
Distributed Issuer Helm values

fullnameOverride

Property fullnameOverride
Type string
Default ""

Override the distributed-issuer.fullname value. This value is used as part of most of the names of the resources created by this Helm chart.

nameOverride

Property nameOverride
Type string
Default ""

Override the distributed-issuer.name value, which is used to annotate some of the resources that are created by this Chart (using app.kubernetes.io/name).

CRDs

The CRDs installed by this chart are annotated with helm.sh/resource-policy: keep. This prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to remove the remaining CRDs manually.

crds.forceRemoveValidationAnnotations

Property crds.forceRemoveValidationAnnotations
Type bool
Default false

The x-kubernetes-validations annotation is not supported in Kubernetes 1.22 or earlier. This annotation is used by CEL, a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option forces the 'x-kubernetes-validations' annotation to be excluded from the CRDs, even on Kubernetes 1.25+ clusters.

Venafi Connection

venafiConnection.include

Property venafiConnection.include
Type bool
Default false

When set to false, the rendered output does not contain the VenafiConnection CRD and RBAC. This is useful when the VenafiConnection CRD is already installed separately. When true, you must set both deployment.config.bootstrap.tpp.connection.create: false and deployment.config.bootstrap.ngts.connection.create: false, because you cannot install the VenafiConnection CRD and a VenafiConnection resource in the same chart.

venafiConnection.serviceAccountNamespace

Property venafiConnection.serviceAccountNamespace
Type string
Default ""

The namespace in which the venafi-connection service account lives. This is the service account used to create JWT tokens for service accounts or to read credential Secrets. Defaults to the namespace in which the controller is running.

imageRegistry

Property imageRegistry
Type string
Default registry.ngts.paloaltonetworks.com

The container registry used for distributed-issuer images by default. This can include path prefixes (e.g. artifactory.example.com/docker).

imageNamespace

Property imageNamespace
Type string
Default distributed-issuer

The repository namespace used for distributed-issuer images by default, for example venafi-images or custom-team.

image.repository

Property image.repository
Type string
Default ""

Full repository override (takes precedence over imageRegistry, imageNamespace, and image.name). For example, registry.ngts.paloaltonetworks.com/distributed-issuer/distributed-issuer.

image.name

Property image.name
Type string
Default distributed-issuer

The image name for distributed-issuer. This is used (together with imageRegistry and imageNamespace) to construct the full image reference.

image.tag

Property image.tag
Type string
Default ""

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest

Property image.digest
Type string
Default ""

Setting a digest pins the image. If a tag is also set, the rendered reference will include both image:tag@digest, though only the digest will be used for pulling.

image.pullPolicy

Property image.pullPolicy
Type string
Default IfNotPresent

Override the image pullPolicy.
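The image fields above compose a single image reference, and image.digest is the one that makes the pull content-addressed. The following values fragment is an added example, not the chart's own values.yaml: the registry host and the digest are placeholders, and the registry mirror is assumed to exist. It pins the controller image by digest so that a retagged image in the registry cannot change what the cluster runs.

```yaml
# Added example (not from the chart). Registry host and digest are placeholders.
imageRegistry: artifactory.example.com/docker   # assumed private mirror with a path prefix
imageNamespace: distributed-issuer
image:
  repository: ""          # left empty so registry + namespace + name are composed
  name: distributed-issuer
  tag: ""                 # optional; the chart's appVersion is used when empty
  # Placeholder: replace with the digest of the image you verified.
  # With a digest set, only the digest is used for pulling, whatever the tag resolves to.
  digest: "sha256:<digest-of-the-verified-image>"
  pullPolicy: IfNotPresent
```

Because a digest is immutable, IfNotPresent is safe here: a cached image that matches the digest is by definition the image that was verified.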

deployment.enabled

Property deployment.enabled
Type bool
Default true

Toggle for running the Distributed Issuer controller inside the Kubernetes cluster as an in-cluster Certificate Authority (CA).

deployment.config.bootstrap.selfSigned.enabled

Property deployment.config.bootstrap.selfSigned.enabled
Type bool
Default false

Set to true to bootstrap using a self-signed certificate.

deployment.config.bootstrap.selfSigned.csr.commonName

Property deployment.config.bootstrap.selfSigned.csr.commonName
Type string
Default ""

Set the common name of the self-signed certificate.

deployment.config.bootstrap.tpp.enabled

Property deployment.config.bootstrap.tpp.enabled
Type bool
Default false

Set to true to bootstrap from a TPP server.

deployment.config.bootstrap.tpp.configurationDN

Property deployment.config.bootstrap.tpp.configurationDN
Type string
Default ""

The DN of the Distributed Issuer configuration on the TPP server.
For example:
\VED\Policy\us-west-1\service-mesh\distributed-issuer

deployment.config.bootstrap.tpp.connection.create

Property deployment.config.bootstrap.tpp.connection.create
Type bool
Default false

When set to true, the rendered output will include a VenafiConnection resource and some associated RBAC. These will be installed in the same namespace as Distributed Issuer. This is useful when the VenafiConnection CRDs have already been installed by another Venafi component. When true, you must set venafiConnection.include: false because the VenafiConnection CRD cannot be installed in the same Helm chart as a VenafiConnection resource. When true, you must also supply url, and one of: usernamePassword.enabled: true or serviceAccountToken.enabled: true. When false, you only need to fill in the name field. In this case you must manually create the VenafiConnection with the given name and associated RBAC.

deployment.config.bootstrap.tpp.connection.name

Property deployment.config.bootstrap.tpp.connection.name
Type string
Default ""

The name of a VenafiConnection resource in the same namespace as Distributed Issuer. If create: true this name can be omitted and by default the chart name will be used. If create: false this name is a required field and you are responsible for creating the VenafiConnection resource and the associated RBAC.

deployment.config.bootstrap.tpp.connection.url

Property deployment.config.bootstrap.tpp.connection.url
Type string
Default ""

The base URL of your TPP server, for example https://tpp.example.internal.

deployment.config.bootstrap.tpp.connection.clientID

Property deployment.config.bootstrap.tpp.connection.clientID
Type string
Default firefly

The OAuth clientID (TPP Application Integration ID) to authenticate with.

deployment.config.bootstrap.tpp.connection.usernamePassword.enabled

Property deployment.config.bootstrap.tpp.connection.usernamePassword.enabled
Type bool
Default false

Enable username-password authentication. You must put the credentials in a Secret whose name is given by usernamePassword.name, in the same namespace as Distributed Issuer, with the following keys: username, password.

deployment.config.bootstrap.tpp.connection.usernamePassword.name

Property deployment.config.bootstrap.tpp.connection.usernamePassword.name
Type string
Default ""

Override the name of the username-password Secret. By default a Secret with the full chart name is assumed. For example: distributed-issuer-credentials.

deployment.config.bootstrap.tpp.connection.serviceAccountToken.enabled

Property deployment.config.bootstrap.tpp.connection.serviceAccountToken.enabled
Type bool
Default false

Enable JWT authentication using a Kubernetes ServiceAccount token.

deployment.config.bootstrap.tpp.connection.serviceAccountToken.audiences

Property deployment.config.bootstrap.tpp.connection.serviceAccountToken.audiences
Type array
Default - tpp

Audiences are the intended audiences of the token. A recipient of a token must identify itself with an identifier in the list of audiences of the token, and otherwise should reject the token. A token issued for multiple audiences may be used to authenticate against any of the audiences listed, but implies a high degree of trust between the target audiences.

deployment.config.bootstrap.tpp.csr.instanceNaming

Property deployment.config.bootstrap.tpp.csr.instanceNaming
Type string
Default ""

A name for the Distributed Issuer instance (should be unique). This, plus a suffix defined by the Issuer Sub CA provider, will be the common name of the Distributed Issuer CA certificate. Supports environment variable substitution using {ENV_VAR_NAME} syntax. If the specified environment variable is set (has a value), that value will be substituted. If not specified, defaults to the Helm release name.
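The TPP connection fields above have to be set as a consistent group: when the chart renders the VenafiConnection itself (connection.create: true), venafiConnection.include must be false, url is required, and exactly one authentication method is enabled. The values fragment below is an added example, not the chart's own values.yaml; the URL is a placeholder, the DN is the one quoted earlier on this page, and disabling the NGTS bootstrap is an assumption (so that TPP is the only active bootstrap method). It enables the ServiceAccount JWT method, which needs no long-lived password Secret, and leaves the username-password alternative in place but disabled.

```yaml
# Added example (not from the chart). URL is a placeholder.
venafiConnection:
  include: false                 # CRD installed separately; required when connection.create is true
deployment:
  config:
    bootstrap:
      ngts:
        enabled: false           # assumption: TPP is the only bootstrap method in use
      tpp:
        enabled: true
        configurationDN: '\VED\Policy\us-west-1\service-mesh\distributed-issuer'  # DN from this page's example
        connection:
          create: true           # chart renders the VenafiConnection and its RBAC
          name: ""               # optional with create: true; the chart name is used
          url: https://tpp.example.internal   # placeholder base URL
          clientID: firefly      # TPP Application Integration ID
          # Short-lived Kubernetes ServiceAccount JWTs: nothing static to store or rotate.
          serviceAccountToken:
            enabled: true
            audiences:
            - tpp                # TPP must identify itself with an audience in this list
          # Alternative: static credentials in a Secret with keys "username" and "password",
          # named by usernamePassword.name, in the release namespace. Disabled here.
          usernamePassword:
            enabled: false
            name: distributed-issuer-credentials
```

If both authentication methods were enabled, or venafiConnection.include were left true with create: true, the result would contradict the constraints stated in the entries above, so a values file should be checked against those constraints before helm install.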

deployment.config.bootstrap.ngts.enabled

Property deployment.config.bootstrap.ngts.enabled
Type bool
Default true

Set to true to bootstrap from NGTS.

deployment.config.bootstrap.ngts.connection.create

Property deployment.config.bootstrap.ngts.connection.create
Type bool
Default false

When set to true, the rendered output will include a VenafiConnection resource and some associated RBAC. These will be installed in the same namespace as Distributed Issuer. This is useful when the VenafiConnection CRDs have already been installed by another Venafi component. When true, you must set venafiConnection.include: false because the VenafiConnection CRD cannot be installed in the same Helm chart as a VenafiConnection resource. When true, you must also supply tsgID or url, and privateKeySecret.enabled: true. When false, you only need to fill in the name field. In this case you must manually create the VenafiConnection with the given name and associated RBAC.

deployment.config.bootstrap.ngts.connection.name

Property deployment.config.bootstrap.ngts.connection.name
Type string
Default ""

The name of a VenafiConnection resource in the same namespace as Distributed Issuer. If create: true this name can be omitted and by default the chart name will be used. If create: false this name is a required field and you are responsible for creating the VenafiConnection resource and the associated RBAC.

deployment.config.bootstrap.ngts.connection.tsgID

Property deployment.config.bootstrap.ngts.connection.tsgID
Type number
Default ""

The NGTS TSGID, used to construct the data plane API URL.
https://<tsgID>.ngts.paloaltonetworks.com will be used as the API URL if url is not set.

deployment.config.bootstrap.ngts.connection.url

Property deployment.config.bootstrap.ngts.connection.url
Type string
Default ""

The NGTS data plane API endpoint.

deployment.config.bootstrap.ngts.connection.privateKeySecret.enabled

Property deployment.config.bootstrap.ngts.connection.privateKeySecret.enabled
Type bool
Default false

Enable private key authentication.
You must put the credentials in a Secret whose name is given by privateKeySecret.secretName, in the same namespace as Distributed Issuer, with the key named by secretKey containing the private key.

deployment.config.bootstrap.ngts.connection.privateKeySecret.secretName

Property deployment.config.bootstrap.ngts.connection.privateKeySecret.secretName
Type string
Default ngts-credentials

Provide the name of the Secret containing the private key linked to your NGTS service account. The svc-acct.key key in this Secret should contain the PEM encoded private key.

deployment.config.bootstrap.ngts.connection.privateKeySecret.clientID

Property deployment.config.bootstrap.ngts.connection.privateKeySecret.clientID
Type string
Default ""

The ClientID of your NGTS service account associated with the desired configuration.

deployment.config.bootstrap.ngts.csr.instanceNaming

Property deployment.config.bootstrap.ngts.csr.instanceNaming
Type string
Default ""

A name for the Distributed Issuer instance (should be unique). This, plus a suffix defined by the Issuer Sub CA provider, will be the common name of the Distributed Issuer CA certificate. Supports environment variable substitution using {ENV_VAR_NAME} syntax. If the specified environment variable is set (has a value), that value will be substituted. If not specified, defaults to the Helm release name.
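The NGTS connection entries above fit together the same way as the TPP ones: connection.create: true requires venafiConnection.include: false, either tsgID or url, and privateKeySecret.enabled: true, with the PEM key stored under svc-acct.key in the named Secret. The fragment below is an added example, not the chart's own values.yaml. The TSG ID, client ID and key material are placeholders, the release namespace is assumed to be distributed-issuer, and the CLUSTER_NAME variable is an assumption introduced only to show the {ENV_VAR_NAME} substitution in csr.instanceNaming.

```yaml
# Added example (not from the chart). TSG ID, client ID and key are placeholders.
venafiConnection:
  include: false                 # required because connection.create is true below
deployment:
  extraEnv:
  - name: CLUSTER_NAME           # assumption: supplies the value substituted into instanceNaming
    value: us-west-1-prod
  config:
    bootstrap:
      ngts:
        enabled: true
        connection:
          create: true
          tsgID: 1234567890      # placeholder; API URL becomes https://1234567890.ngts.paloaltonetworks.com
          # url: https://ngts.example.internal   # set instead of tsgID to use an explicit endpoint
          privateKeySecret:
            enabled: true
            secretName: ngts-credentials
            clientID: "<ngts-service-account-client-id>"   # placeholder
        csr:
          instanceNaming: "{CLUSTER_NAME}-issuer"   # rendered as us-west-1-prod-issuer when the variable is set
---
# Kubernetes Secret referenced by privateKeySecret.secretName. Not part of the
# values file; apply it separately in the release namespace before installing.
apiVersion: v1
kind: Secret
metadata:
  name: ngts-credentials
  namespace: distributed-issuer  # assumption: the chart's release namespace
type: Opaque
stringData:
  svc-acct.key: |                # key name expected by the chart
    -----BEGIN PRIVATE KEY-----
    <PEM-encoded private key of the NGTS service account, placeholder>
    -----END PRIVATE KEY-----
```

Keeping the private key in a Secret created out of band (for example by a secrets manager integration) rather than in the values file keeps it out of Helm release history and version control.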

deployment.config.policies

Property deployment.config.policies
Type array
Default ""

DevMode: Policies to be included in the config.
Only allowed when using a DevMode bootstrap method.

For example:

policies:
- name: Sample Policy
  validityPeriod: P7D
  keyAlgorithm:
    defaultValue: EC_P256
    allowedValues:
    - EC_P256
  keyUsages:
  - digitalSignature
  extendedKeyUsages:
  - ANY

deployment.config.controller.enabled

Property deployment.config.controller.enabled
Type bool
Default true

Enable the Kubernetes Controller of Distributed Issuer to listen for cert-manager Certificates.

deployment.config.controller.certManager.caRootChainPopulation

Property deployment.config.controller.certManager.caRootChainPopulation
Type bool
Default false

Automatically populate the status.ca field with the CA information when set to true.

deployment.config.controller.certManager.checkApproval

Property deployment.config.controller.certManager.checkApproval
Type bool
Default true

Set to false if you want Distributed Issuer to issue CertificateRequest resources without waiting for them to be approved.

deployment.config.server.grpc.enabled

Property deployment.config.server.grpc.enabled
Type bool
Default false

Enable the GRPC server of Distributed Issuer.

deployment.config.server.grpc.port

Property deployment.config.server.grpc.port
Type number
Default 8081

Port of the GRPC server.

deployment.config.server.grpc.ipAddress

Property deployment.config.server.grpc.ipAddress
Type string
Default 0.0.0.0

Interface that the GRPC Server will listen on.

deployment.config.server.grpc.dnsNames

Property deployment.config.server.grpc.dnsNames
Type array
Default []

DNS Names that the GRPC Server will listen on.

deployment.config.server.rest.enabled

Property deployment.config.server.rest.enabled
Type bool
Default false

Enable the Rest server of Distributed Issuer.

deployment.config.server.rest.port

Property deployment.config.server.rest.port
Type number
Default 8281

Port of the Rest server.

deployment.config.server.rest.ipAddress

Property deployment.config.server.rest.ipAddress
Type string
Default 0.0.0.0

Interface that the Rest Server will listen on.

deployment.config.server.rest.dnsNames

Property deployment.config.server.rest.dnsNames
Type array
Default []

DNS Names that the Rest Server will listen on.

deployment.replicaCount

Property deployment.replicaCount
Type number
Default 2

A minimum of 2 replicas is needed to achieve active-passive standby HA.

deployment.mlock

Property deployment.mlock
Type bool
Default true

It is not recommended to disable mlock except for development or testing! mlock locks the process memory so that it cannot be swapped to disk, which matters for a process that holds private key material.

deployment.logLevel

Property deployment.logLevel
Type number
Default 0

Log level. 0=Info, 1=Debug, 2=Trace. Use 6-9 for increasingly verbose HTTP request logging.

deployment.logFormat

Property deployment.logFormat
Type string
Default text

Log format, either 'text' or 'json'.

deployment.imagePullSecrets

Property deployment.imagePullSecrets
Type array
Default []

Set a list of image pull secrets.

For example:
- name: jss-pull-secret

deployment.nodeSelector

Property deployment.nodeSelector
Type object
Default {}

It is recommended to set a nodeSelector for resource isolation.

For example:

distributed-issuer-runner: "true"

deployment.resources

Property deployment.resources
Type object
Default {}

We usually recommend not specifying default resources and leaving this as a conscious choice for the user. This also increases the chance that the chart runs on environments with few resources, such as Minikube. If you do want to specify resources, replace the empty object with limits and requests along the lines of the example below, adjusted as necessary.

For example:

limits:
  cpu: 100m
  memory: 512Mi
requests:
  cpu: 100m
  memory: 512Mi

deployment.tolerations

Property deployment.tolerations
Type array
Default []

deployment.affinity

Property deployment.affinity
Type object
Default {}

deployment.extraVolumes

Property deployment.extraVolumes
Type array
Default []

For example:

- name: ca-bundle-cert
  secret:
    secretName: <secret-name>

deployment.extraVolumeMounts

Property deployment.extraVolumeMounts
Type array
Default []

For example:

- mountPath: /etc/ssl/certs/
  name: ca-bundle-cert

deployment.extraEnv

Property deployment.extraEnv
Type array
Default []

Additional environment variables to add to the Pod.
For example:

extraEnv:
- name: SOME_VAR
  value: 'some value'

deployment.metrics.enabled

Property deployment.metrics.enabled
Type bool
Default true

Enable the metrics server.
If false, the metrics server will be disabled and the other metrics fields below will be ignored.

deployment.metrics.port

Property deployment.metrics.port
Type number
Default 9402

The TCP port for exposing Prometheus metrics on 0.0.0.0 on the HTTP path '/metrics'.

deployment.metrics.podmonitor.enabled

Property deployment.metrics.podmonitor.enabled
Type bool
Default false

Create a PodMonitor to add the metrics to Prometheus, if you are using Prometheus Operator. See https://prometheus-operator.dev/docs/operator/api/#monitoring.coreos.com/v1.PodMonitor

deployment.metrics.podmonitor.namespace

Property deployment.metrics.podmonitor.namespace
Type string
Default ""

The namespace that the pod monitor should live in.
Defaults to the paloalto namespace.

deployment.metrics.podmonitor.prometheusInstance

Property deployment.metrics.podmonitor.prometheusInstance
Type string
Default default

Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.

deployment.metrics.podmonitor.interval

Property deployment.metrics.podmonitor.interval
Type string
Default 60s

The interval to scrape metrics.

deployment.metrics.podmonitor.scrapeTimeout

Property deployment.metrics.podmonitor.scrapeTimeout
Type string
Default 30s

The timeout before a metrics scrape fails.

deployment.metrics.podmonitor.labels

Property deployment.metrics.podmonitor.labels
Type object
Default {}

Additional labels to add to the PodMonitor.

deployment.metrics.podmonitor.annotations

Property deployment.metrics.podmonitor.annotations
Type object
Default {}

Additional annotations to add to the PodMonitor.

deployment.metrics.podmonitor.honorLabels

Property deployment.metrics.podmonitor.honorLabels
Type bool
Default false

Keep labels from scraped data, overriding server-side labels.

deployment.metrics.podmonitor.endpointAdditionalProperties

Property deployment.metrics.podmonitor.endpointAdditionalProperties
Type object
Default {}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
  relabelings:
  - action: replace
    sourceLabels:
    - __meta_kubernetes_pod_node_name
    targetLabel: instance

serviceAccount.annotations

Property serviceAccount.annotations
Type object
Default {}

Set annotations on the Distributed Issuer Service Account.

service.type

Property service.type
Type string
Default ClusterIP

Type of the Service.

service.annotations

Property service.annotations
Type object
Default ""

Optional additional annotations to add to the service.

crd.enabled

Property crd.enabled
Type bool
Default true

Installs the CRD in the cluster. Required to enable Distributed Issuer with the given group.

crd.groupName

Property crd.groupName
Type string
Default firefly.venafi.com

Group name of the issuer.

crd.approver.enabled

Property crd.approver.enabled
Type bool
Default true

Enable or disable the creation of a ClusterRole and ClusterRoleBinding to allow an approver to approve CertificateRequest resources which use the Distributed Issuer issuer group name.

crd.approver.subject.kind

Property crd.approver.subject.kind
Type string
Default ServiceAccount

crd.approver.subject.namespace

Property crd.approver.subject.namespace
Type string
Default cert-manager

crd.approver.subject.name

Property crd.approver.subject.name
Type string
Default cert-manager-approver-policy

overrideSignerSubject

Property overrideSignerSubject
Type object
Default {}

Optional subject to assign permissions to sign Distributed Issuer CertificateRequests. This should be used when Distributed Issuer is running outside the cluster, and likely takes the identity of a Kubernetes User.

For example:

apiGroup: rbac.authorization.k8s.io
kind: User
name: distributed-issuer

openshift.securityContextConstraint.enabled

Property openshift.securityContextConstraint.enabled
Type string
Default detect

Include RBAC to allow the DaemonSet to "use" the specified SecurityContextConstraints.

This value can either be a boolean true or false, or the string detect. If set to detect then the securityContextConstraint is automatically enabled for openshift installs.

openshift.securityContextConstraint.name

Property openshift.securityContextConstraint.name
Type string
Default privileged

Name of the SecurityContextConstraints to create RBAC for.

acceptTerms

Property acceptTerms
Type bool
Default true