global: # Labels to apply to all resources # Please note that this does not add labels to the resources created dynamically by the controllers. # For these resources, you have to add the labels in the template in the cert-manager custom resource: # eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress # ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress # eg. secretTemplate in CertificateSpec # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec commonLabels: {} # team_name: dev # Optional priority class to be used for the cert-manager pods priorityClassName: "" rbac: create: true # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles aggregateClusterRoles: true podSecurityPolicy: enabled: false useAppArmor: true # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. logLevel: 2 installCRDs: true replicaCount: 1 strategy: type: RollingUpdate rollingUpdate: maxSurge: 0 maxUnavailable: 1 # Comma separated list of feature gates that should be enabled on the # controller pod & webhook pod. featureGates: "" image: repository: quay.io/jetstack/cert-manager-controller # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} # Automount API credentials for a Service Account. # Optional additional labels to add to the controller's ServiceAccount # labels: {} automountServiceAccountToken: true # Automounting API credentials for a particular pod # automountServiceAccountToken: true # Additional command line flags to pass to cert-manager controller binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help extraArgs: [] # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted # - --enable-certificate-owner-ref=true # Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver # - --controllers=*,-certificaterequests-approver extraEnv: [] # - name: SOME_VAR # value: 'some value' resources: {} # requests: # cpu: 10m # memory: 32Mi # Pod Security Context # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault # Container Security Context to be set on the controller component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL readOnlyRootFilesystem: true runAsNonRoot: true # Optional DNS settings, useful if you have a public and private DNS zone for # the same domain on Route 53. What follows is an example of ensuring # cert-manager can access an ingress or DNS TXT records at all times. # NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for # the cluster to work. # podDnsPolicy: "None" podDnsConfig: nameservers: - "192.168.1.53" - "192.168.1.1" prometheus: enabled: true servicemonitor: enabled: false prometheusInstance: default targetPort: 9402 path: /metrics interval: 60s scrapeTimeout: 30s labels: {} annotations: {} honorLabels: false # Use these variables to configure the HTTP_PROXY environment variables # http_proxy: "http://proxy:8080" # https_proxy: "https://proxy:8080" # no_proxy: 127.0.0.1,localhost webhook: replicaCount: 1 timeoutSeconds: 10 # Used to configure options for the webhook pod. # This allows setting options that'd usually be provided via flags. # An APIVersion and Kind must be specified in your values.yaml file. # Flags will override options that are set here. config: # apiVersion: webhook.config.cert-manager.io/v1alpha1 # kind: WebhookConfiguration # The port that the webhook should listen on for requests. # In GKE private clusters, by default kubernetes apiservers are allowed to # talk to the cluster nodes only on 443 and 10250. so configuring # securePort: 10250, will work out of the box without needing to add firewall # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000. # This should be uncommented and set as a default by the chart once we graduate # the apiVersion of WebhookConfiguration past v1alpha1. # securePort: 10250 strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 # maxUnavailable: 1 # Pod Security Context to be set on the webhook component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault # Container Security Context to be set on the webhook component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # Optional additional annotations to add to the webhook Deployment # deploymentAnnotations: {} # Optional additional annotations to add to the webhook Pods # podAnnotations: {} # Optional additional annotations to add to the webhook Service # serviceAnnotations: {} # Optional additional annotations to add to the webhook MutatingWebhookConfiguration # mutatingWebhookConfigurationAnnotations: {} # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration # validatingWebhookConfigurationAnnotations: {} # Additional command line flags to pass to cert-manager webhook binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help extraArgs: [] # Path to a file containing a WebhookConfiguration object used to configure the webhook # - --config= resources: {} # requests: # cpu: 10m # memory: 32Mi ## Liveness and readiness probe values ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes ## livenessProbe: failureThreshold: 3 initialDelaySeconds: 60 periodSeconds: 10 successThreshold: 1 timeoutSeconds: 1 readinessProbe: failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 5 successThreshold: 1 timeoutSeconds: 1 nodeSelector: kubernetes.io/os: linux affinity: {} tolerations: [] topologySpreadConstraints: [] # Optional additional labels to add to the Webhook Pods podLabels: {} # Optional additional labels to add to the Webhook Service serviceLabels: {} image: repository: quay.io/jetstack/cert-manager-webhook # You can manage a registry with # registry: quay.io # repository: jetstack/cert-manager-webhook # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary # Setting a digest will override any tag # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} # Optional additional labels to add to the webhook's ServiceAccount # labels: {} # Automount API credentials for a Service Account. automountServiceAccountToken: true # Automounting API credentials for a particular pod # automountServiceAccountToken: true # The port that the webhook should listen on for requests. # In GKE private clusters, by default kubernetes apiservers are allowed to # talk to the cluster nodes only on 443 and 10250. so configuring # securePort: 10250, will work out of the box without needing to add firewall # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 securePort: 10250 # Specifies if the webhook should be started in hostNetwork mode. # # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom # CNI (such as calico), because control-plane managed by AWS cannot communicate # with pods' IP CIDR and admission webhooks are not working # # Since the default port for the webhook conflicts with kubelet on the host # network, `webhook.securePort` should be changed to an available port if # running in hostNetwork mode. hostNetwork: false # Specifies how the service should be handled. Useful if you want to expose the # webhook to outside of the cluster. In some cases, the control plane cannot # reach internal services. serviceType: ClusterIP # loadBalancerIP: # Overrides the mutating webhook and validating webhook so they reach the webhook # service using the `url` field instead of a service. url: {} # host: # Enables default network policies for webhooks. networkPolicy: enabled: false ingress: - from: - ipBlock: cidr: 0.0.0.0/0 egress: - ports: - port: 80 protocol: TCP - port: 443 protocol: TCP - port: 53 protocol: TCP - port: 53 protocol: UDP to: - ipBlock: cidr: 0.0.0.0/0 cainjector: enabled: true replicaCount: 1 strategy: {} # type: RollingUpdate # rollingUpdate: # maxSurge: 0 # maxUnavailable: 1 # Pod Security Context to be set on the cainjector component Pod # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ securityContext: runAsNonRoot: true seccompProfile: type: RuntimeDefault # Container Security Context to be set on the cainjector component container # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ containerSecurityContext: allowPrivilegeEscalation: false capabilities: drop: - ALL # readOnlyRootFilesystem: true # runAsNonRoot: true # Optional additional annotations to add to the cainjector Deployment # deploymentAnnotations: {} # Optional additional annotations to add to the cainjector Pods # podAnnotations: {} # Additional command line flags to pass to cert-manager cainjector binary. # To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help extraArgs: [] # Enable profiling for cainjector # - --enable-profiling=true resources: {} # requests: # cpu: 10m # memory: 32Mi nodeSelector: kubernetes.io/os: linux affinity: {} tolerations: [] topologySpreadConstraints: [] # Optional additional labels to add to the CA Injector Pods podLabels: {} image: repository: quay.io/jetstack/cert-manager-cainjector # You can manage a registry with # registry: quay.io # repository: jetstack/cert-manager-cainjector # Override the image tag to deploy by setting this variable. # If no value is set, the chart's appVersion will be used. # tag: canary # Setting a digest will override any tag # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 pullPolicy: IfNotPresent serviceAccount: # Specifies whether a service account should be created create: true # The name of the service account to use. # If not set and create is true, a name is generated using the fullname template # name: "" # Optional additional annotations to add to the controller's ServiceAccount # annotations: {} # Automount API credentials for a Service Account. # Optional additional labels to add to the cainjector's ServiceAccount # labels: {} automountServiceAccountToken: true # Automounting API credentials for a particular pod # automountServiceAccountToken: true