cert-manager

Helm chart
Default values

# This file has been modified by Chainguard, Inc.
#
# Copyright Chainguard, Inc. All Rights Reserved.
# Chainguard, Inc. modifications are subject to the license
# available at: https://www.chainguard.dev/legal/software-license-agreement
#
# Copyright Broadcom, Inc. All Rights Reserved.
# SPDX-License-Identifier: APACHE-2.0

## Global Docker image parameters
## Please, note that this will override the image parameters, including dependencies, configured to use the global value
## Current available global Docker image parameters: imageRegistry and imagePullSecrets
## @section Global parameters
## @param global.imageRegistry Global Docker image registry
## @param global.imagePullSecrets Global Docker registry secret names as an array
## @param global.defaultStorageClass Global default StorageClass for Persistent Volume(s)
## @param global.storageClass DEPRECATED: use global.defaultStorageClass instead
##
global:
  imageRegistry: ""
  imagePullSecrets: []
  defaultStorageClass: ""
  storageClass: ""
  ## Security parameters
  ##
  security:
    ## @param global.security.allowInsecureImages Allows skipping image verification
    allowInsecureImages: false
  ## Compatibility adaptations for Kubernetes platforms
  ##
  compatibility:
    ## Compatibility adaptations for Openshift
    ##
    openshift:
      ## @param global.compatibility.openshift.adaptSecurityContext Adapt the securityContext sections of the deployment to make them compatible with Openshift restricted-v2 SCC: remove runAsUser, runAsGroup and fsGroup and let the platform use their allowed default IDs. Possible values: auto (apply if the detected running cluster is Openshift), force (perform the adaptation always), disabled (do not perform adaptation)
      ##
      adaptSecurityContext: auto
  org: ""
## @section Common parameters

## @param kubeVersion Override Kubernetes version
##
kubeVersion: ""
## @param nameOverride String to partially override common.names.fullname
##
nameOverride: ""
## @param fullnameOverride String to fully override common.names.fullname
##
fullnameOverride: ""
## @param commonLabels Labels to add to all deployed objects
##
commonLabels: {}
## @param commonAnnotations Annotations to add to all deployed objects
##
commonAnnotations: {}
## @param extraDeploy Array of extra objects to deploy with the release
##
extraDeploy: []
## @param logLevel Set up cert-manager log level
##
logLevel: 2
## @param clusterResourceNamespace Namespace used to store DNS provider credentials etc. for ClusterIssuer resources. If empty, uses the namespace where the controller is deployed.
##
clusterResourceNamespace: ""
## @param leaderElection.namespace Namespace in which leaderElection works.
##
leaderElection:
  namespace: "kube-system"
## @param installCRDs Flag to install cert-manager CRDs
##
installCRDs: false
## @param replicaCount Number of cert-manager replicas
##
replicaCount: 1
## @section Controller deployment parameters

## Controller deployment parameters
##
controller:
  ## @param controller.replicaCount Number of Controller replicas
  ##
  replicaCount: 1
  ## Iamguarded cert-manager image
  ## @param controller.image.registry [default: REGISTRY_NAME] Controller image registry
  ## @param controller.image.repository [default: REPOSITORY_NAME/cert-manager] Controller image repository
  ## @skip controller.image.tag Controller image tag (immutable tags are recommended)
  ## @param controller.image.digest Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param controller.image.pullPolicy Controller image pull policy
  ## @param controller.image.pullSecrets Controller image pull secrets
  ## @param controller.image.debug Controller image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/cert-manager-controller-iamguarded
    tag: 1.19.4
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## E.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Set to true if you would like to see extra information on logs
    ##
    debug: false
  acmesolver:
    ## @param controller.acmesolver.image.registry [default: REGISTRY_NAME] Controller image registry
    ## @param controller.acmesolver.image.repository [default: REPOSITORY_NAME/acmesolver] Controller image repository
    ## @skip controller.acmesolver.image.tag Controller image tag (immutable tags are recommended)
    ## @param controller.acmesolver.image.digest Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
    ## @param controller.acmesolver.image.pullPolicy Controller image pull policy
    ## @param controller.acmesolver.image.pullSecrets Controller image pull secrets
    ## @param controller.acmesolver.image.debug Controller image debug mode
    ##
    image:
      registry: cgr.dev
      repository: chainguard-private/cert-manager-acmesolver-iamguarded
      tag: 1.19.4
      digest: ""
      ## Specify an imagePullPolicy
      ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
      ##
      pullPolicy: IfNotPresent
      ## Optionally specify an array of imagePullSecrets.
      ## Secrets must be manually created in the namespace.
      ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
      ## E.g:
      ## pullSecrets:
      ##   - myRegistryKeySecretName
      ##
      pullSecrets: []
      ## Set to true if you would like to see extra information on logs
      ##
      debug: false
  ## Controller containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## controller pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param controller.podSecurityContext.enabled Enabled Controller pods' Security Context
  ## @param controller.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param controller.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param controller.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param controller.podSecurityContext.fsGroup Set Controller pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## controller containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param controller.containerSecurityContext.enabled Enabled controller containers' Security Context
  ## @param controller.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param controller.containerSecurityContext.runAsUser Set controller containers' Security Context runAsUser
  ## @param controller.containerSecurityContext.runAsGroup Set controller containers' Security Context runAsGroup
  ## @param controller.containerSecurityContext.runAsNonRoot Set controller containers' Security Context runAsNonRoot
  ## @param controller.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param controller.containerSecurityContext.privileged Set controller container's Security Context privileged
  ## @param controller.containerSecurityContext.allowPrivilegeEscalation Set controller container's Security Context allowPrivilegeEscalation
  ## @param controller.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param controller.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## @param controller.podAffinityPreset Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param controller.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## @param controller.nodeAffinityPreset.type Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard`
  ## @param controller.nodeAffinityPreset.key Node label key to match. Ignored if `controller.affinity` is set
  ## @param controller.nodeAffinityPreset.values Node label values to match. Ignored if `controller.affinity` is set
  ##
  nodeAffinityPreset:
    type: ""
    key: ""
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param controller.affinity Affinity for cert-manager Controller
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `controller.podAffinityPreset`, `controller.podAntiAffinityPreset`, and `controller.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param controller.nodeSelector Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## Controller Container port
  ## @param controller.containerPorts.http Controller HTTP container port
  ## @param controller.containerPorts.health Controller Health container port
  ##
  containerPorts:
    http: 9402
    health: 9403
  ## @param controller.command Override Controller default command
  ##
  command: []
  ## @param controller.args Override Controller default args
  ##
  args: []
  ## @param controller.priorityClassName Controller pod priority class name
  ##
  priorityClassName: ""
  ## @param controller.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param controller.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param controller.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param controller.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param controller.hostAliases Custom host aliases for Controller pods
  ## ref: https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param controller.tolerations Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param controller.podLabels Extra labels for Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param controller.podAnnotations Annotations for Controller pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param controller.dnsPolicy Controller pod DNS policy
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
  ##
  dnsPolicy: ""
  ## @param controller.dnsConfig Controller pod DNS config. Required if `controller.dnsPolicy` is set to `None`
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
  ## E.g:
  ## dnsConfig:
  ##   nameservers:
  ##     - "1.1.1.1"
  ##
  dnsConfig: {}
  ## @param controller.lifecycleHooks Add lifecycle hooks to the Controller deployment
  ##
  lifecycleHooks: {}
  ## @param controller.updateStrategy.type Controller deployment update strategy
  ## @param controller.updateStrategy.rollingUpdate Controller deployment rolling update configuration parameters
  ##
  updateStrategy:
    type: RollingUpdate
    rollingUpdate: {}
  ## @param controller.extraArgs Extra arguments to pass to the Controller container
  ## E.g:
  ## extraArgs:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraArgs: []
  ## @param controller.extraEnvVars Add extra environment variables to the Controller container
  ## E.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param controller.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
  ##
  extraEnvVarsCM: ""
  ## @param controller.extraEnvVarsSecret Name of existing Secret containing extra env vars
  ##
  extraEnvVarsSecret: ""
  ## @param controller.extraVolumes Optionally specify extra list of additional volumes for Controller pods
  ##
  extraVolumes: []
  ## @param controller.extraVolumeMounts Optionally specify extra list of additional volumeMounts for Controller container(s)
  ##
  extraVolumeMounts: []
  ## @param controller.initContainers Add additional init containers to the Controller pods
  ## ref: https://kubernetes.io/docs/concepts/workloads/pods/init-containers/
  ## E.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## @param controller.sidecars Add additional sidecar containers to the Controller pod
  ## E.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## @param controller.livenessProbe.enabled Enable livenessProbe
  ## @param controller.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param controller.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param controller.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param controller.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param controller.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## @param controller.readinessProbe.enabled Enable readinessProbe
  ## @param controller.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param controller.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param controller.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param controller.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param controller.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## @param controller.startupProbe.enabled Enable startupProbe
  ## @param controller.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param controller.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param controller.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param controller.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param controller.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## Custom Startup probes for controller
  ## @param controller.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## Custom Liveness probes for controller
  ## @param controller.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## Custom Readiness probes for controller
  ## @param controller.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param controller.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param controller.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param controller.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
    ## @param controller.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## Controller Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param controller.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param controller.networkPolicy.allowExternal Don't require client label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## client label will have network access to the ports Cert Manager Controller is listening
    ## on. When true, Cert Manager Controller will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param controller.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param controller.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param controller.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param controller.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param controller.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param controller.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## @param controller.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param controller.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param controller.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `controller.pdb.minAvailable` and `controller.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
## @section Webhook deployment parameters

## Webhook deployment parameters
##
webhook:
  ## @param webhook.replicaCount Number of Webhook replicas
  ##
  replicaCount: 1
  ## Iamguarded cert-manager Webhook image
  ## @param webhook.image.registry [default: REGISTRY_NAME] Webhook image registry
  ## @param webhook.image.repository [default: REPOSITORY_NAME/cert-manager-webhook] Webhook image repository
  ## @skip webhook.image.tag Webhook image tag (immutable tags are recommended)
  ## @param webhook.image.digest Webhook image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param webhook.image.pullPolicy Webhook image pull policy
  ## @param webhook.image.pullSecrets Webhook image pull secrets
  ## @param webhook.image.debug Webhook image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/cert-manager-webhook-iamguarded
    tag: 1.19.4
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## E.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Set to true if you would like to see extra information on logs
    ##
    debug: false
  ## @param webhook.timeoutSeconds [default: 30] How many seconds the webhook should wait for a response before timing out
  ## ref: https://cert-manager.io/docs/troubleshooting/webhook/#error-context-deadline-exceeded
  ## Default value is configured to 30 seconds (the maximum value allowed by Kubernetes)
  ##
  timeoutSeconds: 30
  ## Webhook containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ## @param webhook.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if webhook.resources is set (webhook.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param webhook.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## webhook pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param webhook.podSecurityContext.enabled Enabled Webhook pods' Security Context
  ## @param webhook.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param webhook.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param webhook.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param webhook.podSecurityContext.fsGroup Set Webhook pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## webhook containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param webhook.containerSecurityContext.enabled Enabled webhook containers' Security Context
  ## @param webhook.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param webhook.containerSecurityContext.runAsUser Set webhook containers' Security Context runAsUser
  ## @param webhook.containerSecurityContext.runAsGroup Set webhook containers' Security Context runAsGroup
  ## @param webhook.containerSecurityContext.runAsNonRoot Set webhook containers' Security Context runAsNonRoot
  ## @param webhook.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param webhook.containerSecurityContext.privileged Set webhook container's Security Context privileged
  ## @param webhook.containerSecurityContext.allowPrivilegeEscalation Set webhook container's Security Context allowPrivilegeEscalation
  ## @param webhook.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param webhook.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## @param webhook.podAffinityPreset Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAffinityPreset: ""
  ## @param webhook.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## @param webhook.nodeAffinityPreset.type Node affinity preset type. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard`
  ## @param webhook.nodeAffinityPreset.key Node label key to match. Ignored if `webhook.affinity` is set
  ## @param webhook.nodeAffinityPreset.values Node label values to match. Ignored if `webhook.affinity` is set
  ##
  nodeAffinityPreset:
    type: ""
    key: ""
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param webhook.affinity Affinity for cert-manager Webhook
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `webhook.podAffinityPreset`, `webhook.podAntiAffinityPreset`, and `webhook.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param webhook.nodeSelector Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## Webhook Container port
  ## @param webhook.containerPorts.https Webhook HTTPS container port
  ## @param webhook.containerPorts.health Webhook health container port
  ##
  containerPorts:
    https: 10250
    health: 6080
  ## Webhook https port
  ## @param webhook.service.ports.https Webhook HTTPS service port
  ##
  service:
    ports:
      https: 443
  ## @param webhook.command Override Webhook default command
  ##
  command: []
  ## @param webhook.args Override Webhook default args
  ##
  args: []
633
## @param webhook.livenessProbe.enabled Enable livenessProbe
634
## @param webhook.livenessProbe.path Path for livenessProbe
635
## @param webhook.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
636
## @param webhook.livenessProbe.periodSeconds Period seconds for livenessProbe
637
## @param webhook.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
638
## @param webhook.livenessProbe.failureThreshold Failure threshold for livenessProbe
639
## @param webhook.livenessProbe.successThreshold Success threshold for livenessProbe
640
##
641
livenessProbe:
642
enabled: true
643
path: /livez
644
initialDelaySeconds: 60
645
periodSeconds: 10
646
timeoutSeconds: 1
647
successThreshold: 1
648
failureThreshold: 3
649
## @param webhook.readinessProbe.enabled Enable readinessProbe
650
## @param webhook.readinessProbe.path Path for readinessProbe
651
## @param webhook.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
652
## @param webhook.readinessProbe.periodSeconds Period seconds for readinessProbe
653
## @param webhook.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
654
## @param webhook.readinessProbe.failureThreshold Failure threshold for readinessProbe
655
## @param webhook.readinessProbe.successThreshold Success threshold for readinessProbe
656
##
657
readinessProbe:
658
enabled: true
659
path: /healthz
660
initialDelaySeconds: 5
661
periodSeconds: 5
662
timeoutSeconds: 1
663
successThreshold: 1
664
failureThreshold: 3
665
## Custom Startup probes for webhook
666
## @param webhook.customStartupProbe Override default startup probe
667
##
668
customStartupProbe: {}
669
## Custom Liveness probes for webhook
670
## @param webhook.customLivenessProbe Override default liveness probe
671
##
672
customLivenessProbe: {}
673
## Custom Rediness probes webhook
674
## @param webhook.customReadinessProbe Override default readiness probe
675
##
676
customReadinessProbe: {}
677
  ## @param webhook.priorityClassName Webhook pod priority class name
  ##
  priorityClassName: ""
  ## @param webhook.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param webhook.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param webhook.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param webhook.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param webhook.hostAliases Custom host aliases for Webhook pods
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param webhook.tolerations Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param webhook.podLabels Extra labels for Webhook pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param webhook.podAnnotations Annotations for Webhook pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param webhook.lifecycleHooks Add lifecycle hooks to the Webhook deployment
  ##
  lifecycleHooks: {}
  ## @param webhook.updateStrategy.type Webhook deployment update strategy
  ## @param webhook.updateStrategy.rollingUpdate Webhook deployment rolling update configuration parameters
  ##
  updateStrategy:
    type: RollingUpdate
    rollingUpdate: {}
  ## @param webhook.extraArgs Extra arguments to pass to the Webhook container
  ## E.g:
  ## extraArgs:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraArgs: []
  ## @param webhook.extraEnvVars Add extra environment variables to the Webhook container
  ## E.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param webhook.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
  ##
  extraEnvVarsCM: ""
  ## @param webhook.extraEnvVarsSecret Name of existing Secret containing extra env vars
  ##
  extraEnvVarsSecret: ""
  ## @param webhook.extraVolumes Optionally specify extra list of additional volumes for Webhook pods
  ##
  extraVolumes: []
  ## @param webhook.extraVolumeMounts Optionally specify extra list of additional volumeMounts for Webhook container
  ##
  extraVolumeMounts: []
  ## @param webhook.initContainers Add additional init containers to the Webhook pods
  ## E.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## @param webhook.sidecars Add additional sidecar containers to the Webhook pod
  ## E.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param webhook.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param webhook.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param webhook.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
    ## @param webhook.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  ## @param webhook.hostNetwork Specifies hostNetwork value
  ##
  hostNetwork: false
  ## Webhook Network Policies
  ## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
  ##
  networkPolicy:
    ## @param webhook.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param webhook.networkPolicy.allowExternal Don't require client label for connections
    ## The Policy model to apply. When set to false, only pods with the correct
    ## client label will have network access to the ports Cert Manager Webhook is listening
    ## on. When true, Cert Manager Webhook will accept connections from any source
    ## (with the correct destination port).
    ##
    allowExternal: true
    ## @param webhook.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param webhook.networkPolicy.kubeAPIServerPorts [array] List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security)
    ##
    kubeAPIServerPorts: [443, 6443, 8443]
    ## @param webhook.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param webhook.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
    ## @param webhook.networkPolicy.ingressNSMatchLabels [object] Labels to match to allow traffic from other namespaces
    ## @param webhook.networkPolicy.ingressNSPodMatchLabels [object] Pod labels to match to allow traffic from other namespaces
    ##
    ingressNSMatchLabels: {}
    ingressNSPodMatchLabels: {}
  ## @param webhook.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param webhook.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param webhook.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `webhook.pdb.minAvailable` and `webhook.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
## @section CAInjector deployment parameters

## CAInjector deployment parameters
##
cainjector:
  ## @param cainjector.replicaCount Number of CAInjector replicas
  ##
  replicaCount: 1
  ## Iamguarded CAInjector image
  ## @param cainjector.image.registry [default: REGISTRY_NAME] CAInjector image registry
  ## @param cainjector.image.repository [default: REPOSITORY_NAME/cainjector] CAInjector image repository
  ## @skip cainjector.image.tag CAInjector image tag (immutable tags are recommended)
  ## @param cainjector.image.digest CAInjector image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag
  ## @param cainjector.image.pullPolicy CAInjector image pull policy
  ## @param cainjector.image.pullSecrets CAInjector image pull secrets
  ## @param cainjector.image.debug CAInjector image debug mode
  ##
  image:
    registry: cgr.dev
    repository: chainguard-private/cert-manager-cainjector-iamguarded
    tag: 1.19.4
    digest: ""
    ## Specify an imagePullPolicy
    ## ref: https://kubernetes.io/docs/concepts/containers/images/#pre-pulled-images
    ##
    pullPolicy: IfNotPresent
    ## Optionally specify an array of imagePullSecrets.
    ## Secrets must be manually created in the namespace.
    ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
    ## E.g:
    ## pullSecrets:
    ##   - myRegistryKeySecretName
    ##
    pullSecrets: []
    ## Set to true if you would like to see extra information on logs
    ##
    debug: false
  ## CAInjector containers' resource requests and limits
  ## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
  ##
  ## @param cainjector.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, micro, small, medium, large, xlarge, 2xlarge). This is ignored if cainjector.resources is set (cainjector.resources is recommended for production).
  ##
  resourcesPreset: "nano"
  ## @param cainjector.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
  ## Example:
  ## resources:
  ##   requests:
  ##     cpu: 2
  ##     memory: 512Mi
  ##   limits:
  ##     cpu: 3
  ##     memory: 1024Mi
  ##
  resources: {}
  ## cainjector pods' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
  ## @param cainjector.podSecurityContext.enabled Enabled CAInjector pods' Security Context
  ## @param cainjector.podSecurityContext.fsGroupChangePolicy Set filesystem group change policy
  ## @param cainjector.podSecurityContext.sysctls Set kernel settings using the sysctl interface
  ## @param cainjector.podSecurityContext.supplementalGroups Set filesystem extra groups
  ## @param cainjector.podSecurityContext.fsGroup Set CAInjector pod's Security Context fsGroup
  ##
  podSecurityContext:
    enabled: true
    fsGroupChangePolicy: Always
    sysctls: []
    supplementalGroups: []
    fsGroup: 1001
  ## cainjector containers' Security Context
  ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
  ## @param cainjector.containerSecurityContext.enabled Enabled cainjector containers' Security Context
  ## @param cainjector.containerSecurityContext.seLinuxOptions [object,nullable] Set SELinux options in container
  ## @param cainjector.containerSecurityContext.runAsUser Set cainjector containers' Security Context runAsUser
  ## @param cainjector.containerSecurityContext.runAsGroup Set cainjector containers' Security Context runAsGroup
  ## @param cainjector.containerSecurityContext.runAsNonRoot Set cainjector containers' Security Context runAsNonRoot
  ## @param cainjector.containerSecurityContext.readOnlyRootFilesystem Set read only root file system pod's Security Conte
  ## @param cainjector.containerSecurityContext.privileged Set cainjector container's Security Context privileged
  ## @param cainjector.containerSecurityContext.allowPrivilegeEscalation Set cainjector container's Security Context allowPrivilegeEscalation
  ## @param cainjector.containerSecurityContext.capabilities.drop List of capabilities to be dropped
  ## @param cainjector.containerSecurityContext.seccompProfile.type Set container's Security Context seccomp profile
  ##
  containerSecurityContext:
    enabled: true
    seLinuxOptions: {}
    runAsUser: 1001
    runAsGroup: 1001
    runAsNonRoot: true
    privileged: false
    allowPrivilegeEscalation: false
    capabilities:
      drop: ["ALL"]
    seccompProfile:
      type: "RuntimeDefault"
    readOnlyRootFilesystem: true
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ## @param cainjector.podAffinityPreset Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
  ##
  podAffinityPreset: ""
  ## @param cainjector.podAntiAffinityPreset Pod anti-affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#inter-pod-affinity-and-anti-affinity
  ##
  podAntiAffinityPreset: soft
  ## Node affinity preset
  ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/#node-affinity
  ## @param cainjector.nodeAffinityPreset.type Node affinity preset type. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard`
  ## @param cainjector.nodeAffinityPreset.key Node label key to match. Ignored if `cainjector.affinity` is set
  ## @param cainjector.nodeAffinityPreset.values Node label values to match. Ignored if `cainjector.affinity` is set
  ##
  nodeAffinityPreset:
    type: ""
    key: ""
    ## E.g.
    ## values:
    ##   - e2e-az1
    ##   - e2e-az2
    ##
    values: []
  ## @param cainjector.affinity Affinity for cert-manager CAInjector
  ## ref: https://kubernetes.io/docs/concepts/configuration/assign-pod-node/#affinity-and-anti-affinity
  ## NOTE: `cainjector.podAffinityPreset`, `cainjector.podAntiAffinityPreset`, and `cainjector.nodeAffinityPreset` will be ignored when it's set
  ##
  affinity: {}
  ## @param cainjector.nodeSelector Node labels for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
  ##
  nodeSelector: {}
  ## @param cainjector.command Override CAInjector default command
  ##
  command: []
  ## @param cainjector.args Override CAInjector default args
  ##
  args: []
  ## @param cainjector.priorityClassName CAInjector pod priority class name
  ##
  priorityClassName: ""
  ## @param cainjector.runtimeClassName Name of the runtime class to be used by pod(s)
  ## ref: https://kubernetes.io/docs/concepts/containers/runtime-class/
  ##
  runtimeClassName: ""
  ## @param cainjector.schedulerName Name of the k8s scheduler (other than default)
  ## ref: https://kubernetes.io/docs/tasks/administer-cluster/configure-multiple-schedulers/
  ##
  schedulerName: ""
  ## @param cainjector.topologySpreadConstraints Topology Spread Constraints for pod assignment
  ## https://kubernetes.io/docs/concepts/workloads/pods/pod-topology-spread-constraints/
  ## The value is evaluated as a template
  ##
  topologySpreadConstraints: []
  ## @param cainjector.automountServiceAccountToken Mount Service Account token in pod
  ##
  automountServiceAccountToken: true
  ## @param cainjector.hostAliases Custom host aliases for CAInjector pods
  ## https://kubernetes.io/docs/concepts/services-networking/add-entries-to-pod-etc-hosts-with-host-aliases/
  ##
  hostAliases: []
  ## @param cainjector.tolerations Tolerations for pod assignment
  ## ref: https://kubernetes.io/docs/concepts/configuration/taint-and-toleration/
  ##
  tolerations: []
  ## @param cainjector.podLabels Extra labels for CAInjector pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
  ##
  podLabels: {}
  ## @param cainjector.podAnnotations Annotations for CAInjector pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations: {}
  ## @param cainjector.lifecycleHooks Add lifecycle hooks to the CAInjector deployment
  ##
  lifecycleHooks: {}
  ## @param cainjector.updateStrategy.type CAInjector deployment update strategy
  ## @param cainjector.updateStrategy.rollingUpdate CAInjector deployment rolling update configuration parameters
  updateStrategy:
    type: RollingUpdate
    rollingUpdate: {}
  ## @param cainjector.livenessProbe.enabled Enable livenessProbe
  ## @param cainjector.livenessProbe.initialDelaySeconds Initial delay seconds for livenessProbe
  ## @param cainjector.livenessProbe.periodSeconds Period seconds for livenessProbe
  ## @param cainjector.livenessProbe.timeoutSeconds Timeout seconds for livenessProbe
  ## @param cainjector.livenessProbe.failureThreshold Failure threshold for livenessProbe
  ## @param cainjector.livenessProbe.successThreshold Success threshold for livenessProbe
  ##
  livenessProbe:
    enabled: true
    initialDelaySeconds: 60
    periodSeconds: 10
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## @param cainjector.readinessProbe.enabled Enable readinessProbe
  ## @param cainjector.readinessProbe.initialDelaySeconds Initial delay seconds for readinessProbe
  ## @param cainjector.readinessProbe.periodSeconds Period seconds for readinessProbe
  ## @param cainjector.readinessProbe.timeoutSeconds Timeout seconds for readinessProbe
  ## @param cainjector.readinessProbe.failureThreshold Failure threshold for readinessProbe
  ## @param cainjector.readinessProbe.successThreshold Success threshold for readinessProbe
  ##
  readinessProbe:
    enabled: true
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## @param cainjector.startupProbe.enabled Enable startupProbe
  ## @param cainjector.startupProbe.initialDelaySeconds Initial delay seconds for startupProbe
  ## @param cainjector.startupProbe.periodSeconds Period seconds for startupProbe
  ## @param cainjector.startupProbe.timeoutSeconds Timeout seconds for startupProbe
  ## @param cainjector.startupProbe.failureThreshold Failure threshold for startupProbe
  ## @param cainjector.startupProbe.successThreshold Success threshold for startupProbe
  ##
  startupProbe:
    enabled: false
    initialDelaySeconds: 5
    periodSeconds: 5
    timeoutSeconds: 1
    successThreshold: 1
    failureThreshold: 3
  ## Custom Startup probes for cainjector
  ## @param cainjector.customStartupProbe Override default startup probe
  ##
  customStartupProbe: {}
  ## Custom Liveness probes for cainjector
  ## @param cainjector.customLivenessProbe Override default liveness probe
  ##
  customLivenessProbe: {}
  ## Custom Readiness probes for cainjector
  ## @param cainjector.customReadinessProbe Override default readiness probe
  ##
  customReadinessProbe: {}
  ## @param cainjector.extraArgs Extra arguments to pass to the CAInjector container
  ## E.g:
  ## extraArgs:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraArgs: []
  ## @param cainjector.extraEnvVars Add extra environment variables to the CAInjector container
  ## E.g:
  ## extraEnvVars:
  ##   - name: FOO
  ##     value: "bar"
  ##
  extraEnvVars: []
  ## @param cainjector.extraEnvVarsCM Name of existing ConfigMap containing extra env vars
  ##
  extraEnvVarsCM: ""
  ## @param cainjector.extraEnvVarsSecret Name of existing Secret containing extra env vars
  ##
  extraEnvVarsSecret: ""
  ## @param cainjector.extraVolumes Optionally specify extra list of additional volumes for CAInjector pods
  ##
  extraVolumes: []
  ## @param cainjector.extraVolumeMounts Optionally specify extra list of additional volumeMounts for CAInjector container(s)
  ##
  extraVolumeMounts: []
  ## @param cainjector.initContainers Add additional init containers to the CAInjector pods
  ## E.g:
  ## initContainers:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  initContainers: []
  ## @param cainjector.sidecars Add additional sidecar containers to the CAInjector pod
  ## E.g:
  ## sidecars:
  ##   - name: your-image-name
  ##     image: your-image
  ##     imagePullPolicy: Always
  ##     ports:
  ##       - name: portname
  ##         containerPort: 1234
  ##
  sidecars: []
  ## ServiceAccount configuration
  ##
  serviceAccount:
    ## @param cainjector.serviceAccount.create Specifies whether a ServiceAccount should be created
    ##
    create: true
    ## @param cainjector.serviceAccount.name The name of the ServiceAccount to use.
    ## If not set and create is true, a name is generated using the common.names.fullname template
    ##
    name: ""
    ## @param cainjector.serviceAccount.annotations Additional custom annotations for the ServiceAccount
    ##
    annotations: {}
    ## @param cainjector.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
    ##
    automountServiceAccountToken: false
  networkPolicy:
    ## @param cainjector.networkPolicy.enabled Specifies whether a NetworkPolicy should be created
    ##
    enabled: true
    ## @param cainjector.networkPolicy.allowExternalEgress Allow the pod to access any range of port and all destinations.
    ##
    allowExternalEgress: true
    ## @param cainjector.networkPolicy.extraIngress [array] Add extra ingress rules to the NetworkPolicy
    ## e.g:
    ## extraIngress:
    ##   - ports:
    ##       - port: 1234
    ##     from:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    extraIngress: []
    ## @param cainjector.networkPolicy.extraEgress [array] Add extra egress rules to the NetworkPolicy
    ## e.g:
    ## extraEgress:
    ##   - ports:
    ##       - port: 1234
    ##     to:
    ##       - podSelector:
    ##           - matchLabels:
    ##               - role: frontend
    ##       - podSelector:
    ##           - matchExpressions:
    ##               - key: role
    ##                 operator: In
    ##                 values:
    ##                   - frontend
    ##
    extraEgress: []
  ## @param cainjector.pdb.create Enable/disable a Pod Disruption Budget creation
  ## @param cainjector.pdb.minAvailable Minimum number/percentage of pods that should remain scheduled
  ## @param cainjector.pdb.maxUnavailable Maximum number/percentage of pods that may be made unavailable. Defaults to `1` if both `cainjector.pdb.minAvailable` and `cainjector.pdb.maxUnavailable` are empty.
  ##
  pdb:
    create: true
    minAvailable: ""
    maxUnavailable: ""
## @section Metrics Parameters
metrics:
  ## @param metrics.enabled Start metrics
  ##
  enabled: true
  ## Prometheus Service Monitor
  ## ref: https://github.com/coreos/prometheus-operator
  ##      https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
  ##
  ## @param metrics.podAnnotations [object] Annotations for cert-manager exporter pods
  ## ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations/
  ##
  podAnnotations:
    prometheus.io/path: "/metrics"
    prometheus.io/scrape: "true"
    prometheus.io/port: "{{ .Values.controller.containerPorts.http }}"
  ## Prometheus Operator ServiceMonitor resource
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.path The path which the ServiceMonitor will monitor
    ##
    path: /metrics
    ## @param metrics.serviceMonitor.targetPort The port in which the ServiceMonitor will monitor
    ##
    targetPort: 9402
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace which Prometheus is running in
    ## e.g:
    ## namespace: monitoring
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: 60s
    ## @param metrics.serviceMonitor.scrapeTimeout Timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: 30s
    ## @param metrics.serviceMonitor.relabelings RelabelConfigs to apply to samples before scraping
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    relabelings: []
    ## @param metrics.serviceMonitor.metricRelabelings MetricRelabelConfigs to apply to samples before ingestion
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
    ##
    metricRelabelings: []
    ## @param metrics.serviceMonitor.selector ServiceMonitor selector labels
    ##
    ## selector:
    ##   prometheus: my-prometheus
    ##
    selector: {}
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}
    ## @param metrics.serviceMonitor.additionalLabels DEPRECATED. Use metrics.serviceMonitor.labels instead.
    ##
    additionalLabels: {}
    ## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
    ##
    honorLabels: false
## @section Other Parameters

## RBAC configuration
## @param rbac.create Specifies whether RBAC resources should be created
##
rbac:
  create: true
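An audit of the security-relevant keys documented in this values file, as an added example that is not part of the chart or of Chainguard's code. It reads merged release values as JSON (the shape `helm get values <release> --all -o json` prints) and reports keys left at the more permissive setting. The rule set, the sample input and the function names are assumptions of this example.

```python
import json

# Constructed sample: a subset of merged release values in the JSON shape that
# `helm get values <release> --all -o json` prints, using this file's defaults.
SAMPLE_VALUES = json.loads("""
{
  "webhook": {
    "hostNetwork": false,
    "networkPolicy": {"enabled": true, "allowExternal": true,
                      "allowExternalEgress": true,
                      "kubeAPIServerPorts": [443, 6443, 8443]}
  },
  "cainjector": {
    "image": {"tag": "1.19.4", "digest": ""},
    "networkPolicy": {"enabled": true, "allowExternalEgress": true},
    "containerSecurityContext": {
      "enabled": true, "runAsNonRoot": true, "privileged": false,
      "allowPrivilegeEscalation": false, "readOnlyRootFilesystem": true,
      "capabilities": {"drop": ["ALL"]},
      "seccompProfile": {"type": "RuntimeDefault"}}
  }
}
""")

DEFAULT_API_PORTS = [443, 6443, 8443]  # kubeAPIServerPorts default in this file
MISSING = object()  # sentinel: key absent from the input
CSC = "containerSecurityContext."


def lookup(values, dotted_path):
    """Resolve a dotted path such as 'webhook.networkPolicy.enabled'."""
    node = values
    for part in dotted_path.split("."):
        if not isinstance(node, dict) or part not in node:
            return MISSING
        node = node[part]
    return node


# (key below the component, check returning True when acceptable, finding text).
# Which keys to check is this example's assumption, not a policy of the chart.
RULES = [
    ("hostNetwork", lambda v: v is False, "pod runs on the host network"),
    ("networkPolicy.enabled", lambda v: v is True, "no NetworkPolicy is created"),
    ("networkPolicy.allowExternal", lambda v: v is False,
     "connections accepted from any source, no client label required"),
    ("networkPolicy.allowExternalEgress", lambda v: v is False,
     "egress allowed to any port and destination"),
    ("networkPolicy.kubeAPIServerPorts", lambda v: v != DEFAULT_API_PORTS,
     "still the default port list, not limited to this cluster"),
    ("image.digest", lambda v: isinstance(v, str) and v.startswith("sha256:"),
     "image selected by tag only, no digest pinned"),
    (CSC + "enabled", lambda v: v is True, "container securityContext disabled"),
    (CSC + "runAsNonRoot", lambda v: v is True, "container may run as root"),
    (CSC + "privileged", lambda v: v is False, "privileged container"),
    (CSC + "allowPrivilegeEscalation", lambda v: v is False,
     "privilege escalation allowed"),
    (CSC + "readOnlyRootFilesystem", lambda v: v is True,
     "root filesystem is writable"),
    (CSC + "capabilities.drop", lambda v: isinstance(v, list) and "ALL" in v,
     "capabilities are not all dropped"),
]


def audit(values, components=("webhook", "cainjector")):
    """Return (path, value, finding) for each present key that fails a rule."""
    findings = []
    for component in components:
        for key, acceptable, text in RULES:
            path = f"{component}.{key}"
            value = lookup(values, path)
            if value is not MISSING and not acceptable(value):
                findings.append((path, value, text))
    return findings


if __name__ == "__main__":
    for path, value, text in audit(SAMPLE_VALUES):
        print(f"{path} = {value!r}: {text}")
```

Keys that are absent from the input are skipped rather than reported, so the same rules apply to components that do not define a given key (for example, `cainjector.networkPolicy` has no `allowExternal`).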

© 2025 Chainguard. All Rights Reserved.