a digest will override any tag + +

+ + +
string + +
undefined
+ +
startupapicheck.image.pullPolicy + +

+ +Kubernetes imagePullPolicy on Deployment. + +

+ +
string + +
IfNotPresent
+ +
startupapicheck.rbac.annotations + +

+ +annotations for the startup API Check job RBAC and PSP resources + +

+ + +
object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.automountServiceAccountToken + +

+ +Automounting API credentials for a particular pod + +

+ + +
bool + +
undefined
+ +
startupapicheck.serviceAccount.create + +

+ +Specifies whether a service account should be created + +

+ +
bool + +
true
+ +
startupapicheck.serviceAccount.name + +

+ +The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template + +

+ + +
string + +
undefined
+ +
startupapicheck.serviceAccount.annotations + +

+ +Optional additional annotations to add to the Job's ServiceAccount + +

+ + +
object + +
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+ +
startupapicheck.serviceAccount.automountServiceAccountToken + +

+ +Automount API credentials for a Service Account. + +

+ + +
bool + +
true
+ +
startupapicheck.serviceAccount.labels + +

+ +Optional additional labels to add to the startupapicheck's ServiceAccount + +

+ + +
object + +
undefined
+ +
startupapicheck.volumes + +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ +
array + +
[]
+ +
startupapicheck.volumeMounts + +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ +
array + +
[]
+ +
startupapicheck.enableServiceLinks + +

+ +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +

+ +
bool + +
false
+ +
+ +# The port that the webhook should listen on for requests. +# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 + + + +object + + +
{}
+ + + + + + +webhook.strategy + + +

+ +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +

+

+ +For example: + +

+ +
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ + +object + + +
{}
+ + + + + + +webhook.securityContext + + +

+ +Pod Security Context to be set on the webhook component Pod + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ + + + + + +webhook.containerSecurityContext + + +

+ +Container Security Context to be set on the webhook component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + + +object + + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ + + + + + +webhook.podDisruptionBudget.enabled + + +

+ +Enable or disable the PodDisruptionBudget resource + +

+

+ +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Pod is currently running. + +

+ + +bool + + +
false
+ + + + + + +webhook.podDisruptionBudget.minAvailable + + +

+ +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `maxUnavailable` is set. + +

+ + + +number + + +
undefined
+ + + + + + +webhook.podDisruptionBudget.maxUnavailable + + +

+ +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `minAvailable` is set. + +

+ + + +number + + +
undefined
+ + + + + + +webhook.deploymentAnnotations + + +

+ +Optional additional annotations to add to the webhook Deployment + +

+ + + +object + + +
undefined
+ + + + + + +webhook.podAnnotations + + +

+ +Optional additional annotations to add to the webhook Pods + +

+ + + +object + + +
undefined
+ + + + + + +webhook.serviceAnnotations + + +

+ +Optional additional annotations to add to the webhook Service + +

+ + + +object + + +
undefined
+ + + + + + +webhook.mutatingWebhookConfigurationAnnotations + + +

+ +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + +

+ + + +object + + +
undefined
+ + + + + + +webhook.validatingWebhookConfigurationAnnotations + + +

+ +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + +

+ + + +object + + +
undefined
+ + + + + + +webhook.extraArgs + + +

+ +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + +

+ + +array + + +
[]
+ + + + + + +webhook.featureGates + + +

+ +Comma separated list of feature gates that should be enabled on the webhook pod. + +

+ + +string + + +
""
+ + + + + + +webhook.resources + + +

+ +Resources to provide to the cert-manager webhook pod + +

+

+ +For example: + +

+ +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ + +object + + +
{}
+ + + + + + +webhook.livenessProbe + + +

+ +Liveness probe values + +

+ +
+ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ +

+ + + +

+ + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.readinessProbe + + +

+ +Readiness probe values + +

+ +
+ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ +

+ + + +

+ + + +object + + +
failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+ + + + + + +webhook.nodeSelector + + +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ + + +object + + +
kubernetes.io/os: linux
+ + + + + + +webhook.affinity + + +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ + +object + + +
{}
+ + + + + + +webhook.tolerations + + +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ + +array + + +
[]
+ + + + + + +webhook.topologySpreadConstraints + + +

+ +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +

+

+ +For example: + +

+ +
+topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ + +array + + +
[]
+ + + + + + +webhook.podLabels + + +

+ +Optional additional labels to add to the Webhook Pods + +

+ + +object + + +
{}
+ + + + + + +webhook.serviceLabels + + +

+ +Optional additional labels to add to the Webhook Service + +

+ + +object + + +
{}
+ + + + + + +webhook.image.registry + + +

+ +The container registry to pull the webhook image from + +

+ + + +string + + +
undefined
+ + + + + + +webhook.image.repository + + +

+ +The container image for the cert-manager webhook + +

+ + + +string + + +
quay.io/jetstack/cert-manager-controller
+ + + + + + +webhook.image.tag + + +

+ +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +

+ + + +string + + +
undefined
+ + + + + + +webhook.image.digest + + +

+ +Setting a digest will override any tag + +

+ + + +string + + +
undefined
+ + + + + + +webhook.image.pullPolicy + + +

+ +Kubernetes imagePullPolicy on Deployment. + +

+ + +string + + +
IfNotPresent
+ + + + + + +webhook.serviceAccount.create + + +

+ +Specifies whether a service account should be created + +

+ + +bool + + +
true
+ + + + + + +webhook.serviceAccount.name + + +

+ +The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template + +

+ + + +string + + +
undefined
+ + + + + + +webhook.serviceAccount.annotations + + +

+ +Optional additional annotations to add to the controller's ServiceAccount + +

+ + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.labels + + +

+ +Optional additional labels to add to the webhook's ServiceAccount + +

+ + + +object + + +
undefined
+ + + + + + +webhook.serviceAccount.automountServiceAccountToken + + +

+ +Automount API credentials for a Service Account. + +

+ + +bool + + +
true
+ + + + + + +webhook.automountServiceAccountToken + + +

Automounting API credentials for a particular pod @@ -661,7 +13506,496 @@ Automounting API credentials for a particular pod -bool +bool + + +

undefined
+ + + + + + +webhook.securePort + + +

+ +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + +

+ + +number + + +
10250
+ + + + + + +webhook.hostNetwork + + +

+ +Specifies if the webhook should be started in hostNetwork mode. + +

+

+ +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +

+

+ +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + +

+ + +bool + + +
false
+ + + + + + +webhook.serviceType + + +

+ +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + +

+ + +string + + +
ClusterIP
+ + + + + + +webhook.loadBalancerIP + + +

+ +Specify the load balancer IP for the created service + +

+ + + +string + + +
undefined
+ + + + + + +webhook.url + + +

+ +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + +

+ + +object + + +
{}
+ + + + + + +webhook.networkPolicy.enabled + + +

+ +Create network policies for the webhooks + +

+ + +bool + + +
false
+ + + + + + +webhook.networkPolicy.ingress + + +

+ +Ingress rule for the webhook network policy, by default will allow all inbound traffic + +

+ + + +array + + +
- from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.networkPolicy.egress + + +

+ +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + +

+ + + +array + + +
- ports:
+    - port: 80
+      protocol: TCP
+    - port: 443
+      protocol: TCP
+    - port: 53
+      protocol: TCP
+    - port: 53
+      protocol: UDP
+    - port: 6443
+      protocol: TCP
+  to:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+ + + + + + +webhook.volumes + + +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ + +array + + +
[]
+ + + + + + +webhook.volumeMounts + + +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ + +array + + +
[]
+ + + + + + +webhook.enableServiceLinks + + +

+ +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +

+ + +bool + + +
false
+ + + + + + +### CA Injector + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - + - + - + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + @@ -742,55 +14150,91 @@ featureGates: - + - + - + - + - + - + @@ -822,12 +14282,12 @@ Additional environment variables - + - + + + - + + + + + + + - + + + - + + + + + + + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + - + + +
PropertyDescriptionTypeDefault
cainjector.enabled + +

+ +Create the CA Injector deployment + +

+ +
bool + +
true
+ +
cainjector.replicaCount + +

+ +Number of replicas of the cert-manager cainjector to run. + +

+

+ +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +

+

+ +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +

+

+ +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +

+ +
number + +
1
+ +
cainjector.config + +

+ +Used to configure options for the cainjector pod.
+This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
+Flags will override options that are set here. + +

+

+ +For example: + +

+ +
+apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+
+ +
object + +
{}
+ +
cainjector.strategy + +

+ +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +

+

+ +For example: + +

+ +
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
+
+ +
object + +
{}
+ +
cainjector.securityContext + +

+ +Pod Security Context to be set on the cainjector component Pod + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
+ +
cainjector.containerSecurityContext + +

+ +Container Security Context to be set on the cainjector component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + +
object + +
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
+ +
cainjector.podDisruptionBudget.enabled + +

+ +Enable or disable the PodDisruptionBudget resource + +

+

+ +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Pod is currently running. + +

+ +
bool + +
false
+ +
cainjector.podDisruptionBudget.minAvailable + +

+ +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `maxUnavailable` is set. + +

+ + +
number
undefined
@@ -671,34 +14005,116 @@ Automounting API credentials for a particular pod
enableCertificateOwnerRefcainjector.podDisruptionBudget.maxUnavailable

-When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `minAvailable` is set.

+
boolnumber -
false
+
undefined
configcainjector.deploymentAnnotations

-Used to configure options for the controller pod.
-This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
-Flags will override options that are set here. +Optional additional annotations to add to the cainjector Deployment + +

+ + +
object + +
undefined
+ +
cainjector.podAnnotations + +

+ +Optional additional annotations to add to the cainjector Pods + +

+ + +
object + +
undefined
+ +
cainjector.extraArgs + +

+ +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + +

+ +
array + +
[]
+ +
cainjector.featureGates + +

+ +Comma separated list of feature gates that should be enabled on the cainjector pod. + +

+ +
string + +
""
+ +
cainjector.resources + +

+ +Resources to provide to the cert-manager cainjector pod

@@ -708,27 +14124,19 @@ For example:

-apiVersion: controller.config.cert-manager.io/v1alpha1
-kind: ControllerConfiguration
-logging:
-  verbosity: 2
-  format: text
-leaderElectionConfig:
-  namespace: kube-system
-kubernetesAPIQPS: 9000
-kubernetesAPIBurst: 9000
-numberOfConcurrentWorkers: 200
-featureGates:
-  AdditionalCertificateOutputFormats: true
-  DisallowInsecureCSRUsageDefinition: true
-  ExperimentalCertificateSigningRequestControllers: true
-  ExperimentalGatewayAPISupport: true
-  LiteralCertificateSubject: true
-  SecretsFilteredCaching: true
-  ServerSideApply: true
-  StableCertificateRequestName: true
-  UseCertificateRequestBasicConstraints: true
-  ValidateCAA: true
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
 
dns01RecursiveNameserverscainjector.nodeSelector

-Comma separated string with host and port of the recursive nameservers cert-manager should query +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

+
stringobject -
""
+
kubernetes.io/os: linux
dns01RecursiveNameserversOnlycainjector.affinity

-Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example:

+
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+
boolobject -
false
+
{}
extraArgscainjector.tolerations

-Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example:

+
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+
array @@ -802,14 +14246,30 @@ Additional command line flags to pass to cert-manager controller binary. To see
extraEnvcainjector.topologySpreadConstraints

-Additional environment variables +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core

+

+ +For example: + +

+ +
+topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
array
resourcescainjector.podLabels

-Resources the controller will be given +Optional additional labels to add to the CA Injector Pods

@@ -842,114 +14302,143 @@ Resources the controller will be given
securityContextcainjector.image.registry

-Pod Security Context +The container registry to pull the cainjector image from

-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
+
string + +
undefined
object
cainjector.image.repository -
runAsNonRoot: true
-seccompProfile:
-  type: RuntimeDefault
+

+ +The container image for the cert-manager cainjector + +

+ + +
string + +
quay.io/jetstack/cert-manager-controller
containerSecurityContextcainjector.image.tag

-Container Security Context to be set on the controller component container +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
+
string + +
undefined
object
cainjector.image.digest -
allowPrivilegeEscalation: false
-capabilities:
-  drop:
-    - ALL
-readOnlyRootFilesystem: true
+

+ +Setting a digest will override any tag + +

+ + +
string + +
undefined
volumescainjector.image.pullPolicy

-Volumes to mount to the controller pod +Kubernetes imagePullPolicy on Deployment.

arraystring -
[]
+
IfNotPresent
volumeMountscainjector.serviceAccount.create

-Volumes specified in `volumes` to mount to the controller container +Specifies whether a service account should be created

arraybool -
[]
+
true
deploymentAnnotationscainjector.serviceAccount.name

-Optional additional annotations to add to the controller Deployment +The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template

objectstring
undefined
@@ -959,12 +14448,12 @@ Optional additional annotations to add to the controller Deployment
podAnnotationscainjector.serviceAccount.annotations

-Optional additional annotations to add to the controller Pods +Optional additional annotations to add to the controller's ServiceAccount

@@ -980,59 +14469,59 @@ Optional additional annotations to add to the controller Pods
podLabelscainjector.serviceAccount.labels

-Optional additional labels to add to the controller Pods +Optional additional labels to add to the cainjector's ServiceAccount

+
object -
{}
+
undefined
serviceAnnotationscainjector.serviceAccount.automountServiceAccountToken

-Optional annotations to add to the controller Service +Automount API credentials for a Service Account.

-
objectbool -
undefined
+
true
serviceLabelscainjector.automountServiceAccountToken

-Optional additional labels to add to the controller Service +Automounting API credentials for a particular pod

objectbool
undefined
@@ -1042,75 +14531,84 @@ Optional additional labels to add to the controller Service
podDnsPolicycainjector.volumes

-DNS policy to use within the controller pod +Additional volumes to add to the cert-manager controller pod.

-
stringarray -
undefined
+
[]
podDnsConfigcainjector.volumeMounts

-Optional DNS settings, useful if you have a public and private DNS zone for the same domain on Route 53. What follows is an example of ensuring cert-manager can access an ingress or DNS TXT records at all times. NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for the cluster to work. +Additional volume mounts to add to the cert-manager controller container.

-
objectarray -
undefined
+
[]
nodeSelectorcainjector.enableServiceLinks

-Node selector to limit the nodes the controller can schedule on +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.

-
objectbool -
kubernetes.io/os: linux
+
false
+ +### ACME Solver + + + + + + + + - + - + - + - + @@ -1183,672 +14687,674 @@ Optional default issuer group to use for ingress resources - + - +
PropertyDescriptionTypeDefault
ingressShim.defaultIssuerNameacmesolver.image.registry

-Optional default issuer to use for ingress resources +The container registry to pull the acmesolver image from

@@ -1126,12 +14624,12 @@ Optional default issuer to use for ingress resources
ingressShim.defaultIssuerKindacmesolver.image.repository

-Optional default issuer kind to use for ingress resources +The container image for the cert-manager acmesolver

@@ -1140,19 +14638,19 @@ Optional default issuer kind to use for ingress resources
string -
undefined
+
quay.io/jetstack/cert-manager-acmesolver
ingressShim.defaultIssuerGroupacmesolver.image.tag

-Optional default issuer group to use for ingress resources +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

@@ -1168,9 +14666,15 @@ Optional default issuer group to use for ingress resources
http_proxyacmesolver.image.digest +

+ +Setting a digest will override any tag + +

+
string
https_proxyacmesolver.image.pullPolicy +

+ +Kubernetes imagePullPolicy on Deployment. + +

string -
undefined
+
IfNotPresent
-no_proxy - +### Startup API Check - -string - +

-

undefined
+This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. - +

+ + + + + + - + - + - + - + - + - + - - - + +

-

- +Timeout for 'kubectl check api' command - - - + - + - - - + +Optional additional annotations to add to the startupapicheck Job - - +

- - - + - + - + - + - - +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
- -
PropertyDescriptionTypeDefault
affinitystartupapicheck.enabled

-A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core for example: +Enables the startup api check

-
-affinity:
-  nodeAffinity:
-   requiredDuringSchedulingIgnoredDuringExecution:
-     nodeSelectorTerms:
-     - matchExpressions:
-       - key: foo.bar.com/role
-         operator: In
-         values:
-         - master
-
-
objectbool -
{}
+
true
tolerationsstartupapicheck.securityContext

-A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core for example: +Pod Security Context to be set on the startupapicheck component Pod

-tolerations:
-- key: foo.bar.com/role
-  operator: Equal
-  value: master
-  effect: NoSchedule
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
+
arrayobject -
[]
+
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
topologySpreadConstraintsstartupapicheck.containerSecurityContext

-A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core for example: +Container Security Context to be set on the controller component container

-topologySpreadConstraints:
-- maxSkew: 2
-  topologyKey: topology.kubernetes.io/zone
-  whenUnsatisfiable: ScheduleAnyway
-  labelSelector:
-    matchLabels:
-      app.kubernetes.io/instance: cert-manager
-      app.kubernetes.io/component: controller
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
 
+
arrayobject -
[]
+
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
livenessProbe.enabled - -boolstartupapicheck.timeout -
true
- -
livenessProbe.initialDelaySeconds +

numberstring -
10
+
1m
livenessProbe.periodSecondsstartupapicheck.backoffLimit +

+ +Job backoffLimit + +

+
number -
10
+
4
livenessProbe.timeoutSeconds - -numberstartupapicheck.jobAnnotations -
15
+

-

livenessProbe.successThreshold numberobject -
1
+
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
livenessProbe.failureThresholdstartupapicheck.extraArgs[0] numberstring -
8
+
-v
enableServiceLinksstartupapicheck.resources

-enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +Resources to provide to the cert-manager controller pod

+

-

bool +For example: -
false
+

-
+

-### Prometheus - - - - - - - - +

- - - + - + - - +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. - - +

- - - + - + - + - + - + - + - + - + - + - + - + - + - - - + +Setting a digest will override any tag - - +

- - - + - + - + - + - + - + - + - + - + - + - + - + - + - - - + +Optional additional labels to add to the startupapicheck's ServiceAccount - - +

- - -
PropertyDescriptionTypeDefault
prometheus.enabled +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
boolobject -
true
+
{}
prometheus.servicemonitor.enabledstartupapicheck.nodeSelector

-Create a ServiceMonitor resource to scrape the metrics endpoint +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/

+

-

bool - -
false
- -
prometheus.servicemonitor.prometheusInstance stringobject -
default
+
kubernetes.io/os: linux
prometheus.servicemonitor.targetPortstartupapicheck.affinity

-The port to scrape metrics from +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example:

+
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+
numberobject -
9402
+
{}
prometheus.servicemonitor.pathstartupapicheck.tolerations

-Path to scrape metrics from +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example:

+
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+
stringarray -
/metrics
+
[]
prometheus.servicemonitor.intervalstartupapicheck.podLabels

-Interval to scrape metrics +Optional additional labels to add to the startupapicheck Pods

stringobject -
60s
+
{}
prometheus.servicemonitor.scrapeTimeoutstartupapicheck.image.registry

-Timeout for each metrics scrape +The container registry to pull the startupapicheck image from

+
string -
30s
+
undefined
prometheus.servicemonitor.labelsstartupapicheck.image.repository

-Labels to add to the ServiceMonitor resource +The container image for the cert-manager startupapicheck

+
objectstring -
{}
+
quay.io/jetstack/cert-manager-startupapicheck
prometheus.servicemonitor.annotationsstartupapicheck.image.tag

-Annotations to add to the ServiceMonitor resource +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

+
objectstring -
{}
+
undefined
prometheus.servicemonitor.honorLabels - -boolstartupapicheck.image.digest -
false
+

-

prometheus.servicemonitor.endpointAdditionalProperties objectstring -
{}
+
undefined
prometheus.podmonitor.enabledstartupapicheck.image.pullPolicy

-Create a PodMonitor resource to scrape the metrics endpoint +Kubernetes imagePullPolicy on Deployment.

boolstring -
false
+
IfNotPresent
prometheus.podmonitor.prometheusInstancestartupapicheck.rbac.annotations +

+ +annotations for the startup API Check job RBAC and PSP resources + +

+ +
stringobject -
default
+
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
prometheus.podmonitor.pathstartupapicheck.automountServiceAccountToken

-Path to scrape metrics from +Automounting API credentials for a particular pod

+
stringbool -
/metrics
+
undefined
prometheus.podmonitor.intervalstartupapicheck.serviceAccount.create

-Interval to scrape metrics +Specifies whether a service account should be created

stringbool -
60s
+
true
prometheus.podmonitor.scrapeTimeoutstartupapicheck.serviceAccount.name

-Timeout for each metrics scrape +The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template

+
string -
30s
+
undefined
prometheus.podmonitor.labelsstartupapicheck.serviceAccount.annotations

-Labels to add to the PodMonitor resource +Optional additional annotations to add to the Job's ServiceAccount

+
object -
{}
+
helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
prometheus.podmonitor.annotationsstartupapicheck.serviceAccount.automountServiceAccountToken

-Annotations to add to the PodMonitor resource +Automount API credentials for a Service Account.

+
objectbool -
{}
+
true
prometheus.podmonitor.honorLabels - -boolstartupapicheck.serviceAccount.labels -
false
+

-

prometheus.podmonitor.endpointAdditionalProperties object -
{}
+
undefined
+ -### Webhook +startupapicheck.volumes + +

- - - - - - - - +Additional volumes to add to the cert-manager controller pod. - - - + - + - + - + + + + + +
PropertyDescriptionTypeDefault
webhook.replicaCount +

numberarray -
1
+
[]
webhook.timeoutSecondsstartupapicheck.volumeMounts

-Seconds the API server should wait for the webhook to respond before treating the call as a failure.
-Value must be between 1 and 30 seconds. See:
-https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ - -

-

- -We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. +Additional volume mounts to add to the cert-manager controller container.

numberarray -
30
+
[]
webhook.configstartupapicheck.enableServiceLinks

-Used to configure options for the webhook pod.
-This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here. Example config: +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.

-
-apiVersion: webhook.config.cert-manager.io/v1alpha1
-kind: WebhookConfiguration
+
bool + +
false
+ +
+ # The port that the webhook should listen on for requests. # In GKE private clusters, by default kubernetes apiservers are allowed to # talk to the cluster nodes only on 443 and 10250. so configuring # securePort: 10250, will work out of the box without needing to add firewall -# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. # This should be uncommented and set as a default by the chart once we graduate # the apiVersion of WebhookConfiguration past v1alpha1. securePort: 10250 @@ -1870,15 +15376,21 @@ securePort: 10250

-Deployment strategy, for example: +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +

+

+ +For example:

-type: RollingUpdate
-rollingUpdate:
-  maxSurge: 0
-  maxUnavailable: 1
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
 
@@ -1897,10 +15409,14 @@ rollingUpdate:

-Pod Security Context to be set on the webhook component Pod. Rref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +Pod Security Context to be set on the webhook component Pod

+
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ object @@ -1915,51 +15431,72 @@ seccompProfile: -webhook.podDisruptionBudget.enabled +webhook.containerSecurityContext +

+ +Container Security Context to be set on the webhook component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + -bool +object -
false
+
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
-webhook.podDisruptionBudget.minAvailable +webhook.podDisruptionBudget.enabled +

+ +Enable or disable the PodDisruptionBudget resource +

-minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Pod is currently running.

-number +bool -
undefined
+
false
-webhook.podDisruptionBudget.maxUnavailable +webhook.podDisruptionBudget.minAvailable -

-maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `maxUnavailable` is set.

+ number @@ -1971,29 +15508,22 @@ maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e -webhook.containerSecurityContext +webhook.podDisruptionBudget.maxUnavailable

-Container Security Context to be set on the webhook component container +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `minAvailable` is set.

-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
- -object +number -
allowPrivilegeEscalation: false
-capabilities:
-  drop:
-    - ALL
-readOnlyRootFilesystem: true
+
undefined
@@ -2148,6 +15678,33 @@ Comma separated list of feature gates that should be enabled on the webhook pod. webhook.resources +

+ +Resources to provide to the cert-manager webhook pod + +

+

+ +For example: + +

+ +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ object @@ -2232,6 +15789,17 @@ timeoutSeconds: 1 webhook.nodeSelector +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ object @@ -2247,6 +15815,29 @@ timeoutSeconds: 1 webhook.affinity +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ object @@ -2261,6 +15852,25 @@ timeoutSeconds: 1 webhook.tolerations +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ array @@ -2275,6 +15885,28 @@ timeoutSeconds: 1 webhook.topologySpreadConstraints +

+ +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +

+

+ +For example: + +

+ +
+topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ array @@ -2331,7 +15963,7 @@ Optional additional labels to add to the Webhook Service

-Registry to pull the image from +The container registry to pull the webhook image from

@@ -2352,15 +15984,16 @@ Registry to pull the image from

-Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property +The container image for the cert-manager webhook

+ string -
quay.io/jetstack/cert-manager-webhook
+
quay.io/jetstack/cert-manager-controller
@@ -2414,7 +16047,7 @@ Setting a digest will override any tag

-Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy +Kubernetes imagePullPolicy on Deployment.

@@ -2533,6 +16166,27 @@ Automount API credentials for a Service Account. +webhook.automountServiceAccountToken + + +

+ +Automounting API credentials for a particular pod + +

+ + + +bool + + +
undefined
+ + + + + + webhook.securePort @@ -2606,6 +16260,12 @@ Specifies how the service should be handled. Useful if you want to expose the we webhook.loadBalancerIP +

+ +Specify the load balancer IP for the created service + +

+ string @@ -2641,6 +16301,12 @@ Overrides the mutating webhook and validating webhook so they reach the webhook webhook.networkPolicy.enabled +

+ +Create network policies for the webhooks + +

+ bool @@ -2655,6 +16321,12 @@ Overrides the mutating webhook and validating webhook so they reach the webhook webhook.networkPolicy.ingress +

+ +Ingress rule for the webhook network policy, by default will allow all inbound traffic + +

+ array @@ -2672,6 +16344,12 @@ Overrides the mutating webhook and validating webhook so they reach the webhook webhook.networkPolicy.egress +

+ +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + +

+ array @@ -2700,6 +16378,12 @@ Overrides the mutating webhook and validating webhook so they reach the webhook webhook.volumes +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ array @@ -2714,6 +16398,12 @@ Overrides the mutating webhook and validating webhook so they reach the webhook webhook.volumeMounts +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ array @@ -2760,6 +16450,12 @@ enableServiceLinks indicates whether information about services should be inject cainjector.enabled +

+ +Create the CA Injector deployment + +

+ bool @@ -2774,6 +16470,27 @@ enableServiceLinks indicates whether information about services should be inject cainjector.replicaCount +

+ +Number of replicas of the cert-manager cainjector to run. + +

+

+ +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +

+

+ +If `replicas > 1` you should also consider setting cainjector.podDisruptionBudget.enabled=true. + +

+

+ +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. + +

+ number @@ -2791,7 +16508,13 @@ enableServiceLinks indicates whether information about services should be inject

Used to configure options for the cainjector pod.
-This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here. For example: +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
+Flags will override options that are set here. + +

+

+ +For example:

@@ -2821,15 +16544,21 @@ leaderElectionConfig:

-Deployment strategy, for example: +Deployment update strategy for the cert-manager cainjector deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +

+

+ +For example:

-type: RollingUpdate
-rollingUpdate:
-  maxSurge: 0
-  maxUnavailable: 1
+strategy:
+  type: RollingUpdate
+  rollingUpdate:
+    maxSurge: 0
+    maxUnavailable: 1
 
@@ -2843,79 +16572,99 @@ rollingUpdate: -cainjector.securityContext.runAsNonRoot +cainjector.securityContext - -bool - +

-

true
+Pod Security Context to be set on the cainjector component Pod - +

- - +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
-cainjector.securityContext.seccompProfile.type - -string +object -
RuntimeDefault
+
runAsNonRoot: true
+seccompProfile:
+  type: RuntimeDefault
-cainjector.podDisruptionBudget.enabled +cainjector.containerSecurityContext +

+ +Container Security Context to be set on the cainjector component container + +

+ +
+ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ + -bool +object -
false
+
allowPrivilegeEscalation: false
+capabilities:
+  drop:
+    - ALL
+readOnlyRootFilesystem: true
-cainjector.podDisruptionBudget.minAvailable +cainjector.podDisruptionBudget.enabled +

+ +Enable or disable the PodDisruptionBudget resource +

-minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager
+Pod is currently running.

-number +bool -
undefined
+
false
-cainjector.podDisruptionBudget.maxUnavailable +cainjector.podDisruptionBudget.minAvailable -

-maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `maxUnavailable` is set.

+ number @@ -2927,29 +16676,22 @@ maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e -cainjector.containerSecurityContext +cainjector.podDisruptionBudget.maxUnavailable

-Container Security Context to be set on the cainjector component container +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
+Cannot be used if `minAvailable` is set.

-
-ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
-
- -object +number -
allowPrivilegeEscalation: false
-capabilities:
-  drop:
-    - ALL
-readOnlyRootFilesystem: true
+
undefined
@@ -3041,6 +16783,33 @@ Comma separated list of feature gates that should be enabled on the cainjector p cainjector.resources +

+ +Resources to provide to the cert-manager cainjector pod + +

+

+ +For example: + +

+ +
+requests:
+  cpu: 10m
+  memory: 32Mi
+
+ +

+ + + +

+ +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
+ object @@ -3055,6 +16824,17 @@ Comma separated list of feature gates that should be enabled on the cainjector p cainjector.nodeSelector +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ object @@ -3070,6 +16850,29 @@ Comma separated list of feature gates that should be enabled on the cainjector p cainjector.affinity +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ object @@ -3084,6 +16887,25 @@ Comma separated list of feature gates that should be enabled on the cainjector p cainjector.tolerations +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ array @@ -3098,6 +16920,28 @@ Comma separated list of feature gates that should be enabled on the cainjector p cainjector.topologySpreadConstraints +

+ +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +

+

+ +For example: + +

+ +
+topologySpreadConstraints:
+- maxSkew: 2
+  topologyKey: topology.kubernetes.io/zone
+  whenUnsatisfiable: ScheduleAnyway
+  labelSelector:
+    matchLabels:
+      app.kubernetes.io/instance: cert-manager
+      app.kubernetes.io/component: controller
+
+ array @@ -3134,7 +16978,7 @@ Optional additional labels to add to the CA Injector Pods

-Registry to pull the image from +The container registry to pull the cainjector image from

@@ -3155,15 +16999,16 @@ Registry to pull the image from

-Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property +The container image for the cert-manager cainjector

+ string -
quay.io/jetstack/cert-manager-cainjector
+
quay.io/jetstack/cert-manager-controller
@@ -3217,7 +17062,7 @@ Setting a digest will override any tag

-Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy +Kubernetes imagePullPolicy on Deployment.

@@ -3300,7 +17145,6 @@ Optional additional annotations to add to the controller's ServiceAccount

-Automount API credentials for a Service Account.
Optional additional labels to add to the cainjector's ServiceAccount

@@ -3320,6 +17164,12 @@ Optional additional labels to add to the cainjector's ServiceAccount cainjector.serviceAccount.automountServiceAccountToken +

+ +Automount API credentials for a Service Account. + +

+ bool @@ -3355,6 +17205,12 @@ Automounting API credentials for a particular pod cainjector.volumes +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ array @@ -3369,6 +17225,12 @@ Automounting API credentials for a particular pod cainjector.volumeMounts +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ array @@ -3417,7 +17279,7 @@ enableServiceLinks indicates whether information about services should be inject

-Image registry to pull from +The container registry to pull the acmesolver image from

@@ -3438,10 +17300,11 @@ Image registry to pull from

-Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property +The container image for the cert-manager acmesolver

+ string @@ -3492,15 +17355,35 @@ Setting a digest will override any tag + + + +acmesolver.image.pullPolicy + + +

+ +Kubernetes imagePullPolicy on Deployment. + +

+ + +string + + +
IfNotPresent
+ + + -### Startup check API +### Startup API Check

-This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job- if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context.

@@ -3516,6 +17399,12 @@ This startupapicheck is a Helm post-install hook that waits for the webhook endp startupapicheck.enabled +

+ +Enables the startup api check + +

+ bool @@ -3646,55 +17535,49 @@ helm.sh/hook-weight: "1" -startupapicheck.podAnnotations +startupapicheck.extraArgs[0] -

- -Optional additional annotations to add to the startupapicheck Pods - -

- - -object +string -
undefined
+
-v
-startupapicheck.extraArgs +startupapicheck.resources

-Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help +Resources to provide to the cert-manager controller pod

-We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. +For example:

+
+requests:
+  cpu: 10m
+  memory: 32Mi
+
- -array - +

-

- -v
- - - +

-startupapicheck.resources - +
+ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+
object @@ -3710,6 +17593,17 @@ We enable verbose logging by default so that if startupapicheck fails, users can startupapicheck.nodeSelector +

+ +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +

+

+ +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +

+ object @@ -3725,6 +17619,29 @@ We enable verbose logging by default so that if startupapicheck fails, users can startupapicheck.affinity +

+ +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +

+

+ +For example: + +

+ +
+affinity:
+  nodeAffinity:
+   requiredDuringSchedulingIgnoredDuringExecution:
+     nodeSelectorTerms:
+     - matchExpressions:
+       - key: foo.bar.com/role
+         operator: In
+         values:
+         - master
+
+ object @@ -3739,6 +17656,25 @@ We enable verbose logging by default so that if startupapicheck fails, users can startupapicheck.tolerations +

+ +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +

+

+ +For example: + +

+ +
+tolerations:
+- key: foo.bar.com/role
+  operator: Equal
+  value: master
+  effect: NoSchedule
+
+ array @@ -3775,7 +17711,7 @@ Optional additional labels to add to the startupapicheck Pods

-Image registry to pull from +The container registry to pull the startupapicheck image from

@@ -3796,10 +17732,11 @@ Image registry to pull from

-Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property +The container image for the cert-manager startupapicheck

+ string @@ -3858,7 +17795,7 @@ Setting a digest will override any tag

-Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy +Kubernetes imagePullPolicy on Deployment.

@@ -3896,6 +17833,27 @@ helm.sh/hook-weight: "-5" +startupapicheck.automountServiceAccountToken + + +

+ +Automounting API credentials for a particular pod + +

+ + + +bool + + +
undefined
+ + + + + + startupapicheck.serviceAccount.create @@ -3970,6 +17928,7 @@ Automount API credentials for a Service Account.

+ bool @@ -4005,6 +17964,12 @@ Optional additional labels to add to the startupapicheck's ServiceAccount startupapicheck.volumes +

+ +Additional volumes to add to the cert-manager controller pod. + +

+ array @@ -4019,6 +17984,12 @@ Optional additional labels to add to the startupapicheck's ServiceAccount startupapicheck.volumeMounts +

+ +Additional volume mounts to add to the cert-manager controller container. + +

+ array diff --git a/examples/cert-manager/values.yaml b/examples/cert-manager/values.yaml index b8dc03b..86c2d17 100644 --- a/examples/cert-manager/values.yaml +++ b/examples/cert-manager/values.yaml 
@@ -1,38 +1,45 @@ +# +docs:section=Global + # Default values for cert-manager. # This is a YAML-formatted file. # Declare variables to be passed into your templates. - -# +docs:section=Global - global: # Reference to one or more secrets to be used when pulling images # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # + # For example: + # imagePullSecrets: + # - name: "image-pull-secret" imagePullSecrets: [] - # - name: "image-pull-secret" # Labels to apply to all resources # Please note that this does not add labels to the resources created dynamically by the controllers. # For these resources, you have to add the labels in the template in the cert-manager custom resource: - # # eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress # ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress # eg. secretTemplate in CertificateSpec # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec commonLabels: {} - # team_name: dev + + # The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # +docs:property + # revisionHistoryLimit: 1 # Optional priority class to be used for the cert-manager pods priorityClassName: "" + rbac: - # Create RBAC rules + # Create required ClusterRoles and ClusterRoleBindings for cert-manager create: true - # Aggregate ClusterRoles to Kubernetes default user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + # Aggregate ClusterRoles to Kubernetes default user-facing roles. 
Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles aggregateClusterRoles: true podSecurityPolicy: - # +docs:ignore + # Create PodSecurityPolicy for cert-manager + # + # NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 enabled: false - # +docs:ignore + # Configure the PodSecurityPolicy to use AppArmor useAppArmor: true # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. 
@@ -60,35 +67,53 @@ global: # +docs:property # retryPeriod: 15s -# Install the CRDs +# Install the cert-manager CRDs, it is recommended to not use Helm to manage +# the CRDs installCRDs: false # +docs:section=Controller -# Number of replicas to run of the cert-manager controller +# Number of replicas of the cert-manager controller to run. +# +# The default is 1, but in production you should set this to 2 or 3 to provide high +# availability. +# +# If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. +# +# Note: cert-manager uses leader election to ensure that there can +# only be a single instance active at a time. replicaCount: 1 -# Update strategy to use, for example: -# type: RollingUpdate -# rollingUpdate: -# maxSurge: 0 -# maxUnavailable: 1 +# Deployment update strategy for the cert-manager controller deployment. +# See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +# +# For example: +# strategy: +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 strategy: {} podDisruptionBudget: - # +docs:ignore + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. enabled: false - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. # +docs:property - # minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 
25%) # minAvailable: 1 + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. # +docs:property - # maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) # maxUnavailable: 1 # Comma separated list of feature gates that should be enabled on the @@ -99,24 +124,24 @@ featureGates: "" maxConcurrentChallenges: 60 image: - # Registry to pull the image from + # The container registry to pull the manager image from # +docs:property # registry: quay.io - # Image name, this can be the full image including registry or the short name - # excluding the registry. The registy can also be set in the `registry` property + # The container image for the cert-manager controller + # +docs:property repository: quay.io/jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # +docs:property - # tag: canary + # tag: vX.Y.Z # Setting a digest will override any tag # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - # Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent # Override the namespace used to store DNS provider credentials etc. for ClusterIssuer @@ -142,12 +167,11 @@ serviceAccount: # +docs:property # annotations: {} - # Automount API credentials for a Service Account. # Optional additional labels to add to the controller's ServiceAccount # +docs:property # labels: {} - # Service account token wil be automatically mounted in Pods + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod 
@@ -163,27 +187,36 @@ enableCertificateOwnerRef: false # Flags will override options that are set here. # # For example: -# apiVersion: controller.config.cert-manager.io/v1alpha1 -# kind: ControllerConfiguration -# logging: -# verbosity: 2 -# format: text -# leaderElectionConfig: -# namespace: kube-system -# kubernetesAPIQPS: 9000 -# kubernetesAPIBurst: 9000 -# numberOfConcurrentWorkers: 200 -# featureGates: -# AdditionalCertificateOutputFormats: true -# DisallowInsecureCSRUsageDefinition: true -# ExperimentalCertificateSigningRequestControllers: true -# ExperimentalGatewayAPISupport: true -# LiteralCertificateSubject: true -# SecretsFilteredCaching: true -# ServerSideApply: true -# StableCertificateRequestName: true -# UseCertificateRequestBasicConstraints: true -# ValidateCAA: true +# config: +# apiVersion: controller.config.cert-manager.io/v1alpha1 +# kind: ControllerConfiguration +# logging: +# verbosity: 2 +# format: text +# leaderElectionConfig: +# namespace: kube-system +# kubernetesAPIQPS: 9000 +# kubernetesAPIBurst: 9000 +# numberOfConcurrentWorkers: 200 +# featureGates: +# AdditionalCertificateOutputFormats: true +# DisallowInsecureCSRUsageDefinition: true +# ExperimentalCertificateSigningRequestControllers: true +# ExperimentalGatewayAPISupport: true +# LiteralCertificateSubject: true +# SecretsFilteredCaching: true +# ServerSideApply: true +# StableCertificateRequestName: true +# UseCertificateRequestBasicConstraints: true +# ValidateCAA: true +# metricsTLSConfig: +# dynamic: +# secretNamespace: "cert-manager" +# secretName: "cert-manager-metrics-ca" +# dnsNames: +# - cert-manager-metrics +# - cert-manager-metrics.cert-manager +# - cert-manager-metrics.cert-manager.svc config: {} # Setting Nameservers for DNS01 Self Check 
@@ -198,20 +231,28 @@ dns01RecursiveNameserversOnly: false # Additional command line flags to pass to cert-manager controller binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +# +# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver +# +# For example: +# extraArgs: +# - --controllers=*,-certificaterequests-approver extraArgs: [] - # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver - # - --controllers=*,-certificaterequests-approver -# Additional environment variables +# Additional environment variables to pass to cert-manager controller binary. extraEnv: [] # - name: SOME_VAR # value: 'some value' -# Resources the controller will be given +# Resources to provide to the cert-manager controller pod +# +# For example: +# requests: +# cpu: 10m +# memory: 32Mi +# +# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi # Pod Security Context # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ @@ -231,10 +272,10 @@ containerSecurityContext: - ALL readOnlyRootFilesystem: true -# Volumes to mount to the controller pod +# Additional volumes to add to the cert-manager controller pod. volumes: [] -# Volumes specified in `volumes` to mount to the controller container +# Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # Optional additional annotations to add to the controller Deployment 
@@ -256,22 +297,32 @@ podLabels: {} # +docs:property # serviceLabels: {} -# DNS policy to use within the controller pod -# +docs:property -# podDnsPolicy: "None" - # Optional DNS settings, useful if you have a public and private DNS zone for # the same domain on Route 53. What follows is an example of ensuring # cert-manager can access an ingress or DNS TXT records at all times. # NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for # the cluster to work. + +# Pod DNS policy +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +# +docs:property +# podDnsPolicy: "None" + +# Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy +# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config # +docs:property # podDnsConfig: # nameservers: # - "1.1.1.1" # - "8.8.8.8" -# Node selector to limit the nodes the controller can schedule on +# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with +# matching labels. +# See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +# +# This default ensures that Pods are only scheduled to Linux nodes. +# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. # +docs:property nodeSelector: kubernetes.io/os: linux 
@@ -293,17 +344,23 @@ ingressShim: {} # Use these variables to configure the HTTP_PROXY environment variables +# Configures the HTTP_PROXY environment variable for where a HTTP proxy is required # +docs:property # http_proxy: "http://proxy:8080" +# Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required # +docs:property # https_proxy: "https://proxy:8080" +# Configures the NO_PROXY environment variable for where a HTTP proxy is required, +# but certain domains should be excluded # +docs:property # no_proxy: 127.0.0.1,localhost + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core -# for example: +# +# For example: # affinity: # nodeAffinity: # requiredDuringSchedulingIgnoredDuringExecution: @@ -316,7 +373,8 @@ ingressShim: {} affinity: {} # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core -# for example: +# +# For example: # tolerations: # - key: foo.bar.com/role # operator: Equal @@ -325,7 +383,8 @@ affinity: {} tolerations: [] # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core -# for example: +# +# For example: # topologySpreadConstraints: # - maxSkew: 2 # topologyKey: topology.kubernetes.io/zone @@ -343,6 +402,7 @@ topologySpreadConstraints: [] # LivenessProbe durations and thresholds are based on those used for the Kubernetes # controller-manager. See: # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 +# +docs:property livenessProbe: enabled: true initialDelaySeconds: 10 
@@ -356,49 +416,110 @@ livenessProbe: # links. enableServiceLinks: false -# +docs:section=Prometheus +# docs:section=Prometheus prometheus: + # Enable prometheus monitoring for the cert-manager controller, to use with + # Prometheus Operator either `prometheus.servicemonitor.enabled` or + # `prometheus.podmonitor.enabled` can be used to create a ServiceMonitor/PodMonitor + # resource enabled: true servicemonitor: - # Create a ServiceMonitor resource to scrape the metrics endpoint + # Create a ServiceMonitor to add cert-manager to Prometheus enabled: false + + # Specifies the `prometheus` label on the created ServiceMonitor, this is + # used when different Prometheus instances have label selectors matching + # different ServiceMonitors. prometheusInstance: default - # The port to scrape metrics from + + # The target port to set on the ServiceMonitor, should match the port that + # cert-manager controller is listening on for metrics targetPort: 9402 - # Path to scrape metrics from + + # The path to scrape for metrics path: /metrics - # Interval to scrape metrics + + # The interval to scrape metrics interval: 60s - # Timeout for each metrics scrape + + # The timeout before a metrics scrape fails scrapeTimeout: 30s - # Labels to add to the ServiceMonitor resource + + # Additional labels to add to the ServiceMonitor labels: {} - # Annotations to add to the ServiceMonitor resource + + # Additional annotations to add to the ServiceMonitor annotations: {} + + # Keep labels from scraped data, overriding server-side labels. honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. 
+ # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property endpointAdditionalProperties: {} + # Note: Enabling both PodMonitor and ServiceMonitor is mutually exclusive, enabling both will result in a error. podmonitor: - # Create a PodMonitor resource to scrape the metrics endpoint + # Create a PodMonitor to add cert-manager to Prometheus enabled: false + + # Specifies the `prometheus` label on the created PodMonitor, this is + # used when different Prometheus instances have label selectors matching + # different PodMonitor. prometheusInstance: default - # Path to scrape metrics from + + # The path to scrape for metrics path: /metrics - # Interval to scrape metrics + + # The interval to scrape metrics interval: 60s - # Timeout for each metrics scrape + + # The timeout before a metrics scrape fails scrapeTimeout: 30s - # Labels to add to the PodMonitor resource + + # Additional labels to add to the PodMonitor labels: {} - # Annotations to add to the PodMonitor resource + + # Additional annotations to add to the PodMonitor annotations: {} + + # Keep labels from scraped data, overriding server-side labels. honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property endpointAdditionalProperties: {} # +docs:section=Webhook webhook: + # Number of replicas of the cert-manager webhook to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. 
replicaCount: 1 # Seconds the API server should wait for the webhook to respond before treating the call as a failure. 
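Review bot: The Prometheus section marker loses its leading `+` in this hunk: `# +docs:section=Prometheus` becomes `# docs:section=Prometheus`, while the Global, Controller and Webhook markers in the same file keep the `# +docs:section=` form. If the generator keys on the `+docs:` prefix, as every other marker in the file suggests, the `prometheus.*` values will no longer get their own heading and will presumably be folded into the preceding Controller section of the rendered README. Restore the marker as `# +docs:section=Prometheus` so the section split matches the other components.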
@@ -420,50 +541,40 @@ webhook: # Used to configure options for the webhook pod. # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. - # Flags will override options that are set here. Example config: - # apiVersion: webhook.config.cert-manager.io/v1alpha1 - # kind: WebhookConfiguration - # # The port that the webhook should listen on for requests. - # # In GKE private clusters, by default kubernetes apiservers are allowed to - # # talk to the cluster nodes only on 443 and 10250. so configuring - # # securePort: 10250, will work out of the box without needing to add firewall - # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. - # # This should be uncommented and set as a default by the chart once we graduate - # # the apiVersion of WebhookConfiguration past v1alpha1. - # securePort: 10250 + # Flags will override options that are set here. + # + # For example: + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + # # The port that the webhook should listen on for requests. + # # In GKE private clusters, by default kubernetes apiservers are allowed to + # # talk to the cluster nodes only on 443 and 10250. so configuring + # # securePort: 10250, will work out of the box without needing to add firewall + # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. + # # This should be uncommented and set as a default by the chart once we graduate + # # the apiVersion of WebhookConfiguration past v1alpha1. + # securePort: 10250 config: {} - - # Deployment strategy, for example: - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 + # Deployment update strategy for the cert-manager webhook deployment. 
+ # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 strategy: {} # Pod Security Context to be set on the webhook component Pod - # Rref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # +docs:property securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - podDisruptionBudget: - enabled: false - - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - - # +docs:property - # minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) - # minAvailable: 1 - - # +docs:property - # maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) - # maxUnavailable: 1 - # Container Security Context to be set on the webhook component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # +docs:property 
@@ -474,6 +585,27 @@ webhook: - ALL readOnlyRootFilesystem: true + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 + # Optional additional annotations to add to the webhook Deployment # +docs:property # deploymentAnnotations: {} @@ -504,10 +636,15 @@ webhook: # webhook pod. featureGates: "" + # Resources to provide to the cert-manager webhook pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi # Liveness probe values # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes 
@@ -531,14 +668,51 @@ webhook: successThreshold: 1 timeoutSeconds: 1 + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller topologySpreadConstraints: [] # Optional additional labels to add to the Webhook Pods 
@@ -548,24 +722,24 @@ webhook: serviceLabels: {} image: - # Registry to pull the image from + # The container registry to pull the webhook image from # +docs:property # registry: quay.io - # Image name, this can be the full image including registry or the short name - # excluding the registry. The registy can also be set in the `registry` property + # The container image for the cert-manager webhook + # +docs:property repository: quay.io/jetstack/cert-manager-webhook # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # +docs:property - # tag: canary + # tag: vX.Y.Z # Setting a digest will override any tag # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - # Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent serviceAccount: @@ -576,7 +750,7 @@ webhook: # If not set and create is true, a name is generated using the fullname template # +docs:property # name: "" - + # Optional additional annotations to add to the controller's ServiceAccount # +docs:property # annotations: {} @@ -589,6 +763,7 @@ webhook: automountServiceAccountToken: true # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true # The port that the webhook should listen on for requests. @@ -614,8 +789,9 @@ webhook: # reach internal services. serviceType: ClusterIP + # Specify the load balancer IP for the created service # +docs:property - # loadBalancerIP: "1.2.3.4" + # loadBalancerIP: "10.10.10.10" # Overrides the mutating webhook and validating webhook so they reach the webhook # service using the `url` field instead of a service. 
@@ -624,12 +800,19 @@ webhook: # Enables default network policies for webhooks. networkPolicy: + # Create network policies for the webhooks enabled: false + + # Ingress rule for the webhook network policy, by default will allow all + # inbound traffic # +docs:property ingress: - from: - ipBlock: cidr: 0.0.0.0/0 + + # Egress rule for the webhook network policy, by default will allow all + # outbound traffic traffic to ports 80 and 443, as well as DNS ports # +docs:property egress: - ports: @@ -649,7 +832,10 @@ webhook: - ipBlock: cidr: 0.0.0.0/0 + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be 
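Review bot: The new egress comment in the webhook `networkPolicy` block has a doubled word, `# outbound traffic traffic to ports 80 and 443, as well as DNS ports`; it should read `# outbound traffic to ports 80 and 443, as well as DNS ports`. The new ingress comment two lines above, `# Ingress rule for the webhook network policy, by default will allow all`, reads better as `# Ingress rule for the webhook network policy; by default it allows all`. Both defaults are `0.0.0.0/0`, so it would help operators if these comments also said the defaults are intentionally permissive and meant to be narrowed to the cluster's actual source and destination ranges.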
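Review bot: The comments added above `volumes: []` and `volumeMounts: []` in the webhook section say `cert-manager controller pod` and `cert-manager controller container`, but this block configures the webhook; they should read `# Additional volumes to add to the cert-manager webhook pod.` and `# Additional volume mounts to add to the cert-manager webhook container.`. The same copy-paste appears in the cainjector hunk `@@ -786,18 +1038,21 @@` and the startupapicheck hunk `@@ -948,16 +1240,20 @@`, and the new resources comment in `@@ -883,41 +1142,73 @@ startupapicheck:` also says `cert-manager controller pod`. Each comment should name the component it sits under, since these comments become the property descriptions in the generated README.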
@@ -660,51 +846,54 @@ webhook: # +docs:section=CA Injector cainjector: + # Create the CA Injector deployment enabled: true + + # Number of replicas of the cert-manager cainjector to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + # + # Note: cert-manager uses leader election to ensure that there can + # only be a single instance active at a time. replicaCount: 1 # Used to configure options for the cainjector pod. # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. - # Flags will override options that are set here. For example: - # apiVersion: cainjector.config.cert-manager.io/v1alpha1 - # kind: CAInjectorConfiguration - # logging: - # verbosity: 2 - # format: text - # leaderElectionConfig: - # namespace: kube-system + # Flags will override options that are set here. + # + # For example: + # apiVersion: cainjector.config.cert-manager.io/v1alpha1 + # kind: CAInjectorConfiguration + # logging: + # verbosity: 2 + # format: text + # leaderElectionConfig: + # namespace: kube-system config: {} - # Deployment strategy, for example: - # type: RollingUpdate - # rollingUpdate: - # maxSurge: 0 - # maxUnavailable: 1 + # Deployment update strategy for the cert-manager cainjector deployment. 
+ # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 strategy: {} # Pod Security Context to be set on the cainjector component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault - - podDisruptionBudget: - enabled: false - - # minAvailable and maxUnavailable can either be set to an integer (e.g. 1) - # or a percentage value (e.g. 25%) - # if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` - - # +docs:property - # minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) - # minAvailable: 1 - - # +docs:property - # maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) - # maxUnavailable: 1 - + # Container Security Context to be set on the cainjector component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ # +docs:property 
@@ -715,6 +904,26 @@ cainjector: - ALL readOnlyRootFilesystem: true + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 # Optional additional annotations to add to the cainjector Deployment # +docs:property 
@@ -734,49 +943,92 @@ cainjector: # cainjector pod. featureGates: "" + # Resources to provide to the cert-manager cainjector pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller topologySpreadConstraints: [] # Optional additional labels to add to the CA Injector Pods podLabels: {} image: - # Registry to pull the image from + # The container 
registry to pull the cainjector image from # +docs:property # registry: quay.io - # Image name, this can be the full image including registry or the short name - # excluding the registry. The registy can also be set in the `registry` property - repository: quay.io/jetstack/cert-manager-cainjector + # The container image for the cert-manager cainjector + # +docs:property + repository: quay.io/jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # +docs:property - # tag: canary + # tag: vX.Y.Z # Setting a digest will override any tag # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - # Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true - + # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # +docs:property @@ -786,18 +1038,21 @@ cainjector: # +docs:property # annotations: {} - # Automount API credentials for a Service Account. # Optional additional labels to add to the cainjector's ServiceAccount # +docs:property # labels: {} + # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod # +docs:property # automountServiceAccountToken: true + # Additional volumes to add to the cert-manager controller pod. volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. volumeMounts: [] # enableServiceLinks indicates whether information about services should be 
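Review bot: The cainjector image repository is changed from `quay.io/jetstack/cert-manager-cainjector` to `quay.io/jetstack/cert-manager-controller`, so anyone copying this example values file would run the controller image in the cainjector Deployment. Nothing in the commit message explains it and every other image hunk keeps its component-specific repository, so this looks like an accidental edit; the new side should stay `repository: quay.io/jetstack/cert-manager-cainjector`. In the same hunk, the `topologySpreadConstraints` example selects `app.kubernetes.io/component: controller`, which would spread cainjector pods relative to controller pods; `app.kubernetes.io/component: cainjector` is the value that matches this section (the webhook hunk `@@ -531,14 +668,51 @@` carries the same example and should say `webhook`).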
@@ -809,33 +1064,37 @@ cainjector: acmesolver: image: - # Image registry to pull from + # The container registry to pull the acmesolver image from # +docs:property # registry: quay.io - # Image name, this can be the full image including registry or the short name - # excluding the registry. The registy can also be set in the `registry` property + # The container image for the cert-manager acmesolver + # +docs:property repository: quay.io/jetstack/cert-manager-acmesolver # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # +docs:property - # tag: canary + # tag: vX.Y.Z # Setting a digest will override any tag # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 -# +docs:section=Startup check API + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + +# +docs:section=Startup API Check # This startupapicheck is a Helm post-install hook that waits for the webhook # endpoints to become available. -# The check is implemented using a Kubernetes Job- if you are injecting mesh +# The check is implemented using a Kubernetes Job - if you are injecting mesh # sidecar proxies into cert-manager pods, you probably want to ensure that they # are not injected into this Job's pod. Otherwise the installation may time out # due to the Job never being completed because the sidecar proxy does not exit. # See https://github.com/cert-manager/cert-manager/pull/4414 for context. startupapicheck: + # Enables the startup api check enabled: true # Pod Security Context to be set on the startupapicheck component Pod 
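Review bot: The comment on the newly added `acmesolver.image.pullPolicy` line, `# Kubernetes imagePullPolicy on Deployment.`, is copied from the Deployment-backed components; as far as I know the acmesolver image is used for the per-challenge solver pods the controller creates rather than by a Deployment, so `# Kubernetes imagePullPolicy for the acmesolver pods.` would be accurate. If the chart templates do not yet consume this value, the comment should say so, because readers of the generated README will assume it is honoured.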
@@ -883,41 +1142,73 @@ startupapicheck: extraArgs: - -v + # Resources to provide to the cert-manager controller pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ resources: {} - # requests: - # cpu: 10m - # memory: 32Mi + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. # +docs:property nodeSelector: kubernetes.io/os: linux + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master affinity: {} + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule tolerations: [] # Optional additional labels to add to the startupapicheck Pods podLabels: {} image: - # Image registry to pull from + # The container registry to pull the startupapicheck image from # +docs:property # registry: quay.io - # Image name, this can be the full image including registry or the short name - # excluding the registry. The registy can also be set in the `registry` property + # The container image for the cert-manager startupapicheck + # +docs:property repository: quay.io/jetstack/cert-manager-startupapicheck # Override the image tag to deploy by setting this variable. 
# If no value is set, the chart's appVersion will be used. # +docs:property - # tag: canary + # tag: vX.Y.Z # Setting a digest will override any tag # +docs:property # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 - # Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + # Kubernetes imagePullPolicy on Deployment. pullPolicy: IfNotPresent rbac: @@ -929,6 +1220,7 @@ startupapicheck: helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automounting API credentials for a particular pod + # +docs:property # automountServiceAccountToken: true serviceAccount: @@ -948,16 +1240,20 @@ startupapicheck: helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded # Automount API credentials for a Service Account. + # +docs:property automountServiceAccountToken: true # Optional additional labels to add to the startupapicheck's ServiceAccount # +docs:property # labels: {} + # Additional volumes to add to the cert-manager controller pod. volumes: [] - volumeMounts: [] + # Additional volume mounts to add to the cert-manager controller container. + volumeMounts: [] + # enableServiceLinks indicates whether information about services should be # injected into pod's environment variables, matching the syntax of Docker # links. - enableServiceLinks: false \ No newline at end of file + enableServiceLinks: false diff --git a/go.mod b/go.mod index 436acba..29d4571 100644 --- a/go.mod +++ b/go.mod 
@@ -19,18 +19,18 @@ require ( github.com/go-openapi/swag v0.22.3 // indirect github.com/golang/protobuf v1.5.2 // indirect github.com/google/gnostic-models v0.6.8 // indirect - github.com/google/uuid v1.1.2 // indirect - github.com/huandu/xstrings v1.3.3 // indirect - github.com/imdario/mergo v0.3.11 // indirect + github.com/google/uuid v1.5.0 // indirect + github.com/huandu/xstrings v1.4.0 // indirect + github.com/imdario/mergo v0.3.16 // indirect github.com/inconshreveable/mousetrap v1.1.0 // indirect github.com/josharian/intern v1.0.0 // indirect github.com/mailru/easyjson v0.7.7 // indirect - github.com/mitchellh/copystructure v1.0.0 // indirect - github.com/mitchellh/reflectwalk v1.0.0 // indirect + github.com/mitchellh/copystructure v1.2.0 // indirect + github.com/mitchellh/reflectwalk v1.0.2 // indirect github.com/pmezard/go-difflib v1.0.0 // indirect github.com/shopspring/decimal v1.2.0 // indirect github.com/spf13/cast v1.3.1 // indirect github.com/spf13/pflag v1.0.5 // indirect - golang.org/x/crypto v0.3.0 // indirect + golang.org/x/crypto v0.18.0 // indirect google.golang.org/protobuf v1.27.1 // indirect ) diff --git a/go.sum b/go.sum index 2a1226a..41998f0 100644 --- a/go.sum +++ b/go.sum 
@@ -25,12 +25,14 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/ github.com/google/gofuzz v1.1.0 h1:Hsa8mG0dQ46ij8Sl2AYJDUv1oA9/d6Vk+3LG99Oe02g= github.com/google/gofuzz v1.1.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg= github.com/google/uuid v1.1.1/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/google/uuid v1.1.2 h1:EVhdT+1Kseyi1/pUmXKaFxYsDNy9RQYkMWRH68J/W7Y= -github.com/google/uuid v1.1.2/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= -github.com/huandu/xstrings v1.3.3 h1:/Gcsuc1x8JVbJ9/rlye4xZnVAbEkGauT8lbebqcQws4= +github.com/google/uuid v1.5.0 h1:1p67kYwdtXjb0gL0BPiP1Av9wiZPo5A8z2cWkTZ+eyU= +github.com/google/uuid v1.5.0/go.mod h1:TIyPZe4MgqvfeYDBFedMoGGpEw/LqOeaOT+nhxU+yHo= github.com/huandu/xstrings v1.3.3/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= -github.com/imdario/mergo v0.3.11 h1:3tnifQM4i+fbajXKBHXWEH+KvNHqojZ778UH75j3bGA= +github.com/huandu/xstrings v1.4.0 h1:D17IlohoQq4UcpqD7fDk80P7l+lwAmlFaBHgOipl2FU= +github.com/huandu/xstrings v1.4.0/go.mod h1:y5/lhBue+AyNmUVz9RLU9xbLR0o4KIIExikq4ovT0aE= github.com/imdario/mergo v0.3.11/go.mod h1:jmQim1M+e3UYxmgPu/WyfjB3N3VflVyUjjjwH0dnCYA= +github.com/imdario/mergo v0.3.16 h1:wwQJbIsHYGMUyLSPrEq1CT16AhnhNJQ51+4fdHUnCl4= +github.com/imdario/mergo v0.3.16/go.mod h1:WBLT9ZmE3lPoWsEzCh9LPo3TiwVN+ZKEjmz+hD27ysY= github.com/inconshreveable/mousetrap v1.1.0 h1:wN+x4NVGpMsO7ErUn/mUI3vEoE6Jt13X2s0bqwp9tc8= github.com/inconshreveable/mousetrap v1.1.0/go.mod h1:vpF70FUmC8bwa3OWnCshd2FqLfsEA9PFc4w1p2J65bw= github.com/josharian/intern v1.0.0 h1:vlS4z54oSdjm0bgjRigI+G1HpF+tI+9rE5LLzOg8HmY= 
@@ -43,10 +45,12 @@ github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY= github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE= github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0= github.com/mailru/easyjson v0.7.7/go.mod h1:xzfreul335JAWq5oZzymOObrkdz5UnU4kGfJJLY9Nlc= -github.com/mitchellh/copystructure v1.0.0 h1:Laisrj+bAB6b/yJwB5Bt3ITZhGJdqmxquMKeZ+mmkFQ= github.com/mitchellh/copystructure v1.0.0/go.mod h1:SNtv71yrdKgLRyLFxmLdkAbkKEFWgYaq1OVrnRcwhnw= -github.com/mitchellh/reflectwalk v1.0.0 h1:9D+8oIskB4VJBN5SFlmc27fSlIBZaov1Wpk/IfikLNY= +github.com/mitchellh/copystructure v1.2.0 h1:vpKXTN4ewci03Vljg/q9QvCGUDttBOGBIa15WveJJGw= +github.com/mitchellh/copystructure v1.2.0/go.mod h1:qLl+cE2AmVv+CoeAwDPye/v+N2HKCj9FbZEVFJRxO9s= github.com/mitchellh/reflectwalk v1.0.0/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= +github.com/mitchellh/reflectwalk v1.0.2 h1:G2LzWKi524PWgd3mLHV8Y5k7s6XUvT0Gef6zxSIeXaQ= +github.com/mitchellh/reflectwalk v1.0.2/go.mod h1:mSTlrgnPZtwu0c4WaC2kGObEpuNDbx0jmZXqmk4esnw= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= 
@@ -70,8 +74,9 @@ github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o github.com/yuin/goldmark v1.4.13/go.mod h1:6yULJ656Px+3vBD8DxQVa3kxgyrAnzto9xy5taEt/CY= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20210921155107-089bfa567519/go.mod h1:GvvjBRRGRdwPK5ydBHafDWAxML/pGHZbMvKqRZ5+Abc= -golang.org/x/crypto v0.3.0 h1:a06MkbcxBrEFc0w0QIZWXrH/9cCX6KJyWbBOIwAn+7A= golang.org/x/crypto v0.3.0/go.mod h1:hebNnKkNXi2UzZN1eVRvBB7co0a+JxK6XbPiWVs/3J4= +golang.org/x/crypto v0.18.0 h1:PGVlW0xEltQnzFZ55hkuX5+KLyrMYhHld1YHO4AKcdc= +golang.org/x/crypto v0.18.0/go.mod h1:R0j02AL6hcrfOiy9T4ZYp/rcWeMxM3L6QYxlOuEG1mg= golang.org/x/mod v0.6.0-dev.0.20220419223038-86c51ed26bb4/go.mod h1:jJ57K6gSWd91VN4djpZkiMVwK6gcyfeH4XE8wZrZaV4= golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= @@ -108,8 +113,6 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q= gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= -gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY= -gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ= gopkg.in/yaml.v3 v3.0.0-20200313102051-9f266ea9e77c/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA= gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM= diff --git a/main.go b/main.go index 2f5355b..81001f7 100644 --- a/main.go +++ b/main.go 
@@ -52,7 +52,13 @@ var Render = cobra.Command{ os.Exit(1) } - fmt.Println(render.Render(templateName, document)) + result, err := render.Render(templateName, document) + if err != nil { + fmt.Fprintf(os.Stderr, "Error rendering template: %s\n", err) + os.Exit(1) + } + + fmt.Println(result) }, } diff --git a/render/markdown-table b/render/markdown-table index a047c63..4ed91f9 100644 --- a/render/markdown-table +++ b/render/markdown-table @@ -1,30 +1,12 @@ {{- /* Comment rendering depends on the comment type, define a helper function */}} {{ define "comment" }} {{ if eq .Type "yaml" }} -
-{{- range .Contents }}
+```yaml
 {{ . }}
-{{- end }}
-
+``` {{- else if eq .Type "text" }} -

- -{{ $firstLineInParagraph := true }} -{{- range .Contents }} -{{- if eq . "" }} - -

-

- -{{ $firstLineInParagraph = true }} -{{- else }} -{{- if $firstLineInParagraph }}{{ . }}{{ else }}
-{{ . }}{{ end }} -{{- $firstLineInParagraph = false }} -{{- end }} -{{- end }} - -

+{{- /* Newlines are only preserved in markdown if the line ends with two or more spaces */}} +{{ .String | replace "\n" " \n"}} {{- end }} {{- end }} @@ -66,10 +48,11 @@ {{.Type}} -
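Review bot: The yaml branch of the `comment` helper now renders `{{ . }}` where `.` is the whole segment rather than one of its `.Contents` lines, so it relies on the segment type's Stringer being picked up implicitly, while the text branch a few lines below calls `.String` explicitly; using `{{ .String }}` in both branches makes the intent visible and does not depend on that implicit conversion. The text branch also pipes the comment through sprig's `replace`, which only exists because render.go registers `sprig.TxtFuncMap()`; a template comment above it, `{{- /* requires the sprig function map registered in render.go */}}`, would save the next reader a search. Neither branch escapes the comment text — text/template writes it verbatim, so any HTML in a values.yaml comment becomes live markup in the generated README; that is existing behaviour, but the helper's leading comment should state it.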
{{.Default}}
+```yaml +{{.Default}} +``` - {{- end }} diff --git a/render/markdown-table-vertical b/render/markdown-table-vertical new file mode 100644 index 0000000..106614e --- /dev/null +++ b/render/markdown-table-vertical @@ -0,0 +1,57 @@ +{{- /* Comment rendering depends on the comment type, define a helper function */}} +{{ define "comment" }} +{{ if eq .Type "yaml" }} +```yaml +{{ . }} +``` +{{- else if eq .Type "text" }} +{{- /* Newlines are only preserved in markdown if the line ends with two or more spaces */}} +{{ .String | replace "\n" " \n"}} +{{- end }} +{{- end }} + +{{- /* Iterate over defined sections */}} +{{- range .Sections }} + + {{- /* Render section header */}} + {{- if .Name }} +## {{ .Name }} + {{- end }} + + {{- /* Render the description comment */}} + {{- range .Description.Segments }} + {{- template "comment" . }} + {{- end }} + + {{- /* Iterate over properties within the section */}} + {{- range .Properties }} + +### {{ .Name }} + + + + + + + + + + + + + + +
Property{{ .Name }}
Type{{.Type}}
Default + +```yaml +{{.Default}} +``` + +
+ +{{- range .Description.Segments }} + {{- template "comment" . }} +{{- end }} + +{{ end }} +{{- end }} \ No newline at end of file diff --git a/render/render.go b/render/render.go index f13b757..b50f846 100644 --- a/render/render.go +++ b/render/render.go @@ -27,9 +27,12 @@ import ( "text/template" "github.com/cert-manager/helm-tool/parser" + + "github.com/Masterminds/sprig/v3" ) //go:embed markdown-table +//go:embed markdown-table-vertical var templates embed.FS func openTemplate(path string) (fs.File, error) { @@ -58,7 +61,7 @@ func Render(templateName string, document *parser.Document) (string, error) { return "", err } - template, err := template.New(templateName).Parse(string(templateBytes)) + template, err := template.New(templateName).Funcs(sprig.TxtFuncMap()).Parse(string(templateBytes)) if err != nil { return "", err }
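Review bot: The `comment` helper in the new markdown-table-vertical file is a verbatim copy of the one in render/markdown-table, including the same `{{ . }}` versus `.String` inconsistency between its yaml and text branches; parsing a shared partial alongside each layout (or at least a comment in each copy pointing at the other) would keep the two from drifting. The file is also added without a trailing newline, as the `\ No newline at end of file` marker shows. As in the horizontal template, the description segments are written unescaped into the README, which the helper's leading comment should state.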
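Review bot: The new `github.com/Masterminds/sprig/v3` import is placed in its own group after the module-local `github.com/cert-manager/helm-tool/parser` import; the goimports convention is stdlib, then third-party, then local, so sprig belongs in a group before the parser import. The second `//go:embed markdown-table-vertical` directive works, but a single `//go:embed markdown-table markdown-table-vertical` keeps the embedded template list in one place as more layouts are added.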
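Review bot: The rewritten line `template, err := template.New(templateName).Funcs(sprig.TxtFuncMap()).Parse(string(templateBytes))` keeps a local named `template` that shadows the `text/template` package for the rest of the function; since the line is being touched anyway, `tmpl, err := template.New(templateName).Funcs(sprig.TxtFuncMap()).Parse(string(templateBytes))` avoids the shadowing and the associated linter warning. `sprig.TxtFuncMap()` exposes the full sprig set, including functions that read the process environment such as `env` and `expandenv`; that is acceptable as long as templates come only from the embedded FS rather than from users, which is what the visible `embed.FS` suggests, but a comment on this line such as `// templates are embedded, not user-supplied, so exposing the full sprig map is acceptable` would record that assumption before a future option for external template files widens it. Render's body continues outside the hunk.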