Abstract
Documentation for the Cert Manager Helm Chart values.
Cert Manager Helm Chart Docs#
This folder contains a values file to deploy the Cert Manager Helm Chart along with a JSON schema file generated from that values file.
This is a copy
Any documentation here was originally sourced from the Cert Manager’s Helm Chart documentation. In the event of conflicts between this information and the source repository, the source repository should be considered the truth.
Schema Generation#
If you need to update the JSON schema, follow these steps.
Make sure the Helm
schema-genplugin is installed.helm plugin install https://github.com/karuppiah7890/helm-schema-gen
Use the plugin to generate the new schema.
helm schema-gen values.yaml
Usage#
Add the repository to Helm.
helm repo add jetstack https://charts.jetstack.io --force-update helm repo update
Edit the
values.yamlas you need.Create the namespace.
kubectl create ns cert-manager
Deploy the chart.
helm install \ cert-manager jetstack/cert-manager \ --namespace cert-manager \ --create-namespace \ --version v1.15.3 \ -f values.yaml
If the deployment succeeds, you’ll see something like this in your output.
NAME: cert-manager
LAST DEPLOYED: Mon Sep 30 17:08:34 2024
NAMESPACE: cert-manager
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
cert-manager v1.15.3 has been deployed successfully!
In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
More information on the different types of issuers and how to configure them
can be found in our documentation:
https://cert-manager.io/docs/configuration/
For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the `ingress-shim`
documentation:
https://cert-manager.io/docs/usage/ingress/
Bootstrap a PKI#
We’ll be self-signing things since this is intended to run locally. Information on how that works is available in the cert-manager self-signed CA guide.
Bootstrap an in-cluster issuer.
kubectl -n cert-manager apply -f manifests/BootstrapCA.yaml
Issue a root CA cert.
kubectl -n cert-manager apply -f manifests/IssueCACert.yaml
This is described in the root CA issuance guide.
Start securing resources.
This process is described cert-manager ingress guide.
Values#
# +docs:section=Global
# Default values for cert-manager.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
global:
# Reference to one or more secrets to be used when pulling images.
# For more information, see [Pull an Image from a Private Registry](https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/).
#
# For example:
# imagePullSecrets:
# - name: "image-pull-secret"
imagePullSecrets: []
# Labels to apply to all resources.
# Please note that this does not add labels to the resources created dynamically by the controllers.
# For these resources, you have to add the labels in the template in the cert-manager custom resource:
# For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress).
# For example, secretTemplate in CertificateSpec
# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec).
commonLabels: {}
# app.kubernetes.io/name: cert-manager
# The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).
# +docs:property
# revisionHistoryLimit: 1
# The optional priority class to be used for the cert-manager pods.
priorityClassName: ""
rbac:
# Create required ClusterRoles and ClusterRoleBindings for cert-manager.
create: true
# Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles)
aggregateClusterRoles: true
podSecurityPolicy:
# Create PodSecurityPolicy for cert-manager.
#
# Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
enabled: false
# Configure the PodSecurityPolicy to use AppArmor.
useAppArmor: true
# Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose.
logLevel: 2
leaderElection:
# Override the namespace used for the leader election lease.
namespace: "cert-manager"
# The duration that non-leader candidates will wait after observing af
# leadership renewal until attempting to acquire leadership of a led but
# unrenewed leader slot. This is effectively the maximum duration that a
# leader can be stopped before it is replaced by another candidate.
# +docs:property
# leaseDuration: 60s
# The interval between attempts by the acting master to renew a leadership
# slot before it stops leading. This must be less than or equal to the
# lease duration.
# +docs:property
# renewDeadline: 40s
# The duration the clients should wait between attempting acquisition and
# renewal of a leadership.
# +docs:property
# retryPeriod: 15s
# This option is equivalent to setting crds.enabled=true and crds.keep=true.
# Deprecated: use crds.enabled and crds.keep instead.
installCRDs: false
crds:
# This option decides if the CRDs should be installed
# as part of the Helm installation.
enabled: true
# This option makes it so that the "helm.sh/resource-policy": keep
# annotation is added to the CRD. This will prevent Helm from uninstalling
# the CRD when the Helm release is uninstalled.
# WARNING: when the CRDs are removed, all cert-manager custom resources
# (Certificates, Issuers, ...) will be removed too by the garbage collector.
keep: false
# +docs:section=Controller
# The number of replicas of the cert-manager controller to run.
#
# The default is 1, but in production set this to 2 or 3 to provide high
# availability.
#
# If `replicas > 1`, consider setting `podDisruptionBudget.enabled=true`.
#
# Note that cert-manager uses leader election to ensure that there can
# only be a single instance active at a time.
replicaCount: 1
# Deployment update strategy for the cert-manager controller deployment.
# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
#
# For example:
# strategy:
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
strategy: {}
podDisruptionBudget:
# Enable or disable the PodDisruptionBudget resource.
#
# This prevents downtime during voluntary disruptions such as during a Node upgrade.
# For example, the PodDisruptionBudget will block `kubectl drain`
# if it is used on the Node where the only remaining cert-manager
# Pod is currently running.
enabled: false
# This configures the minimum available pods for disruptions. It can either be set to
# an integer (e.g. 1) or a percentage value (e.g. 25%).
# It cannot be used if `maxUnavailable` is set.
# +docs:property
# minAvailable: 1
# This configures the maximum unavailable pods for disruptions. It can either be set to
# an integer (e.g. 1) or a percentage value (e.g. 25%).
# it cannot be used if `minAvailable` is set.
# +docs:property
# maxUnavailable: 1
# A comma-separated list of feature gates that should be enabled on the
# controller pod.
featureGates: ""
# The maximum number of challenges that can be scheduled as 'processing' at once.
maxConcurrentChallenges: 60
image:
# The container registry to pull the manager image from.
# +docs:property
# registry: quay.io
# The container image for the cert-manager controller.
# +docs:property
repository: quay.io/jetstack/cert-manager-controller
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion is used.
# +docs:property
# tag: vX.Y.Z
# Setting a digest will override any tag.
# +docs:property
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# Kubernetes imagePullPolicy on Deployment.
pullPolicy: IfNotPresent
# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
# resources. By default, the same namespace as cert-manager is deployed within is
# used. This namespace will not be automatically created by the Helm chart.
clusterResourceNamespace: "cert-manager"
# This namespace allows you to define where the services are installed into.
# If not set then they use the namespace of the release.
# This is helpful when installing cert manager as a chart dependency (sub chart).
namespace: "cert-manager"
serviceAccount:
# Specifies whether a service account should be created.
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
# +docs:property
# name: ""
# Optional additional annotations to add to the controller's Service Account.
# +docs:property
# annotations: {}
# Optional additional labels to add to the controller's Service Account.
# +docs:property
# labels: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted.
enableCertificateOwnerRef: true
# This property is used to configure options for the controller pod.
# This allows setting options that would usually be provided using flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags will override options that are set here.
#
# For example:
config:
apiVersion: controller.config.cert-manager.io/v1alpha1
kind: ControllerConfiguration
enableGatewayAPI: true
logging:
verbosity: 2
format: text
leaderElectionConfig:
namespace: kube-system
kubernetesAPIQPS: 9000
kubernetesAPIBurst: 9000
numberOfConcurrentWorkers: 200
featureGates:
AdditionalCertificateOutputFormats: true
DisallowInsecureCSRUsageDefinition: true
ExperimentalCertificateSigningRequestControllers: true
ExperimentalGatewayAPISupport: true
LiteralCertificateSubject: true
SecretsFilteredCaching: true
ServerSideApply: true
StableCertificateRequestName: true
UseCertificateRequestBasicConstraints: true
ValidateCAA: true
metricsTLSConfig:
dynamic:
secretNamespace: "cert-manager"
secretName: "cert-manager-metrics-ca"
dnsNames:
- cert-manager-metrics
- cert-manager-metrics.cert-manager
- cert-manager-metrics.cert-manager.svc
# config: {}
# Setting Nameservers for DNS01 Self Check.
# For more information, see the [cert-manager documentation](https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check).
# A comma-separated string with the host and port of the recursive nameservers cert-manager should query.
dns01RecursiveNameservers: "192.168.5.3:53,192.168.5.4:53"
# Forces cert-manager to use only the recursive nameservers for verification.
# Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.
dns01RecursiveNameserversOnly: false
# Option to disable cert-manager's build-in auto-approver. The auto-approver
# approves all CertificateRequests that reference issuers matching the 'approveSignerNames'
# option. This 'disableAutoApproval' option is useful when you want to make all approval decisions
# using a different approver (like approver-policy - https://github.com/cert-manager/approver-policy).
disableAutoApproval: false
# List of signer names that cert-manager will approve by default. CertificateRequests
# referencing these signer names will be auto-approved by cert-manager. Defaults to just
# approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty
# array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval,
# because eg. you are using approver-policy, you can enable 'disableAutoApproval'.
# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
# +docs:property
approveSignerNames:
- issuers.cert-manager.io/*
- clusterissuers.cert-manager.io/*
# Additional command line flags to pass to cert-manager controller binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-controller:<version> --help`.
#
# Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificiateRequests approver.
#
# For example:
# extraArgs:
# - --controllers=*,-certificaterequests-approver
extraArgs: []
# Additional environment variables to pass to cert-manager controller binary.
extraEnv: []
# - name: SOME_VAR
# value: 'some value'
# Resources to provide to the cert-manager controller pod.
#
# For example:
# requests:
# cpu: 10m
# memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
resources: {}
# Pod Security Context.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the controller component container.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
# Additional volumes to add to the cert-manager controller pod.
volumes: []
# Additional volume mounts to add to the cert-manager controller container.
volumeMounts: []
# Optional additional annotations to add to the controller Deployment.
# +docs:property
# deploymentAnnotations: {}
# Optional additional annotations to add to the controller Pods.
# +docs:property
# podAnnotations: {}
# Optional additional labels to add to the controller Pods.
podLabels: {}
# Optional annotations to add to the controller Service.
# +docs:property
# serviceAnnotations: {}
# Optional additional labels to add to the controller Service.
# +docs:property
# serviceLabels: {}
# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
# +docs:property
# serviceIPFamilyPolicy: ""
# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
# +docs:property
# serviceIPFamilies: []
# Optional DNS settings. These are useful if you have a public and private DNS zone for
# the same domain on Route 53. The following is an example of ensuring
# cert-manager can access an ingress or DNS TXT records at all times.
# Note that this requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
# the cluster to work.
# Pod DNS policy.
# For more information, see [Pod's DNS Policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy).
# +docs:property
# podDnsPolicy: "None"
# Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy
# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified.
# For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config).
# +docs:property
# podDnsConfig:
# nameservers:
# - "1.1.1.1"
# - "8.8.8.8"
# Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks.
hostAliases: []
# - ip: 127.0.0.1
# hostnames:
# - foo.local
# - bar.local
# - ip: 10.1.2.3
# hostnames:
# - foo.remote
# - bar.remote
# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
kubernetes.io/os: linux
# +docs:ignore
ingressShim: {}
# Optional default issuer to use for ingress resources.
# +docs:property=ingressShim.defaultIssuerName
# defaultIssuerName: ""
# Optional default issuer kind to use for ingress resources.
# +docs:property=ingressShim.defaultIssuerKind
# defaultIssuerKind: ""
# Optional default issuer group to use for ingress resources.
# +docs:property=ingressShim.defaultIssuerGroup
# defaultIssuerGroup: ""
# Use these variables to configure the HTTP_PROXY environment variables.
# Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# http_proxy: "http://proxy:8080"
# Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
# +docs:property
# https_proxy: "https://proxy:8080"
# Configures the NO_PROXY environment variable where a HTTP proxy is required,
# but certain domains should be excluded.
# +docs:property
# no_proxy: 127.0.0.1,localhost
# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
#
# For example:
# topologySpreadConstraints:
# - maxSkew: 2
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels:
# app.kubernetes.io/instance: cert-manager
# app.kubernetes.io/component: controller
topologySpreadConstraints: []
# LivenessProbe settings for the controller container of the controller Pod.
#
# This is enabled by default, in order to enable the clock-skew liveness probe that
# restarts the controller in case of a skew between the system clock and the monotonic clock.
# LivenessProbe durations and thresholds are based on those used for the Kubernetes
# controller-manager. For more information see the following on the
# [Kubernetes GitHub repository](https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245)
# +docs:property
livenessProbe:
enabled: true
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 15
successThreshold: 1
failureThreshold: 8
# enableServiceLinks indicates whether information about services should be
# injected into the pod's environment variables, matching the syntax of Docker
# links.
enableServiceLinks: false
# +docs:section=Prometheus
prometheus:
# Enable Prometheus monitoring for the cert-manager controller to use with the
# Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or
# `prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment
# resources. Additionally, a service is created which can be used together
# with your own ServiceMonitor (managed outside of this Helm chart).
# Otherwise, a ServiceMonitor/ PodMonitor is created.
enabled: true
servicemonitor:
# Create a ServiceMonitor to add cert-manager to Prometheus.
enabled: false
# Specifies the `prometheus` label on the created ServiceMonitor. This is
# used when different Prometheus instances have label selectors matching
# different ServiceMonitors.
prometheusInstance: default
# The target port to set on the ServiceMonitor. This must match the port that the
# cert-manager controller is listening on for metrics.
targetPort: 9402
# The path to scrape for metrics.
path: /metrics
# The interval to scrape metrics.
interval: 60s
# The timeout before a metrics scrape fails.
scrapeTimeout: 30s
# Additional labels to add to the ServiceMonitor.
labels: {}
# Additional annotations to add to the ServiceMonitor.
annotations: {}
# Keep labels from scraped data, overriding server-side labels.
honorLabels: false
# EndpointAdditionalProperties allows setting additional properties on the
# endpoint such as relabelings, metricRelabelings etc.
#
# For example:
# endpointAdditionalProperties:
# relabelings:
# - action: replace
# sourceLabels:
# - __meta_kubernetes_pod_node_name
# targetLabel: instance
#
# +docs:property
endpointAdditionalProperties: {}
# Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in a error.
podmonitor:
# Create a PodMonitor to add cert-manager to Prometheus.
enabled: false
# Specifies the `prometheus` label on the created PodMonitor. This is
# used when different Prometheus instances have label selectors matching
# different PodMonitors.
prometheusInstance: default
# The path to scrape for metrics.
path: /metrics
# The interval to scrape metrics.
interval: 60s
# The timeout before a metrics scrape fails.
scrapeTimeout: 30s
# Additional labels to add to the PodMonitor.
labels: {}
# Additional annotations to add to the PodMonitor.
annotations: {}
# Keep labels from scraped data, overriding server-side labels.
honorLabels: false
# EndpointAdditionalProperties allows setting additional properties on the
# endpoint such as relabelings, metricRelabelings etc.
#
# For example:
# endpointAdditionalProperties:
# relabelings:
# - action: replace
# sourceLabels:
# - __meta_kubernetes_pod_node_name
# targetLabel: instance
#
# +docs:property
endpointAdditionalProperties: {}
# +docs:section=Webhook
webhook:
# Number of replicas of the cert-manager webhook to run.
#
# The default is 1, but in production set this to 2 or 3 to provide high
# availability.
#
# If `replicas > 1`, consider setting `webhook.podDisruptionBudget.enabled=true`.
replicaCount: 1
# The number of seconds the API server should wait for the webhook to respond before treating the call as a failure.
# The value must be between 1 and 30 seconds. For more information, see
# [Validating webhook configuration v1](https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/).
#
# The default is set to the maximum value of 30 seconds as
# users sometimes report that the connection between the K8S API server and
# the cert-manager webhook server times out.
# If *this* timeout is reached, the error message will be "context deadline exceeded",
# which doesn't help the user diagnose what phase of the HTTPS connection timed out.
# For example, it could be during DNS resolution, TCP connection, TLS
# negotiation, HTTP negotiation, or slow HTTP response from the webhook
# server.
# By setting this timeout to its maximum value the underlying timeout error
# message has more chance of being returned to the end user.
timeoutSeconds: 30
# This is used to configure options for the webhook pod.
# This allows setting options that would usually be provided using flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags override options that are set here.
#
# For example:
# apiVersion: webhook.config.cert-manager.io/v1alpha1
# kind: WebhookConfiguration
# # The port that the webhook listens on for requests.
# # In GKE private clusters, by default Kubernetes apiservers are allowed to
# # talk to the cluster nodes only on 443 and 10250. Configuring
# # securePort: 10250 therefore will work out-of-the-box without needing to add firewall
# # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.
# # This should be uncommented and set as a default by the chart once
# # the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
# securePort: 10250
config: {}
# The update strategy for the cert-manager webhook deployment.
# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy)
#
# For example:
# strategy:
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
strategy: {}
# Pod Security Context to be set on the webhook component Pod.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the webhook component container.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
podDisruptionBudget:
# Enable or disable the PodDisruptionBudget resource.
#
# This prevents downtime during voluntary disruptions such as during a Node upgrade.
# For example, the PodDisruptionBudget will block `kubectl drain`
# if it is used on the Node where the only remaining cert-manager
# Pod is currently running.
enabled: false
# This property configures the minimum available pods for disruptions. Can either be set to
# an integer (e.g. 1) or a percentage value (e.g. 25%).
# It cannot be used if `maxUnavailable` is set.
# +docs:property
# minAvailable: 1
# This property configures the maximum unavailable pods for disruptions. Can either be set to
# an integer (e.g. 1) or a percentage value (e.g. 25%).
# It cannot be used if `minAvailable` is set.
# +docs:property
# maxUnavailable: 1
# Optional additional annotations to add to the webhook Deployment.
# +docs:property
# deploymentAnnotations: {}
# Optional additional annotations to add to the webhook Pods.
# +docs:property
# podAnnotations: {}
# Optional additional annotations to add to the webhook Service.
# +docs:property
# serviceAnnotations: {}
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration.
# +docs:property
# mutatingWebhookConfigurationAnnotations: {}
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration.
# +docs:property
# validatingWebhookConfigurationAnnotations: {}
validatingWebhookConfiguration:
# Configure spec.namespaceSelector for validating webhooks.
# +docs:property
namespaceSelector:
matchExpressions:
- key: "cert-manager.io/disable-validation"
operator: "NotIn"
values:
- "true"
mutatingWebhookConfiguration:
# Configure spec.namespaceSelector for mutating webhooks.
# +docs:property
namespaceSelector: {}
# matchLabels:
# key: value
# matchExpressions:
# - key: kubernetes.io/metadata.name
# operator: NotIn
# values:
# - kube-system
# Additional command line flags to pass to cert-manager webhook binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-webhook:<version> --help`.
extraArgs: []
# Path to a file containing a WebhookConfiguration object used to configure the webhook.
# - --config=<path-to-config-file>
# Comma separated list of feature gates that should be enabled on the
# webhook pod.
featureGates: ""
# Resources to provide to the cert-manager webhook pod.
#
# For example:
# requests:
# cpu: 10m
# memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
resources: {}
# Liveness probe values.
# For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
#
# +docs:property
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
# Readiness probe values.
# For more information, see [Container probes](https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes).
#
# +docs:property
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
kubernetes.io/os: linux
# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
#
# For example:
# topologySpreadConstraints:
# - maxSkew: 2
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels:
# app.kubernetes.io/instance: cert-manager
# app.kubernetes.io/component: controller
topologySpreadConstraints: []
# Optional additional labels to add to the Webhook Pods.
podLabels: {}
# Optional additional labels to add to the Webhook Service.
serviceLabels: {}
# Optionally set the IP family policy for the controller Service to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services).
serviceIPFamilyPolicy: ""
# Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
serviceIPFamilies: []
image:
# The container registry to pull the webhook image from.
# +docs:property
# registry: quay.io
# The container image for the cert-manager webhook
# +docs:property
repository: quay.io/jetstack/cert-manager-webhook
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# +docs:property
# tag: vX.Y.Z
# Setting a digest will override any tag
# +docs:property
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# Kubernetes imagePullPolicy on Deployment.
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created.
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
# +docs:property
# name: ""
# Optional additional annotations to add to the controller's Service Account.
# +docs:property
# annotations: {}
# Optional additional labels to add to the webhook's Service Account.
# +docs:property
# labels: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true
# The port that the webhook listens on for requests.
# In GKE private clusters, by default Kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. Configuring
# securePort: 10250, therefore will work out-of-the-box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
securePort: 10250
# Specifies if the webhook should be started in hostNetwork mode.
#
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
# CNI (such as calico), because control-plane managed by AWS cannot communicate
# with pods' IP CIDR and admission webhooks are not working
#
# Since the default port for the webhook conflicts with kubelet on the host
# network, `webhook.securePort` should be changed to an available port if
# running in hostNetwork mode.
hostNetwork: false
# Specifies how the service should be handled. Useful if you want to expose the
# webhook outside of the cluster. In some cases, the control plane cannot
# reach internal services.
serviceType: ClusterIP
# Specify the load balancer IP for the created service.
# +docs:property
# loadBalancerIP: "10.10.10.10"
# Overrides the mutating webhook and validating webhook so they reach the webhook
# service using the `url` field instead of a service.
url: {}
# host:
# Enables default network policies for webhooks.
networkPolicy:
# Create network policies for the webhooks.
enabled: false
# Ingress rule for the webhook network policy. By default, it allows all
# inbound traffic.
# +docs:property
ingress:
- from:
- ipBlock:
cidr: 0.0.0.0/0
# Egress rule for the webhook network policy. By default, it allows all
# outbound traffic to ports 80 and 443, as well as DNS ports.
# +docs:property
egress:
- ports:
- port: 80
protocol: TCP
- port: 443
protocol: TCP
- port: 53
protocol: TCP
- port: 53
protocol: UDP
# On OpenShift and OKD, the Kubernetes API server listens on.
# port 6443.
- port: 6443
protocol: TCP
to:
- ipBlock:
cidr: 0.0.0.0/0
# Additional volumes to add to the cert-manager controller pod.
volumes: []
# Additional volume mounts to add to the cert-manager controller container.
volumeMounts: []
# enableServiceLinks indicates whether information about services should be
# injected into the pod's environment variables, matching the syntax of Docker
# links.
enableServiceLinks: false
# +docs:section=CA Injector
cainjector:
# Create the CA Injector deployment
enabled: true
# The number of replicas of the cert-manager cainjector to run.
#
# The default is 1, but in production set this to 2 or 3 to provide high
# availability.
#
# If `replicas > 1`, consider setting `cainjector.podDisruptionBudget.enabled=true`.
#
# Note that cert-manager uses leader election to ensure that there can
# only be a single instance active at a time.
replicaCount: 1
# This is used to configure options for the cainjector pod.
# It allows setting options that are usually provided via flags.
# An APIVersion and Kind must be specified in your values.yaml file.
# Flags override options that are set here.
#
# For example:
# apiVersion: cainjector.config.cert-manager.io/v1alpha1
# kind: CAInjectorConfiguration
# logging:
# verbosity: 2
# format: text
# leaderElectionConfig:
# namespace: kube-system
config: {}
# Deployment update strategy for the cert-manager cainjector deployment.
# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
#
# For example:
# strategy:
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
strategy: {}
# Pod Security Context to be set on the cainjector component Pod
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the cainjector component container
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
podDisruptionBudget:
# Enable or disable the PodDisruptionBudget resource.
#
# This prevents downtime during voluntary disruptions such as during a Node upgrade.
# For example, the PodDisruptionBudget will block `kubectl drain`
# if it is used on the Node where the only remaining cert-manager
# Pod is currently running.
enabled: false
# `minAvailable` configures the minimum available pods for disruptions. It can either be set to
# an integer (e.g. 1) or a percentage value (e.g. 25%).
# Cannot be used if `maxUnavailable` is set.
# +docs:property
# minAvailable: 1
# `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to
# an integer (e.g. 1) or a percentage value (e.g. 25%).
# Cannot be used if `minAvailable` is set.
# +docs:property
# maxUnavailable: 1
# Optional additional annotations to add to the cainjector Deployment.
# +docs:property
# deploymentAnnotations: {}
# Optional additional annotations to add to the cainjector Pods.
# +docs:property
# podAnnotations: {}
# Additional command line flags to pass to cert-manager cainjector binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-cainjector:<version> --help`.
extraArgs: []
# Enable profiling for cainjector.
# - --enable-profiling=true
# Comma separated list of feature gates that should be enabled on the
# cainjector pod.
featureGates: ""
# Resources to provide to the cert-manager cainjector pod.
#
# For example:
# requests:
# cpu: 10m
# memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
resources: {}
# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
kubernetes.io/os: linux
# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
#
# For example:
# topologySpreadConstraints:
# - maxSkew: 2
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels:
# app.kubernetes.io/instance: cert-manager
# app.kubernetes.io/component: controller
topologySpreadConstraints: []
# Optional additional labels to add to the CA Injector Pods.
podLabels: {}
image:
# The container registry to pull the cainjector image from.
# +docs:property
# registry: quay.io
# The container image for the cert-manager cainjector
# +docs:property
repository: quay.io/jetstack/cert-manager-cainjector
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion will be used.
# +docs:property
# tag: vX.Y.Z
# Setting a digest will override any tag.
# +docs:property
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# Kubernetes imagePullPolicy on Deployment.
pullPolicy: IfNotPresent
serviceAccount:
# Specifies whether a service account should be created.
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template
# +docs:property
# name: ""
# Optional additional annotations to add to the controller's Service Account.
# +docs:property
# annotations: {}
# Optional additional labels to add to the cainjector's Service Account.
# +docs:property
# labels: {}
# Automount API credentials for a Service Account.
automountServiceAccountToken: true
# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true
# Additional volumes to add to the cert-manager controller pod.
volumes: []
# Additional volume mounts to add to the cert-manager controller container.
volumeMounts: []
# enableServiceLinks indicates whether information about services should be
# injected into the pod's environment variables, matching the syntax of Docker
# links.
enableServiceLinks: false
# +docs:section=ACME Solver
acmesolver:
image:
# The container registry to pull the acmesolver image from.
# +docs:property
# registry: quay.io
# The container image for the cert-manager acmesolver.
# +docs:property
repository: quay.io/jetstack/cert-manager-acmesolver
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion is used.
# +docs:property
# tag: vX.Y.Z
# Setting a digest will override any tag.
# +docs:property
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# Kubernetes imagePullPolicy on Deployment.
pullPolicy: IfNotPresent
# +docs:section=Startup API Check
# This startupapicheck is a Helm post-install hook that waits for the webhook
# endpoints to become available.
# The check is implemented using a Kubernetes Job - if you are injecting mesh
# sidecar proxies into cert-manager pods, ensure that they
# are not injected into this Job's pod. Otherwise, the installation may time out
# owing to the Job never being completed because the sidecar proxy does not exit.
# For more information, see [this note](https://github.com/cert-manager/cert-manager/pull/4414).
startupapicheck:
# Enables the startup api check.
enabled: true
# Pod Security Context to be set on the startupapicheck component Pod.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
# Container Security Context to be set on the controller component container.
# For more information, see [Configure a Security Context for a Pod or Container](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
# +docs:property
containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
# Timeout for 'kubectl check api' command.
timeout: 1m
# Job backoffLimit
backoffLimit: 4
# Optional additional annotations to add to the startupapicheck Job.
# +docs:property
jobAnnotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "1"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Optional additional annotations to add to the startupapicheck Pods.
# +docs:property
# podAnnotations: {}
# Additional command line flags to pass to startupapicheck binary.
# To see all available flags run `docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help`.
#
# Verbose logging is enabled by default so that if startupapicheck fails, you
# can know what exactly caused the failure. Verbose logs include details of
# the webhook URL, IP address and TCP connect errors for example.
# +docs:property
extraArgs:
- -v
# Resources to provide to the cert-manager controller pod.
#
# For example:
# requests:
# cpu: 10m
# memory: 32Mi
#
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
resources: {}
# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
#
# This default ensures that Pods are only scheduled to Linux nodes.
# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
# +docs:property
nodeSelector:
kubernetes.io/os: linux
# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
# For example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# Optional additional labels to add to the startupapicheck Pods.
podLabels: {}
image:
# The container registry to pull the startupapicheck image from.
# +docs:property
# registry: quay.io
# The container image for the cert-manager startupapicheck.
# +docs:property
repository: quay.io/jetstack/cert-manager-startupapicheck
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion is used.
# +docs:property
# tag: vX.Y.Z
# Setting a digest will override any tag.
# +docs:property
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# Kubernetes imagePullPolicy on Deployment.
pullPolicy: IfNotPresent
rbac:
# annotations for the startup API Check job RBAC and PSP resources.
# +docs:property
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automounting API credentials for a particular pod.
# +docs:property
# automountServiceAccountToken: true
serviceAccount:
# Specifies whether a service account should be created.
create: true
# The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template.
# +docs:property
# name: ""
# Optional additional annotations to add to the Job's Service Account.
# +docs:property
annotations:
helm.sh/hook: post-install
helm.sh/hook-weight: "-5"
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
# Automount API credentials for a Service Account.
# +docs:property
automountServiceAccountToken: true
# Optional additional labels to add to the startupapicheck's Service Account.
# +docs:property
# labels: {}
# Additional volumes to add to the cert-manager controller pod.
volumes: []
# Additional volume mounts to add to the cert-manager controller container.
volumeMounts: []
# enableServiceLinks indicates whether information about services should be
# injected into pod's environment variables, matching the syntax of Docker
# links.
enableServiceLinks: false
###
# Create dynamic manifests via values.
#
# For example:
# extraObjects:
# - |
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: '{{ template "cert-manager.name" . }}-extra-configmap'
extraObjects: []
cert-manager is a Kubernetes addon to automate the management and issuance of TLS certificates from various issuing sources.
It will ensure certificates are valid and up to date periodically, and attempt to renew certificates at an appropriate time before expiry.
Prerequisites#
Kubernetes 1.22+
Installing the Chart#
Full installation instructions, including details on how to configure extra functionality in cert-manager can be found in the installation docs.
Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources. This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
kubectl apply \
-f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.crds.yaml
To install the chart with the release name cert-manager
## Add the Jetstack Helm repository
helm repo add jetstack https://charts.jetstack.io --force-update
## Install the cert-manager helm chart
helm install cert-manager --namespace cert-manager \
--version v1.15.3 jetstack/cert-manager
In order to begin issuing certificates, you will need to set up a ClusterIssuer or Issuer resource (for example, by creating a ‘letsencrypt-staging’ issuer).
More information on the different types of issuers and how to configure them can be found in our documentation.
For information on how to configure cert-manager to automatically provision Certificates for Ingress resources, take a look at the Securing Ingresses documentation.
Tip
List all releases using helm list
Upgrading the Chart#
Special considerations may be required when upgrading the Helm chart, and these are documented in our full upgrading guide.
Warning
Please check here before performing upgrades!
Uninstalling the Chart#
To uninstall/delete the cert-manager deployment:
helm delete cert-manager --namespace cert-manager
The command removes all the Kubernetes components associated with the chart and deletes the release.
If you want to completely uninstall cert-manager from your cluster, you will also need to delete the previously installed CustomResourceDefinition resources:
kubectl delete \
-f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.crds.yaml
Configuration#
Global#
global.imagePullSecrets ~ array#
Default value:
[]
Reference to one or more secrets to be used when pulling images. For more information, see Pull an Image from a Private Registry.
For example:
imagePullSecrets:
- name: "image-pull-secret"
global.commonLabels ~ object#
Default value:
{}
Labels to apply to all resources. Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the cert-manager documentation. For example, secretTemplate in CertificateSpec For more information, see the cert-manager documentation.
global.revisionHistoryLimit ~ number#
The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).
global.priorityClassName ~ string#
Default value:
""
The optional priority class to be used for the cert-manager pods.
global.rbac.create ~ bool#
Default value:
true
Create required ClusterRoles and ClusterRoleBindings for cert-manager.
global.rbac.aggregateClusterRoles ~ bool#
Default value:
true
Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see User-facing roles
global.podSecurityPolicy.enabled ~ bool#
Default value:
false
Create PodSecurityPolicy for cert-manager.
Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.
global.podSecurityPolicy.useAppArmor ~ bool#
Default value:
true
Configure the PodSecurityPolicy to use AppArmor.
global.logLevel ~ number#
Default value:
2
Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose.
global.leaderElection.namespace ~ string#
Default value:
kube-system
Override the namespace used for the leader election lease.
global.leaderElection.leaseDuration ~ string#
The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate.
global.leaderElection.renewDeadline ~ string#
The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.
global.leaderElection.retryPeriod ~ string#
The duration the clients should wait between attempting acquisition and renewal of a leadership.
installCRDs ~ bool#
Default value:
false
This option is equivalent to setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead.
crds.enabled ~ bool#
Default value:
false
This option decides if the CRDs should be installed as part of the Helm installation.
crds.keep ~ bool#
Default value:
true
This option makes it so that the “helm.sh/resource-policy”: keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources (Certificates, Issuers, …) will be removed too by the garbage collector.
Controller#
replicaCount ~ number#
Default value:
1
The number of replicas of the cert-manager controller to run.
The default is 1, but in production set this to 2 or 3 to provide high availability.
If replicas > 1, consider setting podDisruptionBudget.enabled=true.
Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.
strategy ~ object#
Default value:
{}
Deployment update strategy for the cert-manager controller deployment. For more information, see the Kubernetes documentation.
For example:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
podDisruptionBudget.enabled ~ bool#
Default value:
false
Enable or disable the PodDisruptionBudget resource.
This prevents downtime during voluntary disruptions such as during a Node
upgrade. For example, the PodDisruptionBudget will block kubectl drain
if it is used on the Node where the only remaining cert-manager
Pod is currently running.
featureGates ~ string#
Default value:
""
A comma-separated list of feature gates that should be enabled on the controller pod.
maxConcurrentChallenges ~ number#
Default value:
60
The maximum number of challenges that can be scheduled as ‘processing’ at once.
image.registry ~ string#
The container registry to pull the manager image from.
image.repository ~ string#
Default value:
quay.io/jetstack/cert-manager-controller
The container image for the cert-manager controller.
image.tag ~ string#
Override the image tag to deploy by setting this variable. If no value is set, the chart’s appVersion is used.
image.digest ~ string#
Setting a digest will override any tag.
image.pullPolicy ~ string#
Default value:
IfNotPresent
Kubernetes imagePullPolicy on Deployment.
clusterResourceNamespace ~ string#
Default value:
""
Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart.
namespace ~ string#
Default value:
""
This namespace allows you to define where the services are installed into. If not set then they use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart).
serviceAccount.create ~ bool#
Default value:
true
Specifies whether a service account should be created.
serviceAccount.name ~ string#
The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
serviceAccount.annotations ~ object#
Optional additional annotations to add to the controller’s Service Account.
serviceAccount.labels ~ object#
Optional additional labels to add to the controller’s Service Account.
serviceAccount.automountServiceAccountToken ~ bool#
Default value:
true
Automount API credentials for a Service Account.
automountServiceAccountToken ~ bool#
Automounting API credentials for a particular pod.
enableCertificateOwnerRef ~ bool#
Default value:
false
When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted.
config ~ object#
Default value:
{}
This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here.
For example:
config:
apiVersion: controller.config.cert-manager.io/v1alpha1
kind: ControllerConfiguration
logging:
verbosity: 2
format: text
leaderElectionConfig:
namespace: kube-system
kubernetesAPIQPS: 9000
kubernetesAPIBurst: 9000
numberOfConcurrentWorkers: 200
featureGates:
AdditionalCertificateOutputFormats: true
DisallowInsecureCSRUsageDefinition: true
ExperimentalCertificateSigningRequestControllers: true
ExperimentalGatewayAPISupport: true
LiteralCertificateSubject: true
SecretsFilteredCaching: true
ServerSideApply: true
StableCertificateRequestName: true
UseCertificateRequestBasicConstraints: true
ValidateCAA: true
metricsTLSConfig:
dynamic:
secretNamespace: "cert-manager"
secretName: "cert-manager-metrics-ca"
dnsNames:
- cert-manager-metrics
- cert-manager-metrics.cert-manager
- cert-manager-metrics.cert-manager.svc
dns01RecursiveNameservers ~ string#
Default value:
""
A comma-separated string with the host and port of the recursive nameservers cert-manager should query.
dns01RecursiveNameserversOnly ~ bool#
Default value:
false
Forces cert-manager to use only the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.
disableAutoApproval ~ bool#
Default value:
false
Option to disable cert-manager’s build-in auto-approver. The auto-approver approves all CertificateRequests that reference issuers matching the ‘approveSignerNames’ option. This ‘disableAutoApproval’ option is useful when you want to make all approval decisions using a different approver (like approver-policy - cert-manager/approver-policy).
approveSignerNames ~ array#
Default value:
- issuers.cert-manager.io/* - clusterissuers.cert-manager.io/*
List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable ‘disableAutoApproval’. ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
extraArgs ~ array#
Default value:
[]
Additional command line flags to pass to cert-manager controller binary. To
see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help.
Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificiateRequests approver.
For example:
extraArgs:
- --controllers=*,-certificaterequests-approver
extraEnv ~ array#
Default value:
[]
Additional environment variables to pass to cert-manager controller binary.
resources ~ object#
Default value:
{}
Resources to provide to the cert-manager controller pod.
For example:
requests:
cpu: 10m
memory: 32Mi
For more information, see Resource Management for Pods and Containers.
securityContext ~ object#
Default value:
runAsNonRoot: true seccompProfile: type: RuntimeDefault
Pod Security Context. For more information, see Configure a Security Context for a Pod or Container.
containerSecurityContext ~ object#
Default value:
allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true
Container Security Context to be set on the controller component container. For more information, see Configure a Security Context for a Pod or Container.
volumes ~ array#
Default value:
[]
Additional volumes to add to the cert-manager controller pod.
volumeMounts ~ array#
Default value:
[]
Additional volume mounts to add to the cert-manager controller container.
deploymentAnnotations ~ object#
Optional additional annotations to add to the controller Deployment.
podAnnotations ~ object#
Optional additional annotations to add to the controller Pods.
podLabels ~ object#
Default value:
{}
Optional additional labels to add to the controller Pods.
serviceAnnotations ~ object#
Optional annotations to add to the controller Service.
serviceLabels ~ object#
Optional additional labels to add to the controller Service.
serviceIPFamilyPolicy ~ string#
Optionally set the IP family policy for the controller Service to configure dual-stack; see Configure dual-stack.
serviceIPFamilies ~ array#
Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
podDnsPolicy ~ string#
Pod DNS policy. For more information, see Pod’s DNS Policy.
podDnsConfig ~ object#
Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy settings. However, when a Pod’s dnsPolicy is set to “None”, the dnsConfig field has to be specified. For more information, see Pod’s DNS Config.
hostAliases ~ array#
Default value:
[]
Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks.
nodeSelector ~ object#
Default value:
kubernetes.io/os: linux
The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.
This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
ingressShim.defaultIssuerName ~ string#
Optional default issuer to use for ingress resources.
ingressShim.defaultIssuerKind ~ string#
Optional default issuer kind to use for ingress resources.
ingressShim.defaultIssuerGroup ~ string#
Optional default issuer group to use for ingress resources.
http_proxy ~ string#
Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
https_proxy ~ string#
Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
no_proxy ~ string#
Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.
affinity ~ object#
Default value:
{}
A Kubernetes Affinity, if required. For more information, see Affinity v1 core.
For example:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: foo.bar.com/role
operator: In
values:
- master
tolerations ~ array#
Default value:
[]
A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.
For example:
tolerations:
- key: foo.bar.com/role
operator: Equal
value: master
effect: NoSchedule
topologySpreadConstraints ~ array#
Default value:
[]
A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core
For example:
topologySpreadConstraints:
- maxSkew: 2
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
livenessProbe ~ object#
Default value:
enabled: true failureThreshold: 8 initialDelaySeconds: 10 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 15
LivenessProbe settings for the controller container of the controller Pod.
This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the Kubernetes GitHub repository
enableServiceLinks ~ bool#
Default value:
false
enableServiceLinks indicates whether information about services should be injected into the pod’s environment variables, matching the syntax of Docker links.
Prometheus#
prometheus.enabled ~ bool#
Default value:
true
Enable Prometheus monitoring for the cert-manager controller to use with the.
Prometheus Operator. If this option is enabled without enabling
prometheus.servicemonitor.enabled or
prometheus.podmonitor.enabled, ‘prometheus.io’ annotations are added to the cert-manager Deployment
resources. Additionally, a service is created which can be used together with
your own ServiceMonitor (managed outside of this Helm chart). Otherwise, a ServiceMonitor/ PodMonitor is created.
prometheus.servicemonitor.enabled ~ bool#
Default value:
false
Create a ServiceMonitor to add cert-manager to Prometheus.
prometheus.servicemonitor.prometheusInstance ~ string#
Default value:
default
Specifies the prometheus label on the created ServiceMonitor. This is used
when different Prometheus instances have label selectors matching different ServiceMonitors.
prometheus.servicemonitor.targetPort ~ number#
Default value:
9402
The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.
prometheus.servicemonitor.path ~ string#
Default value:
/metrics
The path to scrape for metrics.
prometheus.servicemonitor.interval ~ string#
Default value:
60s
The interval to scrape metrics.
prometheus.servicemonitor.scrapeTimeout ~ string#
Default value:
30s
The timeout before a metrics scrape fails.
prometheus.servicemonitor.labels ~ object#
Default value:
{}
Additional labels to add to the ServiceMonitor.
prometheus.servicemonitor.annotations ~ object#
Default value:
{}
Additional annotations to add to the ServiceMonitor.
prometheus.servicemonitor.honorLabels ~ bool#
Default value:
false
Keep labels from scraped data, overriding server-side labels.
prometheus.servicemonitor.endpointAdditionalProperties ~ object#
Default value:
{}
EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
For example:
endpointAdditionalProperties:
relabelings:
- action: replace
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: instance
prometheus.podmonitor.enabled ~ bool#
Default value:
false
Create a PodMonitor to add cert-manager to Prometheus.
prometheus.podmonitor.prometheusInstance ~ string#
Default value:
default
Specifies the prometheus label on the created PodMonitor. This is used when
different Prometheus instances have label selectors matching different PodMonitors.
prometheus.podmonitor.path ~ string#
Default value:
/metrics
The path to scrape for metrics.
prometheus.podmonitor.interval ~ string#
Default value:
60s
The interval to scrape metrics.
prometheus.podmonitor.scrapeTimeout ~ string#
Default value:
30s
The timeout before a metrics scrape fails.
prometheus.podmonitor.labels ~ object#
Default value:
{}
Additional labels to add to the PodMonitor.
prometheus.podmonitor.annotations ~ object#
Default value:
{}
Additional annotations to add to the PodMonitor.
prometheus.podmonitor.honorLabels ~ bool#
Default value:
false
Keep labels from scraped data, overriding server-side labels.
prometheus.podmonitor.endpointAdditionalProperties ~ object#
Default value:
{}
EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.
For example:
endpointAdditionalProperties:
relabelings:
- action: replace
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: instance
Webhook#
webhook.replicaCount ~ number#
Default value:
1
Number of replicas of the cert-manager webhook to run.
The default is 1, but in production set this to 2 or 3 to provide high availability.
If replicas > 1, consider setting webhook.podDisruptionBudget.enabled=true.
webhook.timeoutSeconds ~ number#
Default value:
30
The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see Validating webhook configuration v1.
The default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If this timeout is reached, the error message will be “context deadline exceeded”, which doesn’t help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.
webhook.config ~ object#
Default value:
{}
This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags. An APIVersion and Kind must be specified in your values.yaml file. Flags override options that are set here.
For example:
apiVersion: webhook.config.cert-manager.io/v1alpha1
kind: WebhookConfiguration
# The port that the webhook listens on for requests.
# In GKE private clusters, by default Kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. Configuring
# securePort: 10250 therefore will work out-of-the-box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.
# This should be uncommented and set as a default by the chart once
# the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
securePort: 10250
webhook.strategy ~ object#
Default value:
{}
The update strategy for the cert-manager webhook deployment. For more information, see the Kubernetes documentation
For example:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
webhook.securityContext ~ object#
Default value:
runAsNonRoot: true seccompProfile: type: RuntimeDefault
Pod Security Context to be set on the webhook component Pod. For more information, see Configure a Security Context for a Pod or Container.
webhook.containerSecurityContext ~ object#
Default value:
allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true
Container Security Context to be set on the webhook component container. For more information, see Configure a Security Context for a Pod or Container.
webhook.podDisruptionBudget.enabled ~ bool#
Default value:
false
Enable or disable the PodDisruptionBudget resource.
This prevents downtime during voluntary disruptions such as during a Node
upgrade. For example, the PodDisruptionBudget will block kubectl drain if it
is used on the Node where the only remaining cert-manager
Pod is currently running.
webhook.deploymentAnnotations ~ object#
Optional additional annotations to add to the webhook Deployment.
webhook.podAnnotations ~ object#
Optional additional annotations to add to the webhook Pods.
webhook.serviceAnnotations ~ object#
Optional additional annotations to add to the webhook Service.
webhook.mutatingWebhookConfigurationAnnotations ~ object#
Optional additional annotations to add to the webhook MutatingWebhookConfiguration.
webhook.validatingWebhookConfigurationAnnotations ~ object#
Optional additional annotations to add to the webhook ValidatingWebhookConfiguration.
webhook.validatingWebhookConfiguration.namespaceSelector ~ object#
Default value:
matchExpressions: - key: cert-manager.io/disable-validation operator: NotIn values: - "true"
Configure spec.namespaceSelector for validating webhooks.
webhook.mutatingWebhookConfiguration.namespaceSelector ~ object#
Default value:
{}
Configure spec.namespaceSelector for mutating webhooks.
webhook.extraArgs ~ array#
Default value:
[]
Additional command line flags to pass to cert-manager webhook binary. To see
all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help.
webhook.featureGates ~ string#
Default value:
""
Comma separated list of feature gates that should be enabled on the webhook pod.
webhook.resources ~ object#
Default value:
{}
Resources to provide to the cert-manager webhook pod.
For example:
requests:
cpu: 10m
memory: 32Mi
For more information, see Resource Management for Pods and Containers.
webhook.livenessProbe ~ object#
Default value:
failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1
Liveness probe values. For more information, see Container probes.
webhook.readinessProbe ~ object#
Default value:
failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1
Readiness probe values. For more information, see Container probes.
webhook.nodeSelector ~ object#
Default value:
kubernetes.io/os: linux
The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.
This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
webhook.affinity ~ object#
Default value:
{}
A Kubernetes Affinity, if required. For more information, see Affinity v1 core.
For example:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: foo.bar.com/role
operator: In
values:
- master
webhook.tolerations ~ array#
Default value:
[]
A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.
For example:
tolerations:
- key: foo.bar.com/role
operator: Equal
value: master
effect: NoSchedule
webhook.topologySpreadConstraints ~ array#
Default value:
[]
A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core.
For example:
topologySpreadConstraints:
- maxSkew: 2
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
webhook.podLabels ~ object#
Default value:
{}
Optional additional labels to add to the Webhook Pods.
webhook.serviceLabels ~ object#
Default value:
{}
Optional additional labels to add to the Webhook Service.
webhook.serviceIPFamilyPolicy ~ string#
Default value:
""
Optionally set the IP family policy for the controller Service to configure dual-stack; see Configure dual-stack.
webhook.serviceIPFamilies ~ array#
Default value:
[]
Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.
webhook.image.registry ~ string#
The container registry to pull the webhook image from.
webhook.image.repository ~ string#
Default value:
quay.io/jetstack/cert-manager-webhook
The container image for the cert-manager webhook
webhook.image.tag ~ string#
Override the image tag to deploy by setting this variable. If no value is set, the chart’s appVersion will be used.
webhook.image.digest ~ string#
Setting a digest will override any tag
webhook.image.pullPolicy ~ string#
Default value:
IfNotPresent
Kubernetes imagePullPolicy on Deployment.
webhook.serviceAccount.create ~ bool#
Default value:
true
Specifies whether a service account should be created.
webhook.serviceAccount.name ~ string#
The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
webhook.serviceAccount.annotations ~ object#
Optional additional annotations to add to the controller’s Service Account.
webhook.serviceAccount.labels ~ object#
Optional additional labels to add to the webhook’s Service Account.
webhook.serviceAccount.automountServiceAccountToken ~ bool#
Default value:
true
Automount API credentials for a Service Account.
webhook.automountServiceAccountToken ~ bool#
Automounting API credentials for a particular pod.
webhook.securePort ~ number#
Default value:
10250
The port that the webhook listens on for requests. In GKE private clusters, by default Kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. Configuring securePort: 10250, therefore will work out-of-the-box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
webhook.hostNetwork ~ bool#
Default value:
false
Specifies if the webhook should be started in hostNetwork mode.
Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods’ IP CIDR and admission webhooks are not working
Since the default port for the webhook conflicts with kubelet on the host
network, webhook.securePort should be changed to an available port if running in hostNetwork mode.
webhook.serviceType ~ string#
Default value:
ClusterIP
Specifies how the service should be handled. Useful if you want to expose the webhook outside of the cluster. In some cases, the control plane cannot reach internal services.
webhook.loadBalancerIP ~ string#
Specify the load balancer IP for the created service.
webhook.url ~ object#
Default value:
{}
Overrides the mutating webhook and validating webhook so they reach the
webhook service using the url field instead of a service.
webhook.networkPolicy.enabled ~ bool#
Default value:
false
Create network policies for the webhooks.
webhook.networkPolicy.ingress ~ array#
Default value:
- from: - ipBlock: cidr: 0.0.0.0/0
Ingress rule for the webhook network policy. By default, it allows all inbound traffic.
webhook.networkPolicy.egress ~ array#
Default value:
- ports: - port: 80 protocol: TCP - port: 443 protocol: TCP - port: 53 protocol: TCP - port: 53 protocol: UDP - port: 6443 protocol: TCP to: - ipBlock: cidr: 0.0.0.0/0
Egress rule for the webhook network policy. By default, it allows all outbound traffic to ports 80 and 443, as well as DNS ports.
webhook.volumes ~ array#
Default value:
[]
Additional volumes to add to the cert-manager controller pod.
webhook.volumeMounts ~ array#
Default value:
[]
Additional volume mounts to add to the cert-manager controller container.
webhook.enableServiceLinks ~ bool#
Default value:
false
enableServiceLinks indicates whether information about services should be injected into the pod’s environment variables, matching the syntax of Docker links.
CA Injector#
cainjector.enabled ~ bool#
Default value:
true
Create the CA Injector deployment
cainjector.replicaCount ~ number#
Default value:
1
The number of replicas of the cert-manager cainjector to run.
The default is 1, but in production set this to 2 or 3 to provide high availability.
If replicas > 1, consider setting cainjector.podDisruptionBudget.enabled=true.
Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.
cainjector.config ~ object#
Default value:
{}
This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags. An APIVersion and Kind must be specified in your values.yaml file. Flags override options that are set here.
For example:
apiVersion: cainjector.config.cert-manager.io/v1alpha1
kind: CAInjectorConfiguration
logging:
verbosity: 2
format: text
leaderElectionConfig:
namespace: kube-system
cainjector.strategy ~ object#
Default value:
{}
Deployment update strategy for the cert-manager cainjector deployment. For more information, see the Kubernetes documentation.
For example:
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 0
maxUnavailable: 1
cainjector.securityContext ~ object#
Default value:
runAsNonRoot: true seccompProfile: type: RuntimeDefault
Pod Security Context to be set on the cainjector component Pod. For more information, see Configure a Security Context for a Pod or Container.
cainjector.containerSecurityContext ~ object#
Default value:
allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true
Container Security Context to be set on the cainjector component container. For more information, see Configure a Security Context for a Pod or Container.
cainjector.podDisruptionBudget.enabled ~ bool#
Default value:
false
Enable or disable the PodDisruptionBudget resource.
This prevents downtime during voluntary disruptions such as during a Node
upgrade. For example, the PodDisruptionBudget will block kubectl drain if
it is used on the Node where the only remaining cert-manager
Pod is currently running.
cainjector.deploymentAnnotations ~ object#
Optional additional annotations to add to the cainjector Deployment.
cainjector.podAnnotations ~ object#
Optional additional annotations to add to the cainjector Pods.
cainjector.extraArgs ~ array#
Default value:
[]
Additional command line flags to pass to cert-manager cainjector binary. To
see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help.
cainjector.featureGates ~ string#
Default value:
""
Comma separated list of feature gates that should be enabled on the cainjector pod.
cainjector.resources ~ object#
Default value:
{}
Resources to provide to the cert-manager cainjector pod.
For example:
requests:
cpu: 10m
memory: 32Mi
For more information, see Resource Management for Pods and Containers.
cainjector.nodeSelector ~ object#
Default value:
kubernetes.io/os: linux
The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.
This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
cainjector.affinity ~ object#
Default value:
{}
A Kubernetes Affinity, if required. For more information, see Affinity v1 core.
For example:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: foo.bar.com/role
operator: In
values:
- master
cainjector.tolerations ~ array#
Default value:
[]
A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.
For example:
tolerations:
- key: foo.bar.com/role
operator: Equal
value: master
effect: NoSchedule
cainjector.topologySpreadConstraints ~ array#
Default value:
[]
A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core.
For example:
topologySpreadConstraints:
- maxSkew: 2
topologyKey: topology.kubernetes.io/zone
whenUnsatisfiable: ScheduleAnyway
labelSelector:
matchLabels:
app.kubernetes.io/instance: cert-manager
app.kubernetes.io/component: controller
cainjector.podLabels ~ object#
Default value:
{}
Optional additional labels to add to the CA Injector Pods.
cainjector.image.registry ~ string#
The container registry to pull the cainjector image from.
cainjector.image.repository ~ string#
Default value:
quay.io/jetstack/cert-manager-cainjector
The container image for the cert-manager cainjector
cainjector.image.tag ~ string#
Override the image tag to deploy by setting this variable. If no value is set, the chart’s appVersion will be used.
cainjector.image.digest ~ string#
Setting a digest will override any tag.
cainjector.image.pullPolicy ~ string#
Default value:
IfNotPresent
Kubernetes imagePullPolicy on Deployment.
cainjector.serviceAccount.create ~ bool#
Default value:
true
Specifies whether a service account should be created.
cainjector.serviceAccount.name ~ string#
The name of the service account to use. If not set and create is true, a name is generated using the fullname template
cainjector.serviceAccount.annotations ~ object#
Optional additional annotations to add to the controller’s Service Account.
cainjector.serviceAccount.labels ~ object#
Optional additional labels to add to the cainjector’s Service Account.
cainjector.serviceAccount.automountServiceAccountToken ~ bool#
Default value:
true
Automount API credentials for a Service Account.
cainjector.automountServiceAccountToken ~ bool#
Automounting API credentials for a particular pod.
cainjector.volumes ~ array#
Default value:
[]
Additional volumes to add to the cert-manager controller pod.
cainjector.volumeMounts ~ array#
Default value:
[]
Additional volume mounts to add to the cert-manager controller container.
cainjector.enableServiceLinks ~ bool#
Default value:
false
enableServiceLinks indicates whether information about services should be injected into the pod’s environment variables, matching the syntax of Docker links.
ACME Solver#
acmesolver.image.registry ~ string#
The container registry to pull the acmesolver image from.
acmesolver.image.repository ~ string#
Default value:
quay.io/jetstack/cert-manager-acmesolver
The container image for the cert-manager acmesolver.
acmesolver.image.tag ~ string#
Override the image tag to deploy by setting this variable. If no value is set, the chart’s appVersion is used.
acmesolver.image.digest ~ string#
Setting a digest will override any tag.
acmesolver.image.pullPolicy ~ string#
Default value:
IfNotPresent
Kubernetes imagePullPolicy on Deployment.
Startup API Check#
This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, ensure that they are not injected into this Job’s pod. Otherwise, the installation may time out owing to the Job never being completed because the sidecar proxy does not exit. For more information, see this note.
startupapicheck.enabled ~ bool#
Default value:
true
Enables the startup api check.
startupapicheck.securityContext ~ object#
Default value:
runAsNonRoot: true seccompProfile: type: RuntimeDefault
Pod Security Context to be set on the startupapicheck component Pod. For more information, see Configure a Security Context for a Pod or Container.
startupapicheck.containerSecurityContext ~ object#
Default value:
allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true
Container Security Context to be set on the controller component container. For more information, see Configure a Security Context for a Pod or Container.
startupapicheck.timeout ~ string#
Default value:
1m
Timeout for ‘kubectl check api’ command.
startupapicheck.backoffLimit ~ number#
Default value:
4
Job backoffLimit
startupapicheck.jobAnnotations ~ object#
Default value:
helm.sh/hook: post-install helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded helm.sh/hook-weight: "1"
Optional additional annotations to add to the startupapicheck Job.
startupapicheck.podAnnotations ~ object#
Optional additional annotations to add to the startupapicheck Pods.
startupapicheck.extraArgs ~ array#
Default value:
- -v
Additional command line flags to pass to startupapicheck binary. To see all
available flags run docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help.
Verbose logging is enabled by default so that if startupapicheck fails, you can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example.
startupapicheck.resources ~ object#
Default value:
{}
Resources to provide to the cert-manager controller pod.
For example:
requests:
cpu: 10m
memory: 32Mi
For more information, see Resource Management for Pods and Containers.
startupapicheck.nodeSelector ~ object#
Default value:
kubernetes.io/os: linux
The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.
This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
startupapicheck.affinity ~ object#
Default value:
{}
A Kubernetes Affinity, if required. For more information, see Affinity v1 core. For example:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: foo.bar.com/role
operator: In
values:
- master
startupapicheck.tolerations ~ array#
Default value:
[]
A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.
For example:
tolerations:
- key: foo.bar.com/role
operator: Equal
value: master
effect: NoSchedule
startupapicheck.podLabels ~ object#
Default value:
{}
Optional additional labels to add to the startupapicheck Pods.
startupapicheck.image.registry ~ string#
The container registry to pull the startupapicheck image from.
startupapicheck.image.repository ~ string#
Default value:
quay.io/jetstack/cert-manager-startupapicheck
The container image for the cert-manager startupapicheck.
startupapicheck.image.tag ~ string#
Override the image tag to deploy by setting this variable. If no value is set, the chart’s appVersion is used.
startupapicheck.image.digest ~ string#
Setting a digest will override any tag.
startupapicheck.image.pullPolicy ~ string#
Default value:
IfNotPresent
Kubernetes imagePullPolicy on Deployment.
startupapicheck.rbac.annotations ~ object#
Default value:
helm.sh/hook: post-install helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded helm.sh/hook-weight: "-5"
annotations for the startup API Check job RBAC and PSP resources.
startupapicheck.automountServiceAccountToken ~ bool#
Automounting API credentials for a particular pod.
startupapicheck.serviceAccount.create ~ bool#
Default value:
true
Specifies whether a service account should be created.
startupapicheck.serviceAccount.name ~ string#
The name of the service account to use. If not set and create is true, a name is generated using the fullname template.
startupapicheck.serviceAccount.annotations ~ object#
Default value:
helm.sh/hook: post-install helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded helm.sh/hook-weight: "-5"
Optional additional annotations to add to the Job’s Service Account.
startupapicheck.serviceAccount.automountServiceAccountToken ~ bool#
Default value:
true
Automount API credentials for a Service Account.
startupapicheck.serviceAccount.labels ~ object#
Optional additional labels to add to the startupapicheck’s Service Account.
startupapicheck.volumes ~ array#
Default value:
[]
Additional volumes to add to the cert-manager controller pod.
startupapicheck.volumeMounts ~ array#
Default value:
[]
Additional volume mounts to add to the cert-manager controller container.
startupapicheck.enableServiceLinks ~ bool#
Default value:
false
enableServiceLinks indicates whether information about services should be injected into pod’s environment variables, matching the syntax of Docker links.
extraObjects ~ array#
Default value:
[]
Create dynamic manifests via values.
For example:
extraObjects:
- |
apiVersion: v1
kind: ConfigMap
metadata:
name: '{{ template "cert-manager.name" . }}-extra-configmap'
Default Security Contexts#
The default pod-level and container-level security contexts, below, adhere to the restricted Pod Security Standards policies.
Default pod-level securityContext:
runAsNonRoot: true
seccompProfile:
type: RuntimeDefault
Default containerSecurityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
Assigning Values#
Specify each parameter using the --set key=value[,key=value] argument to helm install.
Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
helm install my-release -f values.yaml .
Tip: You can use the default values.yaml
Contributing#
This chart is maintained at github.com/cert-manager/cert-manager.