Default values for cert-manager.
This is a YAML-formatted file.
Declare variables to be passed into your templates.
Reference to one or more secrets to be used when pulling images
ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/|`array`|
[]| -|`global.commonLabels`|
Labels to apply to all resources
Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource:
eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
eg. secretTemplate in CertificateSpec
ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec|`object`|
{}|
-|`global.priorityClassName`|Optional priority class to be used for the cert-manager pods
|`string`|""| -|`global.rbac.create`|
Create RBAC rules
|`bool`|true| -|`global.rbac.aggregateClusterRoles`|
Aggregate ClusterRoles to Kubernetes default user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
|`bool`|true| -|`global.logLevel`|
Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
|`number`|2| -|`global.leaderElection.namespace`|
Override the namespace used for the leader election lease
|`string`|kube-system| -|`global.leaderElection.leaseDuration`|
The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate.
|`string`|undefined| -|`global.leaderElection.renewDeadline`|
The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
|`string`|undefined| -|`global.leaderElection.retryPeriod`|
The duration the clients should wait between attempting acquisition and renewal of a leadership.
|`string`|undefined| -|`installCRDs`|
Install the CRDs
|`bool`|false| -|`replicaCount`|
Number of replicas to run of the cert-manager controller
|`number`|1| -|`strategy`|
Update strategy to use, for example:
type: RollingUpdate|`object`|
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
{}|
-|`podDisruptionBudget.minAvailable`|minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1`
minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%)
|`number`|undefined| -|`podDisruptionBudget.maxUnavailable`|
maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%)
|`number`|undefined| -|`featureGates`|
Comma separated list of feature gates that should be enabled on the controller pod.
|`string`|""| -|`maxConcurrentChallenges`|
The maximum number of challenges that can be scheduled as 'processing' at once
|`number`|60| -|`image.registry`|
Registry to pull the image from
|`string`|undefined| -|`image.repository`|
Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property
|`string`|quay.io/jetstack/cert-manager-controller| -|`image.tag`|
Override the image tag to deploy by setting this variable.
If no value is set, the chart's appVersion will be used.
undefined| -|`image.digest`|
Setting a digest will override any tag
|`string`|undefined| -|`image.pullPolicy`|
Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
|`string`|IfNotPresent| -|`clusterResourceNamespace`|
Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart.
|`string`|""| -|`namespace`|
This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart)
|`string`|""| -|`serviceAccount.create`|
Specifies whether a service account should be created
|`bool`|true| -|`serviceAccount.name`|
The name of the service account to use.
If not set and create is true, a name is generated using the fullname template
undefined| -|`serviceAccount.annotations`|
Optional additional annotations to add to the controller's ServiceAccount
|`object`|undefined| -|`serviceAccount.labels`|
Automount API credentials for a Service Account.
Optional additional labels to add to the controller's ServiceAccount
undefined| -|`serviceAccount.automountServiceAccountToken`|
Service account token wil be automatically mounted in Pods
|`bool`|true| -|`automountServiceAccountToken`|
Automounting API credentials for a particular pod
|`bool`|undefined| -|`enableCertificateOwnerRef`|
When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|`bool`|false| -|`config`|
Used to configure options for the controller pod.
This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
Flags will override options that are set here.
For example:
apiVersion: controller.config.cert-manager.io/v1alpha1|`object`|
kind: ControllerConfiguration
logging:
verbosity: 2
format: text
leaderElectionConfig:
namespace: kube-system
kubernetesAPIQPS: 9000
kubernetesAPIBurst: 9000
numberOfConcurrentWorkers: 200
featureGates:
AdditionalCertificateOutputFormats: true
DisallowInsecureCSRUsageDefinition: true
ExperimentalCertificateSigningRequestControllers: true
ExperimentalGatewayAPISupport: true
LiteralCertificateSubject: true
SecretsFilteredCaching: true
ServerSideApply: true
StableCertificateRequestName: true
UseCertificateRequestBasicConstraints: true
ValidateCAA: true
{}|
-|`dns01RecursiveNameservers`|Setting Nameservers for DNS01 Self Check
See: https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check
Comma separated string with host and port of the recursive nameservers cert-manager should query
|`string`|""| -|`dns01RecursiveNameserversOnly`|
Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers
|`bool`|false| -|`extraArgs`|
Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller:
[]| -|`extraEnv`|
Additional environment variables
|`array`|[]| -|`resources`|
Resources the controller will be given
|`object`|{}|
-|`securityContext`|Pod Security Context
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/|`object`|
runAsNonRoot: true| -|`containerSecurityContext`|
seccompProfile:
type: RuntimeDefault
Container Security Context to be set on the controller component container
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/|`object`|
allowPrivilegeEscalation: false| -|`volumes`|
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Volumes to mount to the controller pod
|`array`|[]| -|`volumeMounts`|
Volumes specified in `volumes` to mount to the controller container
|`array`|[]| -|`deploymentAnnotations`|
Optional additional annotations to add to the controller Deployment
|`object`|undefined| -|`podAnnotations`|
Optional additional annotations to add to the controller Pods
|`object`|undefined| -|`podLabels`|
Optional additional labels to add to the controller Pods
|`object`|{}|
-|`serviceAnnotations`|Optional annotations to add to the controller Service
|`object`|undefined| -|`serviceLabels`|
Optional additional labels to add to the controller Service
|`object`|undefined| -|`podDnsPolicy`|
DNS policy to use within the controller pod
|`string`|undefined| -|`podDnsConfig`|
Optional DNS settings, useful if you have a public and private DNS zone for the same domain on Route 53. What follows is an example of ensuring cert-manager can access an ingress or DNS TXT records at all times. NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for the cluster to work.
|`object`|undefined| -|`nodeSelector`|
Node selector to limit the nodes the controller can schedule on
|`object`|kubernetes.io/os: linux| -|`ingressShim.defaultIssuerName`|
Optional default issuer to use for ingress resources
|`string`|undefined| -|`ingressShim.defaultIssuerKind`|
Optional default issuer kind to use for ingress resources
|`string`|undefined| -|`ingressShim.defaultIssuerGroup`|
Optional default issuer group to use for ingress resources
|`string`|undefined| -|`http_proxy`|
Use these variables to configure the HTTP_PROXY environment variables
undefined| -|`https_proxy`||`string`|
undefined| -|`no_proxy`||`string`|
undefined| -|`affinity`|
A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core for example:
affinity:|`object`|
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: foo.bar.com/role
operator: In
values:
- master
{}|
-|`tolerations`|A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core for example:
tolerations:|`array`|
- key: foo.bar.com/role
operator: Equal
value: master
effect: NoSchedule
[]| -|`topologySpreadConstraints`|
A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core for example:
topologySpreadConstraints:|`array`|
- maxSkew: 2
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
[]| -|`livenessProbe.enabled`||`bool`|
true| -|`livenessProbe.initialDelaySeconds`||`number`|
10| -|`livenessProbe.periodSeconds`||`number`|
10| -|`livenessProbe.timeoutSeconds`||`number`|
15| -|`livenessProbe.successThreshold`||`number`|
1| -|`livenessProbe.failureThreshold`||`number`|
8| -|`enableServiceLinks`|
enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.
|`bool`|false| + +
+
+Default values for cert-manager.
+This is a YAML-formatted file.
+Declare variables to be passed into your templates.
+
+
| Property | +Description | +Type | +Default | +
|---|---|---|---|
| global.imagePullSecrets | +
+ + +Reference to one or more secrets to be used when pulling images + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
+
+ |
+array | +
+
+[]
+
+ |
+
| global.commonLabels | +
+
+
+Labels to apply to all resources + +eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + + + +ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
+
++ +eg. secretTemplate in CertificateSpec + + + +ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
+
+ |
+object | +
+
+{}
+
+ |
+
| global.priorityClassName | +
+ + +Optional priority class to be used for the cert-manager pods + + + |
+string | +
+
+""
+
+ |
+
| global.rbac.create | +
+ + +Create RBAC rules + + + |
+bool | +
+
+true
+
+ |
+
| global.rbac.aggregateClusterRoles | +
+ + +Aggregate ClusterRoles to Kubernetes default user-facing roles. ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + + + |
+bool | +
+
+true
+
+ |
+
| global.logLevel | +
+ + +Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. + + + |
+number | +
+
+2
+
+ |
+
| global.leaderElection.namespace | +
+ + +Override the namespace used for the leader election lease + + + |
+string | +
+
+kube-system
+
+ |
+
| global.leaderElection.leaseDuration | +
+ + +The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. + + + |
+string | +
+
+undefined
+
+ |
+
| global.leaderElection.renewDeadline | +
+ + +The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. + + + |
+string | +
+
+undefined
+
+ |
+
| global.leaderElection.retryPeriod | +
+ + +The duration the clients should wait between attempting acquisition and renewal of a leadership. + + + |
+string | +
+
+undefined
+
+ |
+
| installCRDs | +
+ + +Install the CRDs + + + |
+bool | +
+
+false
+
+ |
+
| replicaCount | +
+ + +Number of replicas to run of the cert-manager controller + + + |
+number | +
+
+1
+
+ |
+
| strategy | +
+ + +Update strategy to use, for example: + + + +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+
+ |
+object | +
+
+{}
+
+ |
+
| podDisruptionBudget.minAvailable | +
+ + +minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + + ++ +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + + |
+number | +
+
+undefined
+
+ |
+
| podDisruptionBudget.maxUnavailable | +
+ + +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + + |
+number | +
+
+undefined
+
+ |
+
| featureGates | +
+ + +Comma separated list of feature gates that should be enabled on the controller pod. + + + |
+string | +
+
+""
+
+ |
+
| maxConcurrentChallenges | +
+ + +The maximum number of challenges that can be scheduled as 'processing' at once + + + |
+number | +
+
+60
+
+ |
+
| image.registry | +
+ + +Registry to pull the image from + + + |
+string | +
+
+undefined
+
+ |
+
| image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + + |
+string | +
+
+quay.io/jetstack/cert-manager-controller
+
+ |
+
| image.tag | +
+ + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + |
+string | +
+
+undefined
+
+ |
+
| image.digest | +
+ + +Setting a digest will override any tag + + + |
+string | +
+
+undefined
+
+ |
+
| image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + + |
+string | +
+
+IfNotPresent
+
+ |
+
| clusterResourceNamespace | +
+ + +Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. + + + |
+string | +
+
+""
+
+ |
+
| namespace | +
+ + +This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart) + + + |
+string | +
+
+""
+
+ |
+
| serviceAccount.create | +
+ + +Specifies whether a service account should be created + + + |
+bool | +
+
+true
+
+ |
+
| serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+undefined
+
+ |
+
| serviceAccount.annotations | +
+ + +Optional additional annotations to add to the controller's ServiceAccount + + + |
+object | +
+
+undefined
+
+ |
+
| serviceAccount.labels | +
+
+
+Automount API credentials for a Service Account. |
+object | +
+
+undefined
+
+ |
+
| serviceAccount.automountServiceAccountToken | +
+ + +Service account token wil be automatically mounted in Pods + + + |
+bool | +
+
+true
+
+ |
+
| automountServiceAccountToken | +
+ + +Automounting API credentials for a particular pod + + + |
+bool | +
+
+undefined
+
+ |
+
| enableCertificateOwnerRef | +
+ + +When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted + + + |
+bool | +
+
+false
+
+ |
+
| config | +
+
+
+Used to configure options for the controller pod. + +For example: + + + +apiVersion: controller.config.cert-manager.io/v1alpha1
+kind: ControllerConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+kubernetesAPIQPS: 9000
+kubernetesAPIBurst: 9000
+numberOfConcurrentWorkers: 200
+featureGates:
+ AdditionalCertificateOutputFormats: true
+ DisallowInsecureCSRUsageDefinition: true
+ ExperimentalCertificateSigningRequestControllers: true
+ ExperimentalGatewayAPISupport: true
+ LiteralCertificateSubject: true
+ SecretsFilteredCaching: true
+ ServerSideApply: true
+ StableCertificateRequestName: true
+ UseCertificateRequestBasicConstraints: true
+ ValidateCAA: true
+
+ |
+object | +
+
+{}
+
+ |
+
| dns01RecursiveNameservers | +
+
+
+Setting Nameservers for DNS01 Self Check + +Comma separated string with host and port of the recursive nameservers cert-manager should query + + + |
+string | +
+
+""
+
+ |
+
| dns01RecursiveNameserversOnly | +
+ + +Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers + + + |
+bool | +
+
+false
+
+ |
+
| extraArgs | +
+
+
+Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller: |
+array | +
+
+[]
+
+ |
+
| extraEnv | +
+ + +Additional environment variables + + + |
+array | +
+
+[]
+
+ |
+
| resources | +
+ + +Resources the controller will be given + + + |
+object | +
+
+{}
+
+ |
+
| securityContext | +
+ + +Pod Security Context + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ |
+object | +
+
+runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+ |
+
| containerSecurityContext | +
+ + +Container Security Context to be set on the controller component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ |
+object | +
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| volumes | +
+ + +Volumes to mount to the controller pod + + + |
+array | +
+
+[]
+
+ |
+
| volumeMounts | +
+ + +Volumes specified in `volumes` to mount to the controller container + + + |
+array | +
+
+[]
+
+ |
+
| deploymentAnnotations | +
+ + +Optional additional annotations to add to the controller Deployment + + + |
+object | +
+
+undefined
+
+ |
+
| podAnnotations | +
+ + +Optional additional annotations to add to the controller Pods + + + |
+object | +
+
+undefined
+
+ |
+
| podLabels | +
+ + +Optional additional labels to add to the controller Pods + + + |
+object | +
+
+{}
+
+ |
+
| serviceAnnotations | +
+ + +Optional annotations to add to the controller Service + + + |
+object | +
+
+undefined
+
+ |
+
| serviceLabels | +
+ + +Optional additional labels to add to the controller Service + + + |
+object | +
+
+undefined
+
+ |
+
| podDnsPolicy | +
+ + +DNS policy to use within the controller pod + + + |
+string | +
+
+undefined
+
+ |
+
| podDnsConfig | +
+ + +Optional DNS settings, useful if you have a public and private DNS zone for the same domain on Route 53. What follows is an example of ensuring cert-manager can access an ingress or DNS TXT records at all times. NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for the cluster to work. + + + |
+object | +
+
+undefined
+
+ |
+
| nodeSelector | +
+ + +Node selector to limit the nodes the controller can schedule on + + + |
+object | +
+
+kubernetes.io/os: linux
+
+ |
+
| ingressShim.defaultIssuerName | +
+ + +Optional default issuer to use for ingress resources + + + |
+string | +
+
+undefined
+
+ |
+
| ingressShim.defaultIssuerKind | +
+ + +Optional default issuer kind to use for ingress resources + + + |
+string | +
+
+undefined
+
+ |
+
| ingressShim.defaultIssuerGroup | +
+ + +Optional default issuer group to use for ingress resources + + + |
+string | +
+
+undefined
+
+ |
+
| http_proxy | +
+ + +Use these variables to configure the HTTP_PROXY environment variables + + + |
+string | +
+
+undefined
+
+ |
+
| https_proxy | ++ | +string | +
+
+undefined
+
+ |
+
| no_proxy | ++ | +string | +
+
+undefined
+
+ |
+
| affinity | +
+ + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core for example: + + + +affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: foo.bar.com/role
+ operator: In
+ values:
+ - master
+
+ |
+object | +
+
+{}
+
+ |
+
| tolerations | +
+ + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core for example: + + + +tolerations:
+- key: foo.bar.com/role
+ operator: Equal
+ value: master
+ effect: NoSchedule
+
+ |
+array | +
+
+[]
+
+ |
+
| topologySpreadConstraints | +
+ + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core for example: + + + +topologySpreadConstraints:
+- maxSkew: 2
+ topologyKey: topology.kubernetes.io/zone
+ whenUnsatisfiable: ScheduleAnyway
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/instance: cert-manager
+ app.kubernetes.io/component: controller
+
+ |
+array | +
+
+[]
+
+ |
+
| livenessProbe.enabled | ++ | +bool | +
+
+true
+
+ |
+
| livenessProbe.initialDelaySeconds | ++ | +number | +
+
+10
+
+ |
+
| livenessProbe.periodSeconds | ++ | +number | +
+
+10
+
+ |
+
| livenessProbe.timeoutSeconds | ++ | +number | +
+
+15
+
+ |
+
| livenessProbe.successThreshold | ++ | +number | +
+
+1
+
+ |
+
| livenessProbe.failureThreshold | ++ | +number | +
+
+8
+
+ |
+
| enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + + |
+bool | +
+
+false
+
+ |
+
true| -|`prometheus.servicemonitor.enabled`|
Create a ServiceMonitor resource to scrape the metrics endpoint
|`bool`|false| -|`prometheus.servicemonitor.prometheusInstance`||`string`|
default| -|`prometheus.servicemonitor.targetPort`|
The port to scrape metrics from
|`number`|9402| -|`prometheus.servicemonitor.path`|
Path to scrape metrics from
|`string`|/metrics| -|`prometheus.servicemonitor.interval`|
Interval to scrape metrics
|`string`|60s| -|`prometheus.servicemonitor.scrapeTimeout`|
Timeout for each metrics scrape
|`string`|30s| -|`prometheus.servicemonitor.labels`|
Labels to add to the ServiceMonitor resource
|`object`|{}|
-|`prometheus.servicemonitor.annotations`|Annotations to add to the ServiceMonitor resource
|`object`|{}|
-|`prometheus.servicemonitor.honorLabels`||`bool`|false| -|`prometheus.servicemonitor.endpointAdditionalProperties`||`object`|
{}|
-|`prometheus.podmonitor.enabled`|Create a PodMonitor resource to scrape the metrics endpoint
|`bool`|false| -|`prometheus.podmonitor.prometheusInstance`||`string`|
default| -|`prometheus.podmonitor.path`|
Path to scrape metrics from
|`string`|/metrics| -|`prometheus.podmonitor.interval`|
Interval to scrape metrics
|`string`|60s| -|`prometheus.podmonitor.scrapeTimeout`|
Timeout for each metrics scrape
|`string`|30s| -|`prometheus.podmonitor.labels`|
Labels to add to the PodMonitor resource
|`object`|{}|
-|`prometheus.podmonitor.annotations`|Annotations to add to the PodMonitor resource
|`object`|{}|
-|`prometheus.podmonitor.honorLabels`||`bool`|false| -|`prometheus.podmonitor.endpointAdditionalProperties`||`object`|
{}|
+| Property | +Description | +Type | +Default | +
|---|---|---|---|
| prometheus.enabled | ++ | +bool | +
+
+true
+
+ |
+
| prometheus.servicemonitor.enabled | +
+ + +Create a ServiceMonitor resource to scrape the metrics endpoint + + + |
+bool | +
+
+false
+
+ |
+
| prometheus.servicemonitor.prometheusInstance | ++ | +string | +
+
+default
+
+ |
+
| prometheus.servicemonitor.targetPort | +
+ + +The port to scrape metrics from + + + |
+number | +
+
+9402
+
+ |
+
| prometheus.servicemonitor.path | +
+ + +Path to scrape metrics from + + + |
+string | +
+
+/metrics
+
+ |
+
| prometheus.servicemonitor.interval | +
+ + +Interval to scrape metrics + + + |
+string | +
+
+60s
+
+ |
+
| prometheus.servicemonitor.scrapeTimeout | +
+ + +Timeout for each metrics scrape + + + |
+string | +
+
+30s
+
+ |
+
| prometheus.servicemonitor.labels | +
+ + +Labels to add to the ServiceMonitor resource + + + |
+object | +
+
+{}
+
+ |
+
| prometheus.servicemonitor.annotations | +
+ + +Annotations to add to the ServiceMonitor resource + + + |
+object | +
+
+{}
+
+ |
+
| prometheus.servicemonitor.honorLabels | ++ | +bool | +
+
+false
+
+ |
+
| prometheus.servicemonitor.endpointAdditionalProperties | ++ | +object | +
+
+{}
+
+ |
+
| prometheus.podmonitor.enabled | +
+ + +Create a PodMonitor resource to scrape the metrics endpoint + + + |
+bool | +
+
+false
+
+ |
+
| prometheus.podmonitor.prometheusInstance | ++ | +string | +
+
+default
+
+ |
+
| prometheus.podmonitor.path | +
+ + +Path to scrape metrics from + + + |
+string | +
+
+/metrics
+
+ |
+
| prometheus.podmonitor.interval | +
+ + +Interval to scrape metrics + + + |
+string | +
+
+60s
+
+ |
+
| prometheus.podmonitor.scrapeTimeout | +
+ + +Timeout for each metrics scrape + + + |
+string | +
+
+30s
+
+ |
+
| prometheus.podmonitor.labels | +
+ + +Labels to add to the PodMonitor resource + + + |
+object | +
+
+{}
+
+ |
+
| prometheus.podmonitor.annotations | +
+ + +Annotations to add to the PodMonitor resource + + + |
+object | +
+
+{}
+
+ |
+
| prometheus.podmonitor.honorLabels | ++ | +bool | +
+
+false
+
+ |
+
| prometheus.podmonitor.endpointAdditionalProperties | ++ | +object | +
+
+{}
+
+ |
+
| Property | +Description | +Type | +Default | +
|---|---|---|---|
| webhook.replicaCount | ++ | +number | +
+
+1
+
+ |
+
| webhook.timeoutSeconds | +
+
+
+Seconds the API server should wait for the webhook to respond before treating the call as a failure. + +We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. + + + |
+number | +
+
+30
+
+ |
+
| webhook.config | +
+
+
+Used to configure options for the webhook pod. apiVersion: webhook.config.cert-manager.io/v1alpha1
+kind: WebhookConfiguration
+# The port that the webhook should listen on for requests.
+# In GKE private clusters, by default kubernetes apiservers are allowed to
+# talk to the cluster nodes only on 443 and 10250. so configuring
+# securePort: 10250, will work out of the box without needing to add firewall
+# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
+# This should be uncommented and set as a default by the chart once we graduate
+# the apiVersion of WebhookConfiguration past v1alpha1.
+securePort: 10250
+
+ |
+object | +
+
+{}
+
+ |
+
| webhook.strategy | +
+ + +Deployment strategy, for example: + + + +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+
+ |
+object | +
+
+{}
+
+ |
+
| webhook.securityContext | +
+ + +Pod Security Context to be set on the webhook component Pod. Rref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + + + |
+object | +
+
+runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+ |
+
| webhook.podDisruptionBudget.enabled | ++ | +bool | +
+
+false
+
+ |
+
| webhook.podDisruptionBudget.minAvailable | +
+ + +minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + + ++ +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + + |
+number | +
+
+undefined
+
+ |
+
| webhook.podDisruptionBudget.maxUnavailable | +
+ + +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + + |
+number | +
+
+undefined
+
+ |
+
| webhook.containerSecurityContext | +
+ + +Container Security Context to be set on the webhook component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ |
+object | +
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| webhook.deploymentAnnotations | +
+ + +Optional additional annotations to add to the webhook Deployment + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.podAnnotations | +
+ + +Optional additional annotations to add to the webhook Pods + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.serviceAnnotations | +
+ + +Optional additional annotations to add to the webhook Service + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.mutatingWebhookConfigurationAnnotations | +
+ + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.validatingWebhookConfigurationAnnotations | +
+ + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.extraArgs | +
+
+
+Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: |
+array | +
+
+[]
+
+ |
+
| webhook.featureGates | +
+ + +Comma separated list of feature gates that should be enabled on the webhook pod. + + + |
+string | +
+
+""
+
+ |
+
| webhook.resources | ++ | +object | +
+
+{}
+
+ |
+
| webhook.livenessProbe | +
+ + +Liveness probe values + + + +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ |
+object | +
+
+failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+
+ |
+
| webhook.readinessProbe | +
+ + +Readiness probe values + + + +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+
+ |
+object | +
+
+failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+
+ |
+
| webhook.nodeSelector | ++ | +object | +
+
+kubernetes.io/os: linux
+
+ |
+
| webhook.affinity | ++ | +object | +
+
+{}
+
+ |
+
| webhook.tolerations | ++ | +array | +
+
+[]
+
+ |
+
| webhook.topologySpreadConstraints | ++ | +array | +
+
+[]
+
+ |
+
| webhook.podLabels | +
+ + +Optional additional labels to add to the Webhook Pods + + + |
+object | +
+
+{}
+
+ |
+
| webhook.serviceLabels | +
+ + +Optional additional labels to add to the Webhook Service + + + |
+object | +
+
+{}
+
+ |
+
| webhook.image.registry | +
+ + +Registry to pull the image from + + + |
+string | +
+
+undefined
+
+ |
+
| webhook.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + + |
+string | +
+
+quay.io/jetstack/cert-manager-webhook
+
+ |
+
| webhook.image.tag | +
+ + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + |
+string | +
+
+undefined
+
+ |
+
| webhook.image.digest | +
+ + +Setting a digest will override any tag + + + |
+string | +
+
+undefined
+
+ |
+
| webhook.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + + |
+string | +
+
+IfNotPresent
+
+ |
+
| webhook.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + + |
+bool | +
+
+true
+
+ |
+
| webhook.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+undefined
+
+ |
+
| webhook.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the controller's ServiceAccount + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.serviceAccount.labels | +
+ + +Optional additional labels to add to the webhook's ServiceAccount + + + |
+object | +
+
+undefined
+
+ |
+
| webhook.serviceAccount.automountServiceAccountToken | +
+ + +Automount API credentials for a Service Account. + + + |
+bool | +
+
+true
+
+ |
+
| webhook.securePort | +
+ + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + + + |
+number | +
+
+10250
+
+ |
+
| webhook.hostNetwork | +
+ + +Specifies if the webhook should be started in hostNetwork mode. + + ++ +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + + ++ +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + + + |
+bool | +
+
+false
+
+ |
+
| webhook.serviceType | +
+ + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + + + |
+string | +
+
+ClusterIP
+
+ |
+
| webhook.loadBalancerIP | ++ | +string | +
+
+undefined
+
+ |
+
| webhook.url | +
+ + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + + + |
+object | +
+
+{}
+
+ |
+
| webhook.networkPolicy.enabled | ++ | +bool | +
+
+false
+
+ |
+
| webhook.networkPolicy.ingress | ++ | +array | +
+
+- from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+ |
+
| webhook.networkPolicy.egress | ++ | +array | +
+
+- ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - port: 6443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+ |
+
| webhook.volumes | ++ | +array | +
+
+[]
+
+ |
+
| webhook.volumeMounts | ++ | +array | +
+
+[]
+
+ |
+
| webhook.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + + |
+bool | +
+
+false
+
+ |
+
| Property | +Description | +Type | +Default | +
|---|---|---|---|
| cainjector.enabled | ++ | +bool | +
+
+true
+
+ |
+
| cainjector.replicaCount | ++ | +number | +
+
+1
+
+ |
+
| cainjector.config | +
+
+
+Used to configure options for the cainjector pod. apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+
+ |
+object | +
+
+{}
+
+ |
+
| cainjector.strategy | +
+ + +Deployment strategy, for example: + + + +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+
+ |
+object | +
+
+{}
+
+ |
+
| cainjector.securityContext.runAsNonRoot | ++ | +bool | +
+
+true
+
+ |
+
| cainjector.securityContext.seccompProfile.type | ++ | +string | +
+
+RuntimeDefault
+
+ |
+
| cainjector.podDisruptionBudget.enabled | ++ | +bool | +
+
+false
+
+ |
+
| cainjector.podDisruptionBudget.minAvailable | +
+ + +minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + + ++ +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + + |
+number | +
+
+undefined
+
+ |
+
| cainjector.podDisruptionBudget.maxUnavailable | +
+ + +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + + |
+number | +
+
+undefined
+
+ |
+
| cainjector.containerSecurityContext | +
+ + +Container Security Context to be set on the cainjector component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ |
+object | +
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| cainjector.deploymentAnnotations | +
+ + +Optional additional annotations to add to the cainjector Deployment + + + |
+object | +
+
+undefined
+
+ |
+
| cainjector.podAnnotations | +
+ + +Optional additional annotations to add to the cainjector Pods + + + |
+object | +
+
+undefined
+
+ |
+
| cainjector.extraArgs | +
+
+
+Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
+array | +
+
+[]
+
+ |
+
| cainjector.featureGates | +
+ + +Comma separated list of feature gates that should be enabled on the cainjector pod. + + + |
+string | +
+
+""
+
+ |
+
| cainjector.resources | ++ | +object | +
+
+{}
+
+ |
+
| cainjector.nodeSelector | ++ | +object | +
+
+kubernetes.io/os: linux
+
+ |
+
| cainjector.affinity | ++ | +object | +
+
+{}
+
+ |
+
| cainjector.tolerations | ++ | +array | +
+
+[]
+
+ |
+
| cainjector.topologySpreadConstraints | ++ | +array | +
+
+[]
+
+ |
+
| cainjector.podLabels | +
+ + +Optional additional labels to add to the CA Injector Pods + + + |
+object | +
+
+{}
+
+ |
+
| cainjector.image.registry | +
+ + +Registry to pull the image from + + + |
+string | +
+
+undefined
+
+ |
+
| cainjector.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + + |
+string | +
+
+quay.io/jetstack/cert-manager-cainjector
+
+ |
+
| cainjector.image.tag | +
+ + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + |
+string | +
+
+undefined
+
+ |
+
| cainjector.image.digest | +
+ + +Setting a digest will override any tag + + + |
+string | +
+
+undefined
+
+ |
+
| cainjector.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + + |
+string | +
+
+IfNotPresent
+
+ |
+
| cainjector.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + + |
+bool | +
+
+true
+
+ |
+
| cainjector.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+undefined
+
+ |
+
| cainjector.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the controller's ServiceAccount + + + |
+object | +
+
+undefined
+
+ |
+
| cainjector.serviceAccount.labels | +
+
+
+Automount API credentials for a Service Account. |
+object | +
+
+undefined
+
+ |
+
| cainjector.serviceAccount.automountServiceAccountToken | ++ | +bool | +
+
+true
+
+ |
+
| cainjector.automountServiceAccountToken | +
+ + +Automounting API credentials for a particular pod + + + |
+bool | +
+
+undefined
+
+ |
+
| cainjector.volumes | ++ | +array | +
+
+[]
+
+ |
+
| cainjector.volumeMounts | ++ | +array | +
+
+[]
+
+ |
+
| cainjector.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + + |
+bool | +
+
+false
+
+ |
+
| Property | +Description | +Type | +Default | +
|---|---|---|---|
| acmesolver.image.registry | +
+ + +Image registry to pull from + + + |
+string | +
+
+undefined
+
+ |
+
| acmesolver.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + + |
+string | +
+
+quay.io/jetstack/cert-manager-acmesolver
+
+ |
+
| acmesolver.image.tag | +
+ + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + |
+string | +
+
+undefined
+
+ |
+
| acmesolver.image.digest | +
+ + +Setting a digest will override any tag + + + |
+string | +
+
+undefined
+
+ |
+
+ +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job- if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + +
+ +| Property | +Description | +Type | +Default | +
|---|---|---|---|
| startupapicheck.enabled | ++ | +bool | +
+
+true
+
+ |
+
| startupapicheck.securityContext | +
+ + +Pod Security Context to be set on the startupapicheck component Pod + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ |
+object | +
+
+runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+ |
+
| startupapicheck.containerSecurityContext | +
+ + +Container Security Context to be set on the controller component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+ |
+object | +
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| startupapicheck.timeout | +
+ + +Timeout for 'kubectl check api' command + + + |
+string | +
+
+1m
+
+ |
+
| startupapicheck.backoffLimit | +
+ + +Job backoffLimit + + + |
+number | +
+
+4
+
+ |
+
| startupapicheck.jobAnnotations | +
+ + +Optional additional annotations to add to the startupapicheck Job + + + |
+object | +
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+
+ |
+
| startupapicheck.podAnnotations | +
+ + +Optional additional annotations to add to the startupapicheck Pods + + + |
+object | +
+
+undefined
+
+ |
+
| startupapicheck.extraArgs | +
+
+
+Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: + +We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. + + + |
+array | +
+
+- -v
+
+ |
+
| startupapicheck.resources | ++ | +object | +
+
+{}
+
+ |
+
| startupapicheck.nodeSelector | ++ | +object | +
+
+kubernetes.io/os: linux
+
+ |
+
| startupapicheck.affinity | ++ | +object | +
+
+{}
+
+ |
+
| startupapicheck.tolerations | ++ | +array | +
+
+[]
+
+ |
+
| startupapicheck.podLabels | +
+ + +Optional additional labels to add to the startupapicheck Pods + + + |
+object | +
+
+{}
+
+ |
+
| startupapicheck.image.registry | +
+ + +Image registry to pull from + + + |
+string | +
+
+undefined
+
+ |
+
| startupapicheck.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + + |
+string | +
+
+quay.io/jetstack/cert-manager-startupapicheck
+
+ |
+
| startupapicheck.image.tag | +
+ + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + + + |
+string | +
+
+undefined
+
+ |
+
| startupapicheck.image.digest | +
+ + +Setting a digest will override any tag + + + |
+string | +
+
+undefined
+
+ |
+
| startupapicheck.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + + |
+string | +
+
+IfNotPresent
+
+ |
+
| startupapicheck.rbac.annotations | +
+ + +annotations for the startup API Check job RBAC and PSP resources + + + |
+object | +
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+
+ |
+
| startupapicheck.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + + |
+bool | +
+
+true
+
+ |
+
| startupapicheck.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+undefined
+
+ |
+
| startupapicheck.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the Job's ServiceAccount + + + |
+object | +
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+
+ |
+
| startupapicheck.serviceAccount.automountServiceAccountToken | +
+ + +Automount API credentials for a Service Account. + + + |
+bool | +
+
+true
+
+ |
+
| startupapicheck.serviceAccount.labels | +
+ + +Optional additional labels to add to the startupapicheck's ServiceAccount + + + |
+object | +
+
+undefined
+
+ |
+
| startupapicheck.volumes | ++ | +array | +
+
+[]
+
+ |
+
| startupapicheck.volumeMounts | ++ | +array | +
+
+[]
+
+ |
+
| startupapicheck.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + + |
+bool | +
+
+false
+
+ |
+
{}
+
++ +Deployment strategy, for example: + +
+ +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+{}
+
+
+
+Pod Security Context to be set on the webhook component Pod
+Rref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+
runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+false
+
++ +minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + +
++ +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + +
undefined
+
++ +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + +
undefined
+
++ +Container Security Context to be set on the webhook component container + +
+ +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
++ +Optional additional annotations to add to the webhook Deployment + +
undefined
+
++ +Optional additional annotations to add to the webhook Pods + +
undefined
+
++ +Optional additional annotations to add to the webhook Service + +
undefined
+
++ +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + +
undefined
+
++ +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + +
undefined
+
+
+
+Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:
[]
+
++ +Comma separated list of feature gates that should be enabled on the webhook pod. + +
""
+
+{}
+
++ +Liveness probe values + +
+ +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+
++ +Readiness probe values + +
+ +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+
+kubernetes.io/os: linux
+
+{}
+
+[]
+
+[]
+
++ +Optional additional labels to add to the Webhook Pods + +
{}
+
++ +Optional additional labels to add to the Webhook Service + +
{}
+
++ +Registry to pull the image from + +
undefined
+
++ +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + +
quay.io/jetstack/cert-manager-webhook
+
+
+
+Override the image tag to deploy by setting this variable.
+If no value is set, the chart's appVersion will be used.
+
+
undefined
+
++ +Setting a digest will override any tag + +
undefined
+
++ +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + +
IfNotPresent
+
++ +Specifies whether a service account should be created + +
true
+
+
+
+The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template
+
+
undefined
+
++ +Optional additional annotations to add to the controller's ServiceAccount + +
undefined
+
++ +Optional additional labels to add to the webhook's ServiceAccount + +
undefined
+
++ +Automount API credentials for a Service Account. + +
true
+
+
+
+The port that the webhook should listen on for requests.
+In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
+
+
10250
+
++ +Specifies if the webhook should be started in hostNetwork mode. + +
++ +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +
++ +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + +
false
+
++ +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + +
ClusterIP
+
+undefined
+
++ +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + +
{}
+
+false
+
+- from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+- ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - port: 6443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+[]
+
+[]
+
++ +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +
false
+
+| property | +description | +type | +default | +
|---|---|---|---|
| cainjector.enabled | ++ | bool | +
+
+
+true
+
+ |
+
| cainjector.replicaCount | ++ | number | +
+
+
+1
+
+ |
+
| cainjector.config | +
+
+
+Used to configure options for the cainjector pod. apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+ |
+object | +
+
+
+{}
+
+ |
+
| cainjector.strategy | +
+ + +Deployment strategy, for example: + + + +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ |
+object | +
+
+
+{}
+
+ |
+
| cainjector.securityContext.runAsNonRoot | ++ | bool | +
+
+
+true
+
+ |
+
| cainjector.securityContext.seccompProfile.type | ++ | string | +
+
+
+RuntimeDefault
+
+ |
+
| cainjector.podDisruptionBudget.enabled | ++ | bool | +
+
+
+false
+
+ |
+
| cainjector.podDisruptionBudget.minAvailable | +
+ + +minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + + ++ +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + |
+number | +
+
+
+undefined
+
+ |
+
| cainjector.podDisruptionBudget.maxUnavailable | +
+ + +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + |
+number | +
+
+
+undefined
+
+ |
+
| cainjector.containerSecurityContext | +
+ + +Container Security Context to be set on the cainjector component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ |
+object | +
+
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| cainjector.deploymentAnnotations | +
+ + +Optional additional annotations to add to the cainjector Deployment + + |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.podAnnotations | +
+ + +Optional additional annotations to add to the cainjector Pods + + |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.extraArgs | +
+
+
+Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
+array | +
+
+
+[]
+
+ |
+
| cainjector.featureGates | +
+ + +Comma separated list of feature gates that should be enabled on the cainjector pod. + + |
+string | +
+
+
+""
+
+ |
+
| cainjector.resources | ++ | object | +
+
+
+{}
+
+ |
+
| cainjector.nodeSelector | ++ | object | +
+
+
+kubernetes.io/os: linux
+
+ |
+
| cainjector.affinity | ++ | object | +
+
+
+{}
+
+ |
+
| cainjector.tolerations | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.topologySpreadConstraints | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.podLabels | +
+ + +Optional additional labels to add to the CA Injector Pods + + |
+object | +
+
+
+{}
+
+ |
+
| cainjector.image.registry | +
+ + +Registry to pull the image from + + |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + |
+string | +
+
+
+quay.io/jetstack/cert-manager-cainjector
+
+ |
+
| cainjector.image.tag | +
+
+
+Override the image tag to deploy by setting this variable. |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.image.digest | +
+ + +Setting a digest will override any tag + + |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + |
+string | +
+
+
+IfNotPresent
+
+ |
+
| cainjector.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + |
+bool | +
+
+
+true
+
+ |
+
| cainjector.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the controller's ServiceAccount + + |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.serviceAccount.labels | +
+
+
+Automount API credentials for a Service Account. |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.serviceAccount.automountServiceAccountToken | ++ | bool | +
+
+
+true
+
+ |
+
| cainjector.automountServiceAccountToken | +
+ + +Automounting API credentials for a particular pod + + |
+bool | +
+
+
+undefined
+
+ |
+
| cainjector.volumes | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.volumeMounts | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + |
+bool | +
+
+
+false
+
+ |
+
| property | +description | +type | +default | +
|---|---|---|---|
| acmesolver.image.registry | +
+ + +Image registry to pull from + + |
+string | +
+
+
+undefined
+
+ |
+
| acmesolver.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + |
+string | +
+
+
+quay.io/jetstack/cert-manager-acmesolver
+
+ |
+
| acmesolver.image.tag | +
+
+
+Override the image tag to deploy by setting this variable. |
+string | +
+
+
+undefined
+
+ |
+
| acmesolver.image.digest | +
+ + +Setting a digest will override any tag + + |
+string | +
+
+
+undefined
+
+ |
+
+ +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job- if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + +
+ +| property | +description | +type | +default | +
|---|---|---|---|
| startupapicheck.enabled | ++ | bool | +
+
+
+true
+
+ |
+
| startupapicheck.securityContext | +
+ + +Pod Security Context to be set on the startupapicheck component Pod + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ |
+object | +
+
+
+runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+ |
+
| startupapicheck.containerSecurityContext | +
+ + +Container Security Context to be set on the controller component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ |
+object | +
+
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| startupapicheck.timeout | +
+ + +Timeout for 'kubectl check api' command + + |
+string | +
+
+
+1m
+
+ |
+
| startupapicheck.backoffLimit | +
+ + +Job backoffLimit + + |
+number | +
+
+
+4
+
+ |
+
| startupapicheck.jobAnnotations | +
+ + +Optional additional annotations to add to the startupapicheck Job + + |
+object | +
+
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+
+ |
+
| startupapicheck.podAnnotations | +
+ + +Optional additional annotations to add to the startupapicheck Pods + + |
+object | +
+
+
+undefined
+
+ |
+
| startupapicheck.extraArgs | +
+
+
+Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: + +We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. + + |
+array | +
+
+
+- -v
+
+ |
+
| startupapicheck.resources | ++ | object | +
+
+
+{}
+
+ |
+
| startupapicheck.nodeSelector | ++ | object | +
+
+
+kubernetes.io/os: linux
+
+ |
+
| startupapicheck.affinity | ++ | object | +
+
+
+{}
+
+ |
+
| startupapicheck.tolerations | ++ | array | +
+
+
+[]
+
+ |
+
| startupapicheck.podLabels | +
+ + +Optional additional labels to add to the startupapicheck Pods + + |
+object | +
+
+
+{}
+
+ |
+
| startupapicheck.image.registry | +
+ + +Image registry to pull from + + |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + |
+string | +
+
+
+quay.io/jetstack/cert-manager-startupapicheck
+
+ |
+
| startupapicheck.image.tag | +
+
+
+Override the image tag to deploy by setting this variable. |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.image.digest | +
+ + +Setting a digest will override any tag + + |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + |
+string | +
+
+
+IfNotPresent
+
+ |
+
| startupapicheck.rbac.annotations | +
+ + +annotations for the startup API Check job RBAC and PSP resources + + |
+object | +
+
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+
+ |
+
| startupapicheck.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + |
+bool | +
+
+
+true
+
+ |
+
| startupapicheck.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the Job's ServiceAccount + + |
+object | +
+
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+
+ |
+
| startupapicheck.serviceAccount.automountServiceAccountToken | +
+ + +Automount API credentials for a Service Account. + + |
+bool | +
+
+
+true
+
+ |
+
| startupapicheck.serviceAccount.labels | +
+ + +Optional additional labels to add to the startupapicheck's ServiceAccount + + |
+object | +
+
+
+undefined
+
+ |
+
| startupapicheck.volumes | ++ | array | +
+
+
+[]
+
+ |
+
| startupapicheck.volumeMounts | ++ | array | +
+
+
+[]
+
+ |
+
| startupapicheck.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + |
+bool | +
+
+
+false
+
+ |
+
{}
+
++ +Deployment strategy, for example: + +
+ +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+{}
+
+
+
+Pod Security Context to be set on the webhook component Pod
+Rref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+
+
runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+false
+
+
+
+minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1`
+
+
+
+ +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + +
undefined
+
++ +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + +
undefined
+
++ +Container Security Context to be set on the webhook component container + +
+ +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
++ +Optional additional annotations to add to the webhook Deployment + +
undefined
+
++ +Optional additional annotations to add to the webhook Pods + +
undefined
+
++ +Optional additional annotations to add to the webhook Service + +
undefined
+
++ +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + +
undefined
+
++ +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + +
undefined
+
+
+
+Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:
[]
+
++ +Comma separated list of feature gates that should be enabled on the webhook pod. + +
""
+
+{}
+
++ +Liveness probe values + +
+ +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+failureThreshold: 3
+initialDelaySeconds: 60
+periodSeconds: 10
+successThreshold: 1
+timeoutSeconds: 1
+
++ +Readiness probe values + +
+ +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
+failureThreshold: 3
+initialDelaySeconds: 5
+periodSeconds: 5
+successThreshold: 1
+timeoutSeconds: 1
+
+kubernetes.io/os: linux
+
+{}
+
+[]
+
+[]
+
++ +Optional additional labels to add to the Webhook Pods + +
{}
+
++ +Optional additional labels to add to the Webhook Service + +
{}
+
++ +Registry to pull the image from + +
undefined
+
++ +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + +
quay.io/jetstack/cert-manager-webhook
+
+
+
+Override the image tag to deploy by setting this variable.
+If no value is set, the chart's appVersion will be used.
+
+
undefined
+
++ +Setting a digest will override any tag + +
undefined
+
++ +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + +
IfNotPresent
+
++ +Specifies whether a service account should be created + +
true
+
+
+
+The name of the service account to use.
+If not set and create is true, a name is generated using the fullname template
+
+
undefined
+
++ +Optional additional annotations to add to the controller's ServiceAccount + +
undefined
+
++ +Optional additional labels to add to the webhook's ServiceAccount + +
undefined
+
++ +Automount API credentials for a Service Account. + +
true
+
+
+
+The port that the webhook should listen on for requests.
+In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
+
+
10250
+
++ +Specifies if the webhook should be started in hostNetwork mode. + +
++ +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +
++ +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. + +
false
+
++ +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. + +
ClusterIP
+
+undefined
+
++ +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. + +
{}
+
+false
+
+- from:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+- ports:
+ - port: 80
+ protocol: TCP
+ - port: 443
+ protocol: TCP
+ - port: 53
+ protocol: TCP
+ - port: 53
+ protocol: UDP
+ - port: 6443
+ protocol: TCP
+ to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+
+[]
+
+[]
+
++ +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + +
false
+
+| property | +description | +type | +default | +
|---|---|---|---|
| cainjector.enabled | ++ | bool | +
+
+
+true
+
+ |
+
| cainjector.replicaCount | ++ | number | +
+
+
+1
+
+ |
+
| cainjector.config | +
+
+
+Used to configure options for the cainjector pod. apiVersion: cainjector.config.cert-manager.io/v1alpha1
+kind: CAInjectorConfiguration
+logging:
+ verbosity: 2
+ format: text
+leaderElectionConfig:
+ namespace: kube-system
+ |
+object | +
+
+
+{}
+
+ |
+
| cainjector.strategy | +
+ + +Deployment strategy, for example: + + + +type: RollingUpdate
+rollingUpdate:
+ maxSurge: 0
+ maxUnavailable: 1
+ |
+object | +
+
+
+{}
+
+ |
+
| cainjector.securityContext.runAsNonRoot | ++ | bool | +
+
+
+true
+
+ |
+
| cainjector.securityContext.seccompProfile.type | ++ | string | +
+
+
+RuntimeDefault
+
+ |
+
| cainjector.podDisruptionBudget.enabled | ++ | bool | +
+
+
+false
+
+ |
+
| cainjector.podDisruptionBudget.minAvailable | +
+
+
+minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` + +minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + |
+number | +
+
+
+undefined
+
+ |
+
| cainjector.podDisruptionBudget.maxUnavailable | +
+ + +maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) + + |
+number | +
+
+
+undefined
+
+ |
+
| cainjector.containerSecurityContext | +
+ + +Container Security Context to be set on the cainjector component container -### Webhook + -|property|description|type|default| -|--|--|--|--| -|`webhook.replicaCount`||`number`|1| -|`webhook.timeoutSeconds`| Seconds the API server should wait for the webhook to respond before treating the call as a failure. We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. |`number`|30| -|`webhook.config`| Used to configure options for the webhook pod. apiVersion: webhook.config.cert-manager.io/v1alpha1|`object`| {}|
-|`webhook.strategy`|Deployment strategy, for example: type: RollingUpdate|`object`| {}|
-|`webhook.securityContext`|Pod Security Context to be set on the webhook component Pod runAsNonRoot: true| -|`webhook.podDisruptionBudget.enabled`||`bool`| false| -|`webhook.podDisruptionBudget.minAvailable`| minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) |`number`|undefined| -|`webhook.podDisruptionBudget.maxUnavailable`| maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) |`number`|undefined| -|`webhook.containerSecurityContext`| Container Security Context to be set on the webhook component container ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/|`object`| allowPrivilegeEscalation: false| -|`webhook.deploymentAnnotations`| Optional additional annotations to add to the webhook Deployment |`object`|undefined| -|`webhook.podAnnotations`| Optional additional annotations to add to the webhook Pods |`object`|undefined| -|`webhook.serviceAnnotations`| Optional additional annotations to add to the webhook Service |`object`|undefined| -|`webhook.mutatingWebhookConfigurationAnnotations`| Optional additional annotations to add to the webhook MutatingWebhookConfiguration |`object`|undefined| -|`webhook.validatingWebhookConfigurationAnnotations`| Optional additional annotations to add to the webhook ValidatingWebhookConfiguration |`object`|undefined| -|`webhook.extraArgs`| Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: []| -|`webhook.featureGates`| Comma separated list of feature gates that should be enabled on the webhook pod. |`string`|""| -|`webhook.resources`||`object`| {}|
-|`webhook.livenessProbe`|Liveness probe values ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes|`object`| failureThreshold: 3| -|`webhook.readinessProbe`| Readiness probe values ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes|`object`| failureThreshold: 3| -|`webhook.nodeSelector`||`object`| kubernetes.io/os: linux| -|`webhook.affinity`||`object`| {}|
-|`webhook.tolerations`||`array`|[]| -|`webhook.topologySpreadConstraints`||`array`| []| -|`webhook.podLabels`| Optional additional labels to add to the Webhook Pods |`object`|{}|
-|`webhook.serviceLabels`|Optional additional labels to add to the Webhook Service |`object`|{}|
-|`webhook.image.registry`|Registry to pull the image from |`string`|undefined| -|`webhook.image.repository`| Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property |`string`|quay.io/jetstack/cert-manager-webhook| -|`webhook.image.tag`| Override the image tag to deploy by setting this variable. undefined| -|`webhook.image.digest`| Setting a digest will override any tag |`string`|undefined| -|`webhook.image.pullPolicy`| Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy |`string`|IfNotPresent| -|`webhook.serviceAccount.create`| Specifies whether a service account should be created |`bool`|true| -|`webhook.serviceAccount.name`| The name of the service account to use. undefined| -|`webhook.serviceAccount.annotations`| Optional additional annotations to add to the controller's ServiceAccount |`object`|undefined| -|`webhook.serviceAccount.labels`| Optional additional labels to add to the webhook's ServiceAccount |`object`|undefined| -|`webhook.serviceAccount.automountServiceAccountToken`| Automount API credentials for a Service Account. |`bool`|true| -|`webhook.securePort`| The port that the webhook should listen on for requests. 10250| -|`webhook.hostNetwork`| Specifies if the webhook should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. |`bool`|false| -|`webhook.serviceType`| Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. |`string`|ClusterIP| -|`webhook.loadBalancerIP`||`string`| undefined| -|`webhook.url`| Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. |`object`|{}|
-|`webhook.networkPolicy.enabled`||`bool`|false| -|`webhook.networkPolicy.ingress`||`array`| - from:| -|`webhook.networkPolicy.egress`||`array`| - ports:| -|`webhook.volumes`||`array`| []| -|`webhook.volumeMounts`||`array`| []| -|`webhook.enableServiceLinks`| enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. |`bool`|false| + ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ |
+object | +
-### CA Injector
-|property|description|type|default|
-|--|--|--|--|
-|`cainjector.enabled`||`bool`|true| -|`cainjector.replicaCount`||`number`| 1| -|`cainjector.config`| Used to configure options for the cainjector pod. apiVersion: cainjector.config.cert-manager.io/v1alpha1|`object`| {}|
-|`cainjector.strategy`|Deployment strategy, for example: type: RollingUpdate|`object`| {}|
-|`cainjector.securityContext.runAsNonRoot`||`bool`|true| -|`cainjector.securityContext.seccompProfile.type`||`string`| RuntimeDefault| -|`cainjector.podDisruptionBudget.enabled`||`bool`| false| -|`cainjector.podDisruptionBudget.minAvailable`| minAvailable and maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) if neither minAvailable or maxUnavailable is set, we default to `minAvailable: 1` minAvailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) |`number`|undefined| -|`cainjector.podDisruptionBudget.maxUnavailable`| maxUnavailable can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%) |`number`|undefined| -|`cainjector.containerSecurityContext`| Container Security Context to be set on the cainjector component container ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/|`object`| allowPrivilegeEscalation: false| -|`cainjector.deploymentAnnotations`| Optional additional annotations to add to the cainjector Deployment |`object`|undefined| -|`cainjector.podAnnotations`| Optional additional annotations to add to the cainjector Pods |`object`|undefined| -|`cainjector.extraArgs`| Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: []| -|`cainjector.featureGates`| Comma separated list of feature gates that should be enabled on the cainjector pod. |`string`|""| -|`cainjector.resources`||`object`| {}|
-|`cainjector.nodeSelector`||`object`|kubernetes.io/os: linux| -|`cainjector.affinity`||`object`| {}|
-|`cainjector.tolerations`||`array`|[]| -|`cainjector.topologySpreadConstraints`||`array`| []| -|`cainjector.podLabels`| Optional additional labels to add to the CA Injector Pods |`object`|{}|
-|`cainjector.image.registry`|Registry to pull the image from |`string`|undefined| -|`cainjector.image.repository`| Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property |`string`|quay.io/jetstack/cert-manager-cainjector| -|`cainjector.image.tag`| Override the image tag to deploy by setting this variable. undefined| -|`cainjector.image.digest`| Setting a digest will override any tag |`string`|undefined| -|`cainjector.image.pullPolicy`| Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy |`string`|IfNotPresent| -|`cainjector.serviceAccount.create`| Specifies whether a service account should be created |`bool`|true| -|`cainjector.serviceAccount.name`| The name of the service account to use. undefined| -|`cainjector.serviceAccount.annotations`| Optional additional annotations to add to the controller's ServiceAccount |`object`|undefined| -|`cainjector.serviceAccount.labels`| Automount API credentials for a Service Account. undefined| -|`cainjector.serviceAccount.automountServiceAccountToken`||`bool`| true| -|`cainjector.automountServiceAccountToken`| Automounting API credentials for a particular pod |`bool`|undefined| -|`cainjector.volumes`||`array`| []| -|`cainjector.volumeMounts`||`array`| []| -|`cainjector.enableServiceLinks`| enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. |`bool`|false| + allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| cainjector.deploymentAnnotations | +
+ + +Optional additional annotations to add to the cainjector Deployment + + |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.podAnnotations | +
+ + +Optional additional annotations to add to the cainjector Pods + + |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.extraArgs | +
+
+
+Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: |
+array | +
+
+
+[]
+
+ |
+
| cainjector.featureGates | +
+ + +Comma separated list of feature gates that should be enabled on the cainjector pod. + + |
+string | +
+
+
+""
+
+ |
+
| cainjector.resources | ++ | object | +
+
+
+{}
+
+ |
+
| cainjector.nodeSelector | ++ | object | +
+
+
+kubernetes.io/os: linux
+
+ |
+
| cainjector.affinity | ++ | object | +
+
+
+{}
+
+ |
+
| cainjector.tolerations | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.topologySpreadConstraints | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.podLabels | +
+ + +Optional additional labels to add to the CA Injector Pods + + |
+object | +
+
+
+{}
+
+ |
+
| cainjector.image.registry | +
+ + +Registry to pull the image from + + |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + |
+string | +
+
+
+quay.io/jetstack/cert-manager-cainjector
+
+ |
+
| cainjector.image.tag | +
+
+
+Override the image tag to deploy by setting this variable. |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.image.digest | +
+ + +Setting a digest will override any tag + + |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + |
+string | +
+
+
+IfNotPresent
+
+ |
+
| cainjector.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + |
+bool | +
+
+
+true
+
+ |
+
| cainjector.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+
+undefined
+
+ |
+
| cainjector.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the controller's ServiceAccount + + |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.serviceAccount.labels | +
+
+
+Automount API credentials for a Service Account. |
+object | +
+
+
+undefined
+
+ |
+
| cainjector.serviceAccount.automountServiceAccountToken | ++ | bool | +
+
+
+true
+
+ |
+
| cainjector.automountServiceAccountToken | +
+ + +Automounting API credentials for a particular pod + + |
+bool | +
+
+
+undefined
+
+ |
+
| cainjector.volumes | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.volumeMounts | ++ | array | +
+
+
+[]
+
+ |
+
| cainjector.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + |
+bool | +
+
+
+false
+
+ |
+
Image registry to pull from
|`string`|undefined| -|`acmesolver.image.repository`|
Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property
|`string`|quay.io/jetstack/cert-manager-acmesolver| -|`acmesolver.image.tag`|
Override the image tag to deploy by setting this variable.
If no value is set, the chart's appVersion will be used.
undefined| -|`acmesolver.image.digest`|
Setting a digest will override any tag
|`string`|undefined| +
| property | +description | +type | +default | +
|---|---|---|---|
| acmesolver.image.registry | +
+ + +Image registry to pull from + + |
+string | +
+
+
+undefined
+
+ |
+
| acmesolver.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + |
+string | +
+
+
+quay.io/jetstack/cert-manager-acmesolver
+
+ |
+
| acmesolver.image.tag | +
+
+
+Override the image tag to deploy by setting this variable. |
+string | +
+
+
+undefined
+
+ |
+
| acmesolver.image.digest | +
+ + +Setting a digest will override any tag + + |
+string | +
+
+
+undefined
+
+ |
+
This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job- if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context.
- -|property|description|type|default| -|--|--|--|--| -|`startupapicheck.enabled`||`bool`|true| -|`startupapicheck.securityContext`|
Pod Security Context to be set on the startupapicheck component Pod
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/|`object`|
runAsNonRoot: true| -|`startupapicheck.containerSecurityContext`|
seccompProfile:
type: RuntimeDefault
Container Security Context to be set on the controller component container
ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/|`object`|
allowPrivilegeEscalation: false| -|`startupapicheck.timeout`|
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
Timeout for 'kubectl check api' command
|`string`|1m| -|`startupapicheck.backoffLimit`|
Job backoffLimit
|`number`|4| -|`startupapicheck.jobAnnotations`|
Optional additional annotations to add to the startupapicheck Job
|`object`|helm.sh/hook: post-install| -|`startupapicheck.podAnnotations`|
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "1"
Optional additional annotations to add to the startupapicheck Pods
|`object`|undefined| -|`startupapicheck.extraArgs`|
Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:
We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example.
|`array`|- -v| -|`startupapicheck.resources`||`object`|
{}|
-|`startupapicheck.nodeSelector`||`object`|kubernetes.io/os: linux| -|`startupapicheck.affinity`||`object`|
{}|
-|`startupapicheck.tolerations`||`array`|[]| -|`startupapicheck.podLabels`|
Optional additional labels to add to the startupapicheck Pods
|`object`|{}|
-|`startupapicheck.image.registry`|Image registry to pull from
|`string`|undefined| -|`startupapicheck.image.repository`|
Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property
|`string`|quay.io/jetstack/cert-manager-startupapicheck| -|`startupapicheck.image.tag`|
Override the image tag to deploy by setting this variable.
If no value is set, the chart's appVersion will be used.
undefined| -|`startupapicheck.image.digest`|
Setting a digest will override any tag
|`string`|undefined| -|`startupapicheck.image.pullPolicy`|
Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy
|`string`|IfNotPresent| -|`startupapicheck.rbac.annotations`|
annotations for the startup API Check job RBAC and PSP resources
|`object`|helm.sh/hook: post-install| -|`startupapicheck.serviceAccount.create`|
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"
Specifies whether a service account should be created
|`bool`|true| -|`startupapicheck.serviceAccount.name`|
The name of the service account to use.
If not set and create is true, a name is generated using the fullname template
undefined| -|`startupapicheck.serviceAccount.annotations`|
Optional additional annotations to add to the Job's ServiceAccount
|`object`|helm.sh/hook: post-install| -|`startupapicheck.serviceAccount.automountServiceAccountToken`|
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"
Automount API credentials for a Service Account.
|`bool`|true| -|`startupapicheck.serviceAccount.labels`|
Optional additional labels to add to the startupapicheck's ServiceAccount
|`object`|undefined| -|`startupapicheck.volumes`||`array`|
[]| -|`startupapicheck.volumeMounts`||`array`|
[]| -|`startupapicheck.enableServiceLinks`|
enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.
|`bool`|false| + +
+ +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job- if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. + +
+ +| property | +description | +type | +default | +
|---|---|---|---|
| startupapicheck.enabled | ++ | bool | +
+
+
+true
+
+ |
+
| startupapicheck.securityContext | +
+ + +Pod Security Context to be set on the startupapicheck component Pod + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ |
+object | +
+
+
+runAsNonRoot: true
+seccompProfile:
+ type: RuntimeDefault
+
+ |
+
| startupapicheck.containerSecurityContext | +
+ + +Container Security Context to be set on the controller component container + + + +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ |
+object | +
+
+
+allowPrivilegeEscalation: false
+capabilities:
+ drop:
+ - ALL
+readOnlyRootFilesystem: true
+
+ |
+
| startupapicheck.timeout | +
+ + +Timeout for 'kubectl check api' command + + |
+string | +
+
+
+1m
+
+ |
+
| startupapicheck.backoffLimit | +
+ + +Job backoffLimit + + |
+number | +
+
+
+4
+
+ |
+
| startupapicheck.jobAnnotations | +
+ + +Optional additional annotations to add to the startupapicheck Job + + |
+object | +
+
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "1"
+
+ |
+
| startupapicheck.podAnnotations | +
+ + +Optional additional annotations to add to the startupapicheck Pods + + |
+object | +
+
+
+undefined
+
+ |
+
| startupapicheck.extraArgs | +
+
+
+Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: + +We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. + + |
+array | +
+
+
+- -v
+
+ |
+
| startupapicheck.resources | ++ | object | +
+
+
+{}
+
+ |
+
| startupapicheck.nodeSelector | ++ | object | +
+
+
+kubernetes.io/os: linux
+
+ |
+
| startupapicheck.affinity | ++ | object | +
+
+
+{}
+
+ |
+
| startupapicheck.tolerations | ++ | array | +
+
+
+[]
+
+ |
+
| startupapicheck.podLabels | +
+ + +Optional additional labels to add to the startupapicheck Pods + + |
+object | +
+
+
+{}
+
+ |
+
| startupapicheck.image.registry | +
+ + +Image registry to pull from + + |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.image.repository | +
+ + +Image name, this can be the full image including registry or the short name excluding the registry. The registy can also be set in the `registry` property + + |
+string | +
+
+
+quay.io/jetstack/cert-manager-startupapicheck
+
+ |
+
| startupapicheck.image.tag | +
+
+
+Override the image tag to deploy by setting this variable. |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.image.digest | +
+ + +Setting a digest will override any tag + + |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.image.pullPolicy | +
+ + +Image pull policy, see https://kubernetes.io/docs/concepts/containers/images/#image-pull-policy + + |
+string | +
+
+
+IfNotPresent
+
+ |
+
| startupapicheck.rbac.annotations | +
+ + +annotations for the startup API Check job RBAC and PSP resources + + |
+object | +
+
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+
+ |
+
| startupapicheck.serviceAccount.create | +
+ + +Specifies whether a service account should be created + + |
+bool | +
+
+
+true
+
+ |
+
| startupapicheck.serviceAccount.name | +
+
+
+The name of the service account to use. |
+string | +
+
+
+undefined
+
+ |
+
| startupapicheck.serviceAccount.annotations | +
+ + +Optional additional annotations to add to the Job's ServiceAccount + + |
+object | +
+
+
+helm.sh/hook: post-install
+helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+helm.sh/hook-weight: "-5"
+
+ |
+
| startupapicheck.serviceAccount.automountServiceAccountToken | +
+ + +Automount API credentials for a Service Account. + + |
+bool | +
+
+
+true
+
+ |
+
| startupapicheck.serviceAccount.labels | +
+ + +Optional additional labels to add to the startupapicheck's ServiceAccount + + |
+object | +
+
+
+undefined
+
+ |
+
| startupapicheck.volumes | ++ | array | +
+
+
+[]
+
+ |
+
| startupapicheck.volumeMounts | ++ | array | +
+
+
+[]
+
+ |
+
| startupapicheck.enableServiceLinks | +
+ + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + |
+bool | +
+
+
+false
+
+ |
+
| Property | ") + fmt.Fprint(&sb, "\nDescription | ") + fmt.Fprint(&sb, "\nType | ") + fmt.Fprint(&sb, "\nDefault | ") + fmt.Fprint(&sb, "\n
|---|---|---|---|
| %s | ", prop.Name) + fmt.Fprintf(&sb, "\n%s\n | ", description) + fmt.Fprintf(&sb, "\n%s | ", prop.Type) + fmt.Fprintf(&sb, "\n%s\n | ", defaultValue) + fmt.Fprint(&sb, "\n
%s
", strings.ReplaceAll(str, "\n\n", ""))
+ str = strings.ReplaceAll(str, "\n", "
\n")
+ str = strings.ReplaceAll(str, "
", "\n
\n\n") + str = strings.ReplaceAll(str, "
", "\n\n") } default: continue } - - str = strings.ReplaceAll(str, "\n", "%s`, str)
- str = strings.ReplaceAll(str, "\n", "%s\n", str)
return str
}