2022-11-21 20:47:48 +00:00
|
|
|
global:
|
|
|
|
# Labels to apply to all resources
|
|
|
|
# Please note that this does not add labels to the resources created dynamically by the controllers.
|
|
|
|
# For these resources, you have to add the labels in the template in the cert-manager custom resource:
|
|
|
|
# eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress
|
|
|
|
# ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress
|
|
|
|
# eg. secretTemplate in CertificateSpec
|
|
|
|
# ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec
|
|
|
|
commonLabels: {}
|
|
|
|
# team_name: dev
|
|
|
|
|
|
|
|
# Optional priority class to be used for the cert-manager pods
|
|
|
|
priorityClassName: ""
|
|
|
|
rbac:
|
|
|
|
create: true
|
|
|
|
# Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles
|
|
|
|
aggregateClusterRoles: true
|
|
|
|
|
|
|
|
podSecurityPolicy:
|
|
|
|
enabled: false
|
|
|
|
useAppArmor: true
|
|
|
|
|
|
|
|
# Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
|
|
|
|
logLevel: 2
|
|
|
|
|
2024-09-29 15:27:02 +00:00
|
|
|
leaderElection:
|
|
|
|
namespace: "cert-manager"
|
|
|
|
|
|
|
|
crds:
|
|
|
|
enabled: true
|
|
|
|
|
|
|
|
|
2022-11-21 20:47:48 +00:00
|
|
|
replicaCount: 1
|
|
|
|
|
|
|
|
strategy:
|
|
|
|
type: RollingUpdate
|
|
|
|
rollingUpdate:
|
|
|
|
maxSurge: 0
|
|
|
|
maxUnavailable: 1
|
|
|
|
|
|
|
|
# Comma separated list of feature gates that should be enabled on the
|
|
|
|
# controller pod & webhook pod.
|
|
|
|
featureGates: ""
|
|
|
|
|
|
|
|
image:
|
|
|
|
repository: quay.io/jetstack/cert-manager-controller
|
|
|
|
# Override the image tag to deploy by setting this variable.
|
|
|
|
# If no value is set, the chart's appVersion will be used.
|
|
|
|
# tag: canary
|
|
|
|
pullPolicy: IfNotPresent
|
|
|
|
|
|
|
|
serviceAccount:
|
|
|
|
# Specifies whether a service account should be created
|
|
|
|
create: true
|
|
|
|
# The name of the service account to use.
|
|
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
|
|
# name: ""
|
|
|
|
# Optional additional annotations to add to the controller's ServiceAccount
|
|
|
|
# annotations: {}
|
|
|
|
# Automount API credentials for a Service Account.
|
|
|
|
# Optional additional labels to add to the controller's ServiceAccount
|
|
|
|
# labels: {}
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
|
|
|
|
# Automounting API credentials for a particular pod
|
|
|
|
# automountServiceAccountToken: true
|
|
|
|
|
|
|
|
# Additional command line flags to pass to cert-manager controller binary.
|
|
|
|
# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
|
|
|
|
extraArgs: []
|
|
|
|
# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
|
|
|
# - --enable-certificate-owner-ref=true
|
|
|
|
# Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
|
|
|
|
# - --controllers=*,-certificaterequests-approver
|
|
|
|
|
|
|
|
extraEnv: []
|
|
|
|
# - name: SOME_VAR
|
|
|
|
# value: 'some value'
|
|
|
|
|
|
|
|
resources: {}
|
|
|
|
# requests:
|
|
|
|
# cpu: 10m
|
|
|
|
# memory: 32Mi
|
|
|
|
|
|
|
|
# Pod Security Context
|
|
|
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
|
securityContext:
|
|
|
|
runAsNonRoot: true
|
|
|
|
seccompProfile:
|
|
|
|
type: RuntimeDefault
|
|
|
|
|
|
|
|
# Container Security Context to be set on the controller component container
|
|
|
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
|
containerSecurityContext:
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
capabilities:
|
|
|
|
drop:
|
|
|
|
- ALL
|
|
|
|
readOnlyRootFilesystem: true
|
|
|
|
runAsNonRoot: true
|
|
|
|
|
|
|
|
# Optional DNS settings, useful if you have a public and private DNS zone for
|
|
|
|
# the same domain on Route 53. What follows is an example of ensuring
|
|
|
|
# cert-manager can access an ingress or DNS TXT records at all times.
|
|
|
|
# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
|
|
|
|
# the cluster to work.
|
|
|
|
# podDnsPolicy: "None"
|
|
|
|
podDnsConfig:
|
|
|
|
nameservers:
|
2022-11-22 07:31:33 +00:00
|
|
|
- "192.168.1.53"
|
2022-11-21 20:47:48 +00:00
|
|
|
- "192.168.1.1"
|
|
|
|
|
|
|
|
prometheus:
|
|
|
|
enabled: true
|
|
|
|
servicemonitor:
|
|
|
|
enabled: false
|
|
|
|
prometheusInstance: default
|
|
|
|
targetPort: 9402
|
|
|
|
path: /metrics
|
|
|
|
interval: 60s
|
|
|
|
scrapeTimeout: 30s
|
|
|
|
labels: {}
|
|
|
|
annotations: {}
|
|
|
|
honorLabels: false
|
|
|
|
|
|
|
|
# Use these variables to configure the HTTP_PROXY environment variables
|
|
|
|
# http_proxy: "http://proxy:8080"
|
|
|
|
# https_proxy: "https://proxy:8080"
|
|
|
|
# no_proxy: 127.0.0.1,localhost
|
|
|
|
|
|
|
|
webhook:
|
|
|
|
replicaCount: 1
|
|
|
|
timeoutSeconds: 10
|
|
|
|
|
|
|
|
# Used to configure options for the webhook pod.
|
|
|
|
# This allows setting options that'd usually be provided via flags.
|
|
|
|
# An APIVersion and Kind must be specified in your values.yaml file.
|
|
|
|
# Flags will override options that are set here.
|
|
|
|
config:
|
|
|
|
# apiVersion: webhook.config.cert-manager.io/v1alpha1
|
|
|
|
# kind: WebhookConfiguration
|
|
|
|
|
|
|
|
# The port that the webhook should listen on for requests.
|
|
|
|
# In GKE private clusters, by default kubernetes apiservers are allowed to
|
|
|
|
# talk to the cluster nodes only on 443 and 10250. so configuring
|
|
|
|
# securePort: 10250, will work out of the box without needing to add firewall
|
|
|
|
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
|
|
|
|
# This should be uncommented and set as a default by the chart once we graduate
|
|
|
|
# the apiVersion of WebhookConfiguration past v1alpha1.
|
|
|
|
# securePort: 10250
|
|
|
|
|
|
|
|
strategy: {}
|
|
|
|
# type: RollingUpdate
|
|
|
|
# rollingUpdate:
|
|
|
|
# maxSurge: 0
|
|
|
|
# maxUnavailable: 1
|
|
|
|
|
|
|
|
# Pod Security Context to be set on the webhook component Pod
|
|
|
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
|
securityContext:
|
|
|
|
runAsNonRoot: true
|
|
|
|
seccompProfile:
|
|
|
|
type: RuntimeDefault
|
|
|
|
|
|
|
|
# Container Security Context to be set on the webhook component container
|
|
|
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
|
containerSecurityContext:
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
capabilities:
|
|
|
|
drop:
|
|
|
|
- ALL
|
|
|
|
# readOnlyRootFilesystem: true
|
|
|
|
# runAsNonRoot: true
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the webhook Deployment
|
|
|
|
# deploymentAnnotations: {}
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the webhook Pods
|
|
|
|
# podAnnotations: {}
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the webhook Service
|
|
|
|
# serviceAnnotations: {}
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the webhook MutatingWebhookConfiguration
|
|
|
|
# mutatingWebhookConfigurationAnnotations: {}
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
|
|
|
|
# validatingWebhookConfigurationAnnotations: {}
|
|
|
|
|
|
|
|
# Additional command line flags to pass to cert-manager webhook binary.
|
|
|
|
# To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
|
|
|
|
extraArgs: []
|
|
|
|
# Path to a file containing a WebhookConfiguration object used to configure the webhook
|
|
|
|
# - --config=<path-to-config-file>
|
|
|
|
|
|
|
|
resources: {}
|
|
|
|
# requests:
|
|
|
|
# cpu: 10m
|
|
|
|
# memory: 32Mi
|
|
|
|
|
|
|
|
## Liveness and readiness probe values
|
|
|
|
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
|
|
|
|
##
|
|
|
|
livenessProbe:
|
|
|
|
failureThreshold: 3
|
|
|
|
initialDelaySeconds: 60
|
|
|
|
periodSeconds: 10
|
|
|
|
successThreshold: 1
|
|
|
|
timeoutSeconds: 1
|
|
|
|
readinessProbe:
|
|
|
|
failureThreshold: 3
|
|
|
|
initialDelaySeconds: 5
|
|
|
|
periodSeconds: 5
|
|
|
|
successThreshold: 1
|
|
|
|
timeoutSeconds: 1
|
|
|
|
|
|
|
|
nodeSelector:
|
|
|
|
kubernetes.io/os: linux
|
|
|
|
|
|
|
|
affinity: {}
|
|
|
|
|
|
|
|
tolerations: []
|
|
|
|
|
|
|
|
topologySpreadConstraints: []
|
|
|
|
|
|
|
|
# Optional additional labels to add to the Webhook Pods
|
|
|
|
podLabels: {}
|
|
|
|
|
|
|
|
# Optional additional labels to add to the Webhook Service
|
|
|
|
serviceLabels: {}
|
|
|
|
|
|
|
|
image:
|
|
|
|
repository: quay.io/jetstack/cert-manager-webhook
|
|
|
|
# You can manage a registry with
|
|
|
|
# registry: quay.io
|
|
|
|
# repository: jetstack/cert-manager-webhook
|
|
|
|
|
|
|
|
# Override the image tag to deploy by setting this variable.
|
|
|
|
# If no value is set, the chart's appVersion will be used.
|
|
|
|
# tag: canary
|
|
|
|
|
|
|
|
# Setting a digest will override any tag
|
|
|
|
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
|
|
|
|
|
|
|
pullPolicy: IfNotPresent
|
|
|
|
|
|
|
|
serviceAccount:
|
|
|
|
# Specifies whether a service account should be created
|
|
|
|
create: true
|
|
|
|
# The name of the service account to use.
|
|
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
|
|
# name: ""
|
|
|
|
# Optional additional annotations to add to the controller's ServiceAccount
|
|
|
|
# annotations: {}
|
|
|
|
# Optional additional labels to add to the webhook's ServiceAccount
|
|
|
|
# labels: {}
|
|
|
|
# Automount API credentials for a Service Account.
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
|
|
|
|
# Automounting API credentials for a particular pod
|
|
|
|
# automountServiceAccountToken: true
|
|
|
|
|
|
|
|
# The port that the webhook should listen on for requests.
|
|
|
|
# In GKE private clusters, by default kubernetes apiservers are allowed to
|
|
|
|
# talk to the cluster nodes only on 443 and 10250. so configuring
|
|
|
|
# securePort: 10250, will work out of the box without needing to add firewall
|
|
|
|
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
|
|
|
|
securePort: 10250
|
|
|
|
|
|
|
|
# Specifies if the webhook should be started in hostNetwork mode.
|
|
|
|
#
|
|
|
|
# Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
|
|
|
|
# CNI (such as calico), because control-plane managed by AWS cannot communicate
|
|
|
|
# with pods' IP CIDR and admission webhooks are not working
|
|
|
|
#
|
|
|
|
# Since the default port for the webhook conflicts with kubelet on the host
|
|
|
|
# network, `webhook.securePort` should be changed to an available port if
|
|
|
|
# running in hostNetwork mode.
|
|
|
|
hostNetwork: false
|
|
|
|
|
|
|
|
# Specifies how the service should be handled. Useful if you want to expose the
|
|
|
|
# webhook to outside of the cluster. In some cases, the control plane cannot
|
|
|
|
# reach internal services.
|
|
|
|
serviceType: ClusterIP
|
|
|
|
# loadBalancerIP:
|
|
|
|
|
|
|
|
# Overrides the mutating webhook and validating webhook so they reach the webhook
|
|
|
|
# service using the `url` field instead of a service.
|
|
|
|
url: {}
|
|
|
|
# host:
|
|
|
|
|
|
|
|
# Enables default network policies for webhooks.
|
|
|
|
networkPolicy:
|
|
|
|
enabled: false
|
|
|
|
ingress:
|
|
|
|
- from:
|
|
|
|
- ipBlock:
|
|
|
|
cidr: 0.0.0.0/0
|
|
|
|
egress:
|
|
|
|
- ports:
|
|
|
|
- port: 80
|
|
|
|
protocol: TCP
|
|
|
|
- port: 443
|
|
|
|
protocol: TCP
|
|
|
|
- port: 53
|
|
|
|
protocol: TCP
|
|
|
|
- port: 53
|
|
|
|
protocol: UDP
|
|
|
|
to:
|
|
|
|
- ipBlock:
|
|
|
|
cidr: 0.0.0.0/0
|
|
|
|
|
|
|
|
cainjector:
|
|
|
|
enabled: true
|
|
|
|
replicaCount: 1
|
|
|
|
|
|
|
|
strategy: {}
|
|
|
|
# type: RollingUpdate
|
|
|
|
# rollingUpdate:
|
|
|
|
# maxSurge: 0
|
|
|
|
# maxUnavailable: 1
|
|
|
|
|
|
|
|
# Pod Security Context to be set on the cainjector component Pod
|
|
|
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
|
securityContext:
|
|
|
|
runAsNonRoot: true
|
|
|
|
seccompProfile:
|
|
|
|
type: RuntimeDefault
|
|
|
|
|
|
|
|
# Container Security Context to be set on the cainjector component container
|
|
|
|
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
|
containerSecurityContext:
|
|
|
|
allowPrivilegeEscalation: false
|
|
|
|
capabilities:
|
|
|
|
drop:
|
|
|
|
- ALL
|
|
|
|
# readOnlyRootFilesystem: true
|
|
|
|
# runAsNonRoot: true
|
|
|
|
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the cainjector Deployment
|
|
|
|
# deploymentAnnotations: {}
|
|
|
|
|
|
|
|
# Optional additional annotations to add to the cainjector Pods
|
|
|
|
# podAnnotations: {}
|
|
|
|
|
|
|
|
# Additional command line flags to pass to cert-manager cainjector binary.
|
|
|
|
# To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
|
|
|
|
extraArgs: []
|
|
|
|
# Enable profiling for cainjector
|
|
|
|
# - --enable-profiling=true
|
|
|
|
|
|
|
|
resources: {}
|
|
|
|
# requests:
|
|
|
|
# cpu: 10m
|
|
|
|
# memory: 32Mi
|
|
|
|
|
|
|
|
nodeSelector:
|
|
|
|
kubernetes.io/os: linux
|
|
|
|
|
|
|
|
affinity: {}
|
|
|
|
|
|
|
|
tolerations: []
|
|
|
|
|
|
|
|
topologySpreadConstraints: []
|
|
|
|
|
|
|
|
# Optional additional labels to add to the CA Injector Pods
|
|
|
|
podLabels: {}
|
|
|
|
|
|
|
|
image:
|
|
|
|
repository: quay.io/jetstack/cert-manager-cainjector
|
|
|
|
# You can manage a registry with
|
|
|
|
# registry: quay.io
|
|
|
|
# repository: jetstack/cert-manager-cainjector
|
|
|
|
|
|
|
|
# Override the image tag to deploy by setting this variable.
|
|
|
|
# If no value is set, the chart's appVersion will be used.
|
|
|
|
# tag: canary
|
|
|
|
|
|
|
|
# Setting a digest will override any tag
|
|
|
|
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
|
|
|
|
|
|
|
pullPolicy: IfNotPresent
|
|
|
|
|
|
|
|
serviceAccount:
|
|
|
|
# Specifies whether a service account should be created
|
|
|
|
create: true
|
|
|
|
# The name of the service account to use.
|
|
|
|
# If not set and create is true, a name is generated using the fullname template
|
|
|
|
# name: ""
|
|
|
|
# Optional additional annotations to add to the controller's ServiceAccount
|
|
|
|
# annotations: {}
|
|
|
|
# Automount API credentials for a Service Account.
|
|
|
|
# Optional additional labels to add to the cainjector's ServiceAccount
|
|
|
|
# labels: {}
|
|
|
|
automountServiceAccountToken: true
|
|
|
|
|
|
|
|
# Automounting API credentials for a particular pod
|
|
|
|
# automountServiceAccountToken: true
|