all repos — infra @ 13d143bca8aeaec2447be2ee2089fdbb3bb01f27

infrastructure manifests and setup notes

cert-manager/values.yaml (view raw)

  1# Default values for cert-manager.
  2# This is a YAML-formatted file.
  3# Declare variables to be passed into your templates.
  4global:
  5  ## Reference to one or more secrets to be used when pulling images
  6  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  7  ##
  8  imagePullSecrets: []
  9  # - name: "image-pull-secret"
 10
 11  # Optional priority class to be used for the cert-manager pods
 12  priorityClassName: ""
 13  rbac:
 14    create: true
 15
 16  podSecurityPolicy:
 17    enabled: false
 18    useAppArmor: true
 19
 20  # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
 21  logLevel: 2
 22
 23  leaderElection:
 24    # Override the namespace used to store the ConfigMap for leader election
 25    namespace: "kube-system"
 26
 27    # The duration that non-leader candidates will wait after observing a
 28    # leadership renewal until attempting to acquire leadership of a led but
 29    # unrenewed leader slot. This is effectively the maximum duration that a
 30    # leader can be stopped before it is replaced by another candidate.
 31    # leaseDuration: 60s
 32
 33    # The interval between attempts by the acting master to renew a leadership
 34    # slot before it stops leading. This must be less than or equal to the
 35    # lease duration.
 36    # renewDeadline: 40s
 37
 38    # The duration the clients should wait between attempting acquisition and
 39    # renewal of a leadership.
 40    # retryPeriod: 15s
 41
 42installCRDs: true
 43
 44replicaCount: 1
 45
 46strategy: {}
 47  # type: RollingUpdate
 48  # rollingUpdate:
 49  #   maxSurge: 0
 50  #   maxUnavailable: 1
 51
 52# Comma separated list of feature gates that should be enabled on the
 53# controller pod.
 54featureGates: ""
 55
 56image:
 57  repository: quay.io/jetstack/cert-manager-controller
 58  # You can manage a registry with
 59  # registry: quay.io
 60  # repository: jetstack/cert-manager-controller
 61
 62  # Override the image tag to deploy by setting this variable.
 63  # If no value is set, the chart's appVersion will be used.
 64  # tag: canary
 65
 66  # Setting a digest will override any tag
 67  # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
 68  pullPolicy: IfNotPresent
 69
 70# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
 71# resources. By default, the same namespace as cert-manager is deployed within is
 72# used. This namespace will not be automatically created by the Helm chart.
 73clusterResourceNamespace: ""
 74
 75serviceAccount:
 76  # Specifies whether a service account should be created
 77  create: true
 78  # The name of the service account to use.
 79  # If not set and create is true, a name is generated using the fullname template
 80  # name: ""
 81  # Optional additional annotations to add to the controller's ServiceAccount
 82  # annotations: {}
 83  # Automount API credentials for a Service Account.
 84  automountServiceAccountToken: true
 85
 86# Optional additional arguments
 87extraArgs: []
 88  # Use this flag to set a namespace that cert-manager will use to store
 89  # supporting resources required for each ClusterIssuer (default is kube-system)
 90  # - --cluster-resource-namespace=kube-system
 91  # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
 92  # - --enable-certificate-owner-ref=true
 93  # Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
 94  # - --controllers=*,-certificaterequests-approver
 95
 96extraEnv: []
 97# - name: SOME_VAR
 98#   value: 'some value'
 99
100resources: {}
101  # requests:
102  #   cpu: 10m
103  #   memory: 32Mi
104
105# Pod Security Context
106# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
107securityContext:
108  runAsNonRoot: true
109# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported
110# securityContext:
111#   enabled: false
112#   fsGroup: 1001
113#   runAsUser: 1001
114# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters
115# you want to set, e.g.
116# securityContext:
117#   fsGroup: 1000
118#   runAsUser: 1000
119#   runAsNonRoot: true
120
121# Container Security Context to be set on the controller component container
122# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
123containerSecurityContext: {}
124  # capabilities:
125  #   drop:
126  #   - ALL
127  # readOnlyRootFilesystem: true
128  # runAsNonRoot: true
129
130
131volumes: []
132
133volumeMounts: []
134
135# Optional additional annotations to add to the controller Deployment
136# deploymentAnnotations: {}
137
138# Optional additional annotations to add to the controller Pods
139# podAnnotations: {}
140
141podLabels: {}
142
143# Optional additional labels to add to the controller Service
144# serviceLabels: {}
145
146# Optional DNS settings, useful if you have a public and private DNS zone for
147# the same domain on Route 53. What follows is an example of ensuring
148# cert-manager can access an ingress or DNS TXT records at all times.
149# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
150# the cluster to work.
151# podDnsPolicy: "None"
152# podDnsConfig:
153#   nameservers:
154#     - "1.1.1.1"
155#     - "8.8.8.8"
156
157nodeSelector: {}
158
159ingressShim: {}
160  # defaultIssuerName: ""
161  # defaultIssuerKind: ""
162  # defaultIssuerGroup: ""
163
164prometheus:
165  enabled: true
166  servicemonitor:
167    enabled: false
168    prometheusInstance: default
169    targetPort: 9402
170    path: /metrics
171    interval: 60s
172    scrapeTimeout: 30s
173    labels: {}
174
175# Use these variables to configure the HTTP_PROXY environment variables
176# http_proxy: "http://proxy:8080"
177# https_proxy: "https://proxy:8080"
178# no_proxy: 127.0.0.1,localhost
179
180# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
181# for example:
182#   affinity:
183#     nodeAffinity:
184#      requiredDuringSchedulingIgnoredDuringExecution:
185#        nodeSelectorTerms:
186#        - matchExpressions:
187#          - key: foo.bar.com/role
188#            operator: In
189#            values:
190#            - master
191affinity: {}
192
193# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
194# for example:
195#   tolerations:
196#   - key: foo.bar.com/role
197#     operator: Equal
198#     value: master
199#     effect: NoSchedule
200tolerations: []
201
202webhook:
203  replicaCount: 1
204  timeoutSeconds: 10
205
206  strategy: {}
207    # type: RollingUpdate
208    # rollingUpdate:
209    #   maxSurge: 0
210    #   maxUnavailable: 1
211
212  # Pod Security Context to be set on the webhook component Pod
213  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
214  securityContext:
215    runAsNonRoot: true
216
217  # Container Security Context to be set on the webhook component container
218  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
219  containerSecurityContext: {}
220    # capabilities:
221    #   drop:
222    #   - ALL
223    # readOnlyRootFilesystem: true
224    # runAsNonRoot: true
225
226  # Optional additional annotations to add to the webhook Deployment
227  # deploymentAnnotations: {}
228
229  # Optional additional annotations to add to the webhook Pods
230  # podAnnotations: {}
231
232  # Optional additional annotations to add to the webhook MutatingWebhookConfiguration
233  # mutatingWebhookConfigurationAnnotations: {}
234
235  # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
236  # validatingWebhookConfigurationAnnotations: {}
237
238  # Optional additional arguments for webhook
239  extraArgs: []
240
241  resources: {}
242    # requests:
243    #   cpu: 10m
244    #   memory: 32Mi
245
246  ## Liveness and readiness probe values
247  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
248  ##
249  livenessProbe:
250    failureThreshold: 3
251    initialDelaySeconds: 60
252    periodSeconds: 10
253    successThreshold: 1
254    timeoutSeconds: 1
255  readinessProbe:
256    failureThreshold: 3
257    initialDelaySeconds: 5
258    periodSeconds: 5
259    successThreshold: 1
260    timeoutSeconds: 1
261
262  nodeSelector: {}
263
264  affinity: {}
265
266  tolerations: []
267
268  # Optional additional labels to add to the Webhook Pods
269  podLabels: {}
270
271  image:
272    repository: quay.io/jetstack/cert-manager-webhook
273    # You can manage a registry with
274    # registry: quay.io
275    # repository: jetstack/cert-manager-webhook
276
277    # Override the image tag to deploy by setting this variable.
278    # If no value is set, the chart's appVersion will be used.
279    # tag: canary
280
281    # Setting a digest will override any tag
282    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
283
284    pullPolicy: IfNotPresent
285
286  serviceAccount:
287    # Specifies whether a service account should be created
288    create: true
289    # The name of the service account to use.
290    # If not set and create is true, a name is generated using the fullname template
291    # name: ""
292    # Optional additional annotations to add to the controller's ServiceAccount
293    # annotations: {}
294    # Automount API credentials for a Service Account.
295    automountServiceAccountToken: true
296
297  # The port that the webhook should listen on for requests.
298  # In GKE private clusters, by default kubernetes apiservers are allowed to
299  # talk to the cluster nodes only on 443 and 10250. so configuring
300  # securePort: 10250, will work out of the box without needing to add firewall
301  # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
302  securePort: 10250
303
304  # Specifies if the webhook should be started in hostNetwork mode.
305  #
306  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
307  # CNI (such as calico), because control-plane managed by AWS cannot communicate
308  # with pods' IP CIDR and admission webhooks are not working
309  #
310  # Since the default port for the webhook conflicts with kubelet on the host
311  # network, `webhook.securePort` should be changed to an available port if
312  # running in hostNetwork mode.
313  hostNetwork: false
314
315  # Specifies how the service should be handled. Useful if you want to expose the
316  # webhook to outside of the cluster. In some cases, the control plane cannot
317  # reach internal services.
318  serviceType: ClusterIP
319  # loadBalancerIP:
320
321  # Overrides the mutating webhook and validating webhook so they reach the webhook
322  # service using the `url` field instead of a service.
323  url: {}
324    # host:
325
326cainjector:
327  enabled: true
328  replicaCount: 1
329
330  strategy: {}
331    # type: RollingUpdate
332    # rollingUpdate:
333    #   maxSurge: 0
334    #   maxUnavailable: 1
335
336  # Pod Security Context to be set on the cainjector component Pod
337  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
338  securityContext:
339    runAsNonRoot: true
340
341  # Container Security Context to be set on the cainjector component container
342  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
343  containerSecurityContext: {}
344    # capabilities:
345    #   drop:
346    #   - ALL
347    # readOnlyRootFilesystem: true
348    # runAsNonRoot: true
349
350
351  # Optional additional annotations to add to the cainjector Deployment
352  # deploymentAnnotations: {}
353
354  # Optional additional annotations to add to the cainjector Pods
355  # podAnnotations: {}
356
357  # Optional additional arguments for cainjector
358  extraArgs:
359    - --leader-elect=false
360
361  resources: {}
362    # requests:
363    #   cpu: 10m
364    #   memory: 32Mi
365
366  nodeSelector: {}
367
368  affinity: {}
369
370  tolerations: []
371
372  # Optional additional labels to add to the CA Injector Pods
373  podLabels: {}
374
375  image:
376    repository: quay.io/jetstack/cert-manager-cainjector
377    # You can manage a registry with
378    # registry: quay.io
379    # repository: jetstack/cert-manager-cainjector
380
381    # Override the image tag to deploy by setting this variable.
382    # If no value is set, the chart's appVersion will be used.
383    # tag: canary
384
385    # Setting a digest will override any tag
386    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
387
388    pullPolicy: IfNotPresent
389
390  serviceAccount:
391    # Specifies whether a service account should be created
392    create: true
393    # The name of the service account to use.
394    # If not set and create is true, a name is generated using the fullname template
395    # name: ""
396    # Optional additional annotations to add to the controller's ServiceAccount
397    # annotations: {}
398    # Automount API credentials for a Service Account.
399    automountServiceAccountToken: true