# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
  ## Reference to one or more secrets to be used when pulling images
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
  ##
  imagePullSecrets: []
  # - name: "image-pull-secret"

  # Optional priority class to be used for the cert-manager pods
  priorityClassName: ""

  # Whether the chart creates its RBAC resources. Disable only when they are
  # provisioned outside the chart.
  rbac:
    create: true

  # PodSecurityPolicy settings for the cert-manager pods.
  # NOTE(review): PodSecurityPolicy is deprecated upstream and removed in
  # Kubernetes 1.25 — confirm the target cluster still serves the API before
  # enabling this.
  podSecurityPolicy:
    enabled: false
    useAppArmor: true

  # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
  # Keep the default unless actively debugging; higher levels put more
  # operational detail into the controller logs.
  logLevel: 2

  leaderElection:
    # Override the namespace used to store the ConfigMap for leader election
    namespace: "kube-system"

    # The duration that non-leader candidates will wait after observing a
    # leadership renewal until attempting to acquire leadership of a led but
    # unrenewed leader slot. This is effectively the maximum duration that a
    # leader can be stopped before it is replaced by another candidate.
    # leaseDuration: 60s

    # The interval between attempts by the acting master to renew a leadership
    # slot before it stops leading. This must be less than or equal to the
    # lease duration.
    # renewDeadline: 40s

    # The duration the clients should wait between attempting acquisition and
    # renewal of a leadership.
    # retryPeriod: 15s

# Install the cert-manager CRDs as part of this release.
# NOTE(review): when the chart owns the CRDs, uninstalling the release may
# remove them together with every custom resource they hold — confirm the
# uninstall behaviour for your Helm version before relying on it.
installCRDs: true

# Number of controller replicas.
replicaCount: 1

# Deployment update strategy for the controller; empty uses the API default.
strategy: {}
  # type: RollingUpdate
  # rollingUpdate:
  #   maxSurge: 0
  #   maxUnavailable: 1

# Comma separated list of feature gates that should be enabled on the
# controller pod.
featureGates: ""

image:
  repository: quay.io/jetstack/cert-manager-controller
  # You can manage a registry with
  # registry: quay.io
  # repository: jetstack/cert-manager-controller

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion will be used.
  # tag: canary

  # Setting a digest will override any tag.
  # A digest is an immutable reference, unlike a tag; prefer it when the
  # deployed image must not change underneath the release.
  # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

  # With a mutable tag, IfNotPresent keeps whatever the node already has
  # cached under that tag; pin a digest if that matters.
  pullPolicy: IfNotPresent

# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: ""

serviceAccount:
  # Specifies whether a service account should be created
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  # name: ""
  # Optional additional annotations to add to the controller's ServiceAccount
  # annotations: {}
  # Automount API credentials for a Service Account.
  # Presumably the mounted token is what the controller uses against the API
  # server, so leave this enabled unless credentials are supplied another way.
  automountServiceAccountToken: true

# Optional additional arguments
extraArgs: []
  # Use this flag to set a namespace that cert-manager will use to store
  # supporting resources required for each ClusterIssuer (default is kube-system)
  # - --cluster-resource-namespace=kube-system
  # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
  # - --enable-certificate-owner-ref=true
  # Use this flag to enable or disable arbitrary controllers, for example, disable the CertificateRequests approver
  # - --controllers=*,-certificaterequests-approver

# Optional additional environment variables for the controller container
extraEnv: []
# - name: SOME_VAR
#   value: 'some value'

# Controller container resource requests/limits; empty means none are set.
resources: {}
  # requests:
  #   cpu: 10m
  #   memory: 32Mi

# Pod Security Context
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
securityContext:
  runAsNonRoot: true
# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported
# securityContext:
#   enabled: false
#   fsGroup: 1001
#   runAsUser: 1001
# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters
# you want to set, e.g.
# securityContext:
#   fsGroup: 1000
#   runAsUser: 1000
#   runAsNonRoot: true

# Container Security Context to be set on the controller component container
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
# An empty context leaves the container on the runtime defaults (no
# capabilities dropped, writable root filesystem). The commented values
# below are the hardened baseline to enable where the workload permits it.
containerSecurityContext: {}
  # capabilities:
  #   drop:
  #   - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true


# Optional additional volumes for the controller Pod
volumes: []

# Optional additional volume mounts for the controller container
volumeMounts: []

# Optional additional annotations to add to the controller Deployment
# deploymentAnnotations: {}

# Optional additional annotations to add to the controller Pods
# podAnnotations: {}

# Optional additional labels to add to the controller Pods
podLabels: {}

# Optional additional labels to add to the controller Service
# serviceLabels: {}

# Optional DNS settings, useful if you have a public and private DNS zone for
# the same domain on Route 53. What follows is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# podDnsPolicy: "None"
# podDnsConfig:
#   nameservers:
#     - "1.1.1.1"
#     - "8.8.8.8"

nodeSelector: {}

# Defaults applied by the ingress-shim when an Ingress does not name an issuer
ingressShim: {}
  # defaultIssuerName: ""
  # defaultIssuerKind: ""
  # defaultIssuerGroup: ""

# Controller metrics. The servicemonitor settings only take effect when
# servicemonitor.enabled is true.
# NOTE(review): nothing here configures auth or TLS for the metrics port —
# verify how the endpoint is exposed and limit reachability to the scraper.
prometheus:
  enabled: true
  servicemonitor:
    enabled: false
    prometheusInstance: default
    targetPort: 9402
    path: /metrics
    interval: 60s
    scrapeTimeout: 30s
    labels: {}

# Use these variables to configure the HTTP_PROXY environment variables
# http_proxy: "http://proxy:8080"
# https_proxy: "https://proxy:8080"
# no_proxy: 127.0.0.1,localhost

# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
# for example:
#   affinity:
#     nodeAffinity:
#       requiredDuringSchedulingIgnoredDuringExecution:
#         nodeSelectorTerms:
#         - matchExpressions:
#           - key: foo.bar.com/role
#             operator: In
#             values:
#             - master
affinity: {}

# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
# for example:
#   tolerations:
#   - key: foo.bar.com/role
#     operator: Equal
#     value: master
#     effect: NoSchedule
tolerations: []

webhook:
  replicaCount: 1
  # Timeout in seconds for the admission webhook — presumably what the API
  # server waits before failing the request; verify against the template.
  timeoutSeconds: 10

  strategy: {}
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 0
    #   maxUnavailable: 1

  # Pod Security Context to be set on the webhook component Pod
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  securityContext:
    runAsNonRoot: true

  # Container Security Context to be set on the webhook component container
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  # Empty means runtime defaults (no capabilities dropped, writable root
  # filesystem); the commented values below are the hardened baseline.
  containerSecurityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true

  # Optional additional annotations to add to the webhook Deployment
  # deploymentAnnotations: {}

  # Optional additional annotations to add to the webhook Pods
  # podAnnotations: {}

  # Optional additional annotations to add to the webhook MutatingWebhookConfiguration
  # mutatingWebhookConfigurationAnnotations: {}

  # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
  # validatingWebhookConfigurationAnnotations: {}

  # Optional additional arguments for webhook
  extraArgs: []

  resources: {}
    # requests:
    #   cpu: 10m
    #   memory: 32Mi

  ## Liveness and readiness probe values
  ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
  ##
  livenessProbe:
    failureThreshold: 3
    initialDelaySeconds: 60
    periodSeconds: 10
    successThreshold: 1
    timeoutSeconds: 1
  readinessProbe:
    failureThreshold: 3
    initialDelaySeconds: 5
    periodSeconds: 5
    successThreshold: 1
    timeoutSeconds: 1

  nodeSelector: {}

  affinity: {}

  tolerations: []

  # Optional additional labels to add to the Webhook Pods
  podLabels: {}

  image:
    repository: quay.io/jetstack/cert-manager-webhook
    # You can manage a registry with
    # registry: quay.io
    # repository: jetstack/cert-manager-webhook

    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion will be used.
    # tag: canary

    # Setting a digest will override any tag. A digest is an immutable
    # reference; prefer it when the deployed image must not change.
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    pullPolicy: IfNotPresent

  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    # name: ""
    # Optional additional annotations to add to the webhook's ServiceAccount
    # annotations: {}
    # Automount API credentials for a Service Account.
    automountServiceAccountToken: true

  # The port that the webhook should listen on for requests.
  # In GKE private clusters, by default kubernetes apiservers are allowed to
  # talk to the cluster nodes only on 443 and 10250, so configuring
  # securePort: 10250 will work out of the box without needing to add firewall
  # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
  securePort: 10250

  # Specifies if the webhook should be started in hostNetwork mode.
  #
  # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
  # CNI (such as calico), because the control plane managed by AWS cannot communicate
  # with the pods' IP CIDR and admission webhooks do not work.
  #
  # Since the default port for the webhook conflicts with kubelet on the host
  # network, `webhook.securePort` should be changed to an available port if
  # running in hostNetwork mode.
  #
  # hostNetwork gives the pod the node's network namespace, so the listening
  # port is reachable wherever the node is; keep it false unless required.
  hostNetwork: false

  # Specifies how the service should be handled. Useful if you want to expose the
  # webhook to outside of the cluster. In some cases, the control plane cannot
  # reach internal services.
  # Anything other than ClusterIP makes the webhook reachable from beyond the
  # cluster network; restrict who can reach it (loadBalancerIP, firewalling).
  serviceType: ClusterIP
  # loadBalancerIP:

  # Overrides the mutating webhook and validating webhook so they reach the webhook
  # service using the `url` field instead of a service.
  url: {}
    # host:

cainjector:
  # Deploy the cainjector component.
  enabled: true
  replicaCount: 1

  strategy: {}
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 0
    #   maxUnavailable: 1

  # Pod Security Context to be set on the cainjector component Pod
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  securityContext:
    runAsNonRoot: true

  # Container Security Context to be set on the cainjector component container
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
  # Empty means runtime defaults (no capabilities dropped, writable root
  # filesystem); the commented values below are the hardened baseline.
  containerSecurityContext: {}
    # capabilities:
    #   drop:
    #   - ALL
    # readOnlyRootFilesystem: true
    # runAsNonRoot: true


  # Optional additional annotations to add to the cainjector Deployment
  # deploymentAnnotations: {}

  # Optional additional annotations to add to the cainjector Pods
  # podAnnotations: {}

  # Optional additional arguments for cainjector
  # Leader election is disabled, which matches replicaCount: 1. If the
  # replica count is raised, this flag presumably has to go so that only one
  # instance acts at a time — confirm before scaling.
  extraArgs:
    - --leader-elect=false

  resources: {}
    # requests:
    #   cpu: 10m
    #   memory: 32Mi

  nodeSelector: {}

  affinity: {}

  tolerations: []

  # Optional additional labels to add to the CA Injector Pods
  podLabels: {}

  image:
    repository: quay.io/jetstack/cert-manager-cainjector
    # You can manage a registry with
    # registry: quay.io
    # repository: jetstack/cert-manager-cainjector

    # Override the image tag to deploy by setting this variable.
    # If no value is set, the chart's appVersion will be used.
    # tag: canary

    # Setting a digest will override any tag. A digest is an immutable
    # reference; prefer it when the deployed image must not change.
    # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

    pullPolicy: IfNotPresent

  serviceAccount:
    # Specifies whether a service account should be created
    create: true
    # The name of the service account to use.
    # If not set and create is true, a name is generated using the fullname template
    # name: ""
    # Optional additional annotations to add to the cainjector's ServiceAccount
    # annotations: {}
    # Automount API credentials for a Service Account.
    automountServiceAccountToken: true