Enterprise cert-manager Helm values¶

An enterprise version of cert-manager. The component adds certificates and certificate issuers as resource types in Kubernetes clusters and simplifies the process of obtaining, renewing, and using certificates

The following cert-manager Helm values are supported by the Venafi Kubernetes Manifest tool.

Global¶

global.imagePullSecrets¶

[]

Reference to one or more secrets to be used when pulling images. For more information, see Pull an Image from a Private Registry.

For example:

imagePullSecrets:
  - name: "image-pull-secret"

global.commonLabels¶

{}

Labels to apply to all resources.
Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the cert-manager documentation.

For example, secretTemplate in CertificateSpec
For more information, see the cert-manager documentation.

global.revisionHistoryLimit¶

The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).

global.priorityClassName¶

""

The optional priority class to be used for the cert-manager pods.

global.rbac.create¶

true

Create required ClusterRoles and ClusterRoleBindings for cert-manager.

global.rbac.aggregateClusterRoles¶

true

Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see User-facing roles.

global.podSecurityPolicy.enabled¶

false

Create PodSecurityPolicy for cert-manager.

global.podSecurityPolicy.useAppArmor¶

true

Configure the PodSecurityPolicy to use AppArmor.

global.logLevel¶

2

Set the verbosity of cert-manager. A range of 0 - 6. with 6 being the most verbose.

global.leaderElection.namespace¶

kube-system

Override the namespace used for the leader election lease.

global.leaderElection.leaseDuration¶

The dureation that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate.

global.leaderElection.renewDeadline¶

The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.

global.leaderElection.retryPeriod¶

The duration the clients should wait between attempting acquisition and renewal of a leadership.

installCRDs¶

false

Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs.

Controller¶

replicaCount¶

1

The number of replicas of the cert-manager controller to run.

The default is 1, but in production set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting podDisruptionBudget.enabled=true.

strategy¶

{}

Deployment update strategy for the cert-manager controller deployment. For more information, see the Kubernetes documentation.

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

podDisruptionBudget.enabled¶

false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining cert-manager
Pod is currently running.

podDisruptionBudget.minAvailable¶

This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable¶

This onfigures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if minAvailable is set.

featureGates¶

""

A comma-separated list of feature gates that should be enabled on the controller pod.

maxConcurrentChallenges¶

60

The maximum number of challenges that can be scheduled as 'processing' at once.

image.registry¶

The container registry to pull the manager image from.

image.repository¶

quay.io/jetstack/cert-manager-controller

The container image for the cert-manager controller.

image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest¶

Setting a digest will override any tag.

image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

clusterResourceNamespace¶

""

Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart.

namespace¶

""

This namespace allows you to define where the services are installed into. If not set then they use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart).

serviceAccount.create¶

true

Specifies whether a service account should be created.

serviceAccount.name¶

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

serviceAccount.annotations¶

Optional additional annotations to add to the controller's Service Account.

serviceAccount.labels¶

Optional additional labels to add to the controller's Service Account.

serviceAccount.automountServiceAccountToken¶

true

Automount API credentials for a Service Account.

automountServiceAccountToken¶

Automounting API credentials for a particular pod.

enableCertificateOwnerRef¶

false

When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted.

config¶

{}

This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here.

For example:

config:
  apiVersion: controller.config.cert-manager.io/v1alpha1
  kind: ControllerConfiguration
  logging:
    verbosity: 2
    format: text
  leaderElectionConfig:
    namespace: kube-system
  kubernetesAPIQPS: 9000
  kubernetesAPIBurst: 9000
  numberOfConcurrentWorkers: 200
  featureGates:
    AdditionalCertificateOutputFormats: true
    DisallowInsecureCSRUsageDefinition: true
    ExperimentalCertificateSigningRequestControllers: true
    ExperimentalGatewayAPISupport: true
    LiteralCertificateSubject: true
    SecretsFilteredCaching: true
    ServerSideApply: true
    StableCertificateRequestName: true
    UseCertificateRequestBasicConstraints: true
    ValidateCAA: true
  metricsTLSConfig:
    dynamic:
      secretNamespace: "cert-manager"
      secretName: "cert-manager-metrics-ca"
      dnsNames:
      - cert-manager-metrics
      - cert-manager-metrics.cert-manager
      - cert-manager-metrics.cert-manager.svc

dns01RecursiveNameservers¶

""

A comma-separated string with the host and port of the recursive nameservers cert-manager should query.

dns01RecursiveNameserversOnly¶

false

Forces cert-manager to use only the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.

extraArgs¶

[]

Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help.

Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificiateRequests approver.

For example:

extraArgs:
  - --controllers=*,-certificaterequests-approver

extraEnv¶

[]

Additional environment variables to pass to cert-manager controller binary.

resources¶

{}

Resources to provide to the cert-manager controller pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

securityContext¶

runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context.
For more information, see Configure a Security Context for a Pod or Container.

containerSecurityContext¶

allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the controller component container. For more information, see Configure a Security Context for a Pod or Container.

volumes¶

[]

Additional volumes to add to the cert-manager controller pod.

volumeMounts¶

[]

Additional volume mounts to add to the cert-manager controller container.

deploymentAnnotations¶

Optional additional annotations to add to the controller Deployment.

podAnnotations¶

Optional additional annotations to add to the controller Pods.

podLabels¶

{}

Optional additional labels to add to the controller Pods.

serviceAnnotations¶

Optional annotations to add to the controller Service.

serviceLabels¶

Optional additional labels to add to the controller Service.

podDnsPolicy¶

Pod DNS policy.
For more information, see Pod's DNS Policy.

podDnsConfig¶

Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. For more information, see Pod's DNS Config.

nodeSelector¶

kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

ingressShim.defaultIssuerName¶

Optional default issuer to use for ingress resources.

ingressShim.defaultIssuerKind¶

Optional default issuer kind to use for ingress resources.

ingressShim.defaultIssuerGroup¶

Optional default issuer group to use for ingress resources.

http_proxy¶

Configures the HTTP_PROXY environment variable where a HTTP proxy is required.

https_proxy¶

Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.

no_proxy¶

Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.

affinity¶

{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

tolerations¶

[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints¶

[]

A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

livenessProbe¶

enabled: true
failureThreshold: 8
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15

LivenessProbe settings for the controller container of the controller Pod.

This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the
Kubernetes GitHub repository

enableServiceLinks¶

false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

Prometheus¶

prometheus.enabled¶

true

Enable Prometheus monitoring for the cert-manager controller to use with the. Prometheus Operator. Either prometheus.servicemonitor.enabled or
prometheus.podmonitor.enabled can be used to create a ServiceMonitor/PodMonitor
resource.

prometheus.servicemonitor.enabled¶

false

Create a ServiceMonitor to add cert-manager to Prometheus.

prometheus.servicemonitor.prometheusInstance¶

default

Specifies the prometheus label on the created ServiceMonitor. This is used when different Prometheus instances have label selectors matching different ServiceMonitors.

prometheus.servicemonitor.targetPort¶

9402

The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.

prometheus.servicemonitor.path¶

/metrics

The path to scrape for metrics.

prometheus.servicemonitor.interval¶

60s

The interval to scrape metrics.

prometheus.servicemonitor.scrapeTimeout¶

30s

The timeout before a metrics scrape fails.

prometheus.servicemonitor.labels¶

{}

Additional labels to add to the ServiceMonitor.

prometheus.servicemonitor.annotations¶

{}

Additional annotations to add to the ServiceMonitor.

prometheus.servicemonitor.honorLabels¶

false

Keep labels from scraped data, overriding server-side labels.

prometheus.servicemonitor.endpointAdditionalProperties¶

{}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance

prometheus.podmonitor.enabled¶

false

Create a PodMonitor to add cert-manager to Prometheus.

prometheus.podmonitor.prometheusInstance¶

default

Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.

prometheus.podmonitor.path¶

/metrics

The path to scrape for metrics.

prometheus.podmonitor.interval¶

60s

The interval to scrape metrics.

prometheus.podmonitor.scrapeTimeout¶

30s

The timeout before a metrics scrape fails.

prometheus.podmonitor.labels¶

{}

Additional labels to add to the PodMonitor.

prometheus.podmonitor.annotations¶

{}

Additional annotations to add to the PodMonitor.

prometheus.podmonitor.honorLabels¶

false

Keep labels from scraped data, overriding server-side labels.

prometheus.podmonitor.endpointAdditionalProperties¶

{}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance

Webhook¶

webhook.replicaCount¶

1

Number of replicas of the cert-manager webhook to run.

The default is 1, but in production set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting webhook.podDisruptionBudget.enabled=true.

webhook.timeoutSeconds¶

30

The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see
Validating webhook configuration v1.

The default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If this timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.

webhook.config¶

{}

This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags. An APIVersion and Kind must be specified in your values.yaml file.
Flags override options that are set here.

For example:

apiVersion: webhook.config.cert-manager.io/v1alpha1
kind: WebhookConfiguration
# The port that the webhook listens on for requests.
# In GKE private clusters, by default Kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. Configuring
# securePort: 10250 therefore will work out-of-the-box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.
# This should be uncommented and set as a default by the chart once
# the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
securePort: 10250

webhook.strategy¶

{}

The eployment update strategy for the cert-manager webhook deployment. For more information, see the Kubernetes documentation

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

webhook.securityContext¶

runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context to be set on the webhook component Pod. For more information, see Configure a Security Context for a Pod or Container.

webhook.containerSecurityContext¶

allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the webhook component container. For more information, see Configure a Security Context for a Pod or Container.

webhook.podDisruptionBudget.enabled¶

false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining cert-manager
Pod is currently running.

webhook.podDisruptionBudget.minAvailable¶

This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

webhook.podDisruptionBudget.maxUnavailable¶

This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if minAvailable is set.

webhook.deploymentAnnotations¶

Optional additional annotations to add to the webhook Deployment.

webhook.podAnnotations¶

Optional additional annotations to add to the webhook Pods.

webhook.serviceAnnotations¶

Optional additional annotations to add to the webhook Service.

webhook.mutatingWebhookConfigurationAnnotations¶

Optional additional annotations to add to the webhook MutatingWebhookConfiguration.

webhook.validatingWebhookConfigurationAnnotations¶

Optional additional annotations to add to the webhook ValidatingWebhookConfiguration.

webhook.validatingWebhookConfiguration.namespaceSelector¶

matchExpressions:
  - key: cert-manager.io/disable-validation
    operator: NotIn
    values:
      - "true"

Configure spec.namespaceSelector for validating webhooks.

webhook.mutatingWebhookConfiguration.namespaceSelector¶

{}

Configure spec.namespaceSelector for mutating webhooks.

webhook.extraArgs¶

[]

Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help.

webhook.featureGates¶

""

Comma separated list of feature gates that should be enabled on the webhook pod.

webhook.resources¶

{}

Resources to provide to the cert-manager webhook pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

webhook.livenessProbe¶

failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1

Liveness probe values.
For more information, see Container probes.

webhook.readinessProbe¶

failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1

Readiness probe values.
For more information, see Container probes.

webhook.nodeSelector¶

kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

webhook.affinity¶

{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

webhook.tolerations¶

[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

webhook.topologySpreadConstraints¶

[]

A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

webhook.podLabels¶

{}

Optional additional labels to add to the Webhook Pods.

webhook.serviceLabels¶

{}

Optional additional labels to add to the Webhook Service.

webhook.image.registry¶

The container registry to pull the webhook image from.

webhook.image.repository¶

quay.io/jetstack/cert-manager-webhook

The container image for the cert-manager webhook

webhook.image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

webhook.image.digest¶

Setting a digest will override any tag

webhook.image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

webhook.serviceAccount.create¶

true

Specifies whether a service account should be created.

webhook.serviceAccount.name¶

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

webhook.serviceAccount.annotations¶

Optional additional annotations to add to the controller's Service Account.

webhook.serviceAccount.labels¶

Optional additional labels to add to the webhook's Service Account.

webhook.serviceAccount.automountServiceAccountToken¶

true

Automount API credentials for a Service Account.

webhook.automountServiceAccountToken¶

Automounting API credentials for a particular pod.

webhook.securePort¶

10250

The port that the webhook listens on for requests. In GKE private clusters, by default Kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. Configuring securePort: 10250, therefore will work out-of-the-box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.

webhook.hostNetwork¶

false

Specifies if the webhook should be started in hostNetwork mode.

Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working

Since the default port for the webhook conflicts with kubelet on the host network, webhook.securePort should be changed to an available port if running in hostNetwork mode.

webhook.serviceType¶

ClusterIP

Specifies how the service should be handled. Useful if you want to expose the webhook outside of the cluster. In some cases, the control plane cannot reach internal services.

webhook.loadBalancerIP¶

Specify the load balancer IP for the created service.

webhook.url¶

{}

Overrides the mutating webhook and validating webhook so they reach the webhook service using the url field instead of a service.

webhook.networkPolicy.enabled¶

false

Create network policies for the webhooks.

webhook.networkPolicy.ingress¶

- from:
    - ipBlock:
        cidr: 0.0.0.0/0

Ingress rule for the webhook network policy. By default, it allows all inbound traffic.

webhook.networkPolicy.egress¶

- ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    - port: 6443
      protocol: TCP
  to:
    - ipBlock:
        cidr: 0.0.0.0/0

Egress rule for the webhook network policy. By default, it allows all outbound traffic to ports 80 and 443, as well as DNS ports.

webhook.volumes¶

[]

Additional volumes to add to the cert-manager controller pod.

webhook.volumeMounts¶

[]

Additional volume mounts to add to the cert-manager controller container.

webhook.enableServiceLinks¶

false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

CA Injector¶

cainjector.enabled¶

true

Create the CA Injector deployment

cainjector.replicaCount¶

1

The number of replicas of the cert-manager cainjector to run.

The default is 1, but in production set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting cainjector.podDisruptionBudget.enabled=true.

cainjector.config¶

{}

This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags. An APIVersion and Kind must be specified in your values.yaml file.
Flags override options that are set here.

For example:

apiVersion: cainjector.config.cert-manager.io/v1alpha1
kind: CAInjectorConfiguration
logging:
 verbosity: 2
 format: text
leaderElectionConfig:
 namespace: kube-system

cainjector.strategy¶

{}

Deployment update strategy for the cert-manager cainjector deployment. For more information, see the Kubernetes documentation.

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

cainjector.securityContext¶

runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context to be set on the cainjector component Pod. For more information, see Configure a Security Context for a Pod or Container.

cainjector.containerSecurityContext¶

allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the cainjector component container. For more information, see Configure a Security Context for a Pod or Container.

cainjector.podDisruptionBudget.enabled¶

false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining cert-manager
Pod is currently running.

cainjector.podDisruptionBudget.minAvailable¶

It configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

cainjector.podDisruptionBudget.maxUnavailable¶

it configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if minAvailable is set.

cainjector.deploymentAnnotations¶

Optional additional annotations to add to the cainjector Deployment.

cainjector.podAnnotations¶

Optional additional annotations to add to the cainjector Pods.

cainjector.extraArgs¶

[]

Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help.

cainjector.featureGates¶

""

Comma separated list of feature gates that should be enabled on the cainjector pod.

cainjector.resources¶

{}

Resources to provide to the cert-manager cainjector pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

cainjector.nodeSelector¶

kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

cainjector.affinity¶

{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

cainjector.tolerations¶

[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

cainjector.topologySpreadConstraints¶

[]

A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

cainjector.podLabels¶

{}

Optional additional labels to add to the CA Injector Pods.

cainjector.image.registry¶

The container registry to pull the cainjector image from.

cainjector.image.repository¶

quay.io/jetstack/cert-manager-controller

The container image for the cert-manager cainjector.

cainjector.image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

cainjector.image.digest¶

Setting a digest will override any tag.

cainjector.image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

cainjector.serviceAccount.create¶

true

Specifies whether a service account should be created.

cainjector.serviceAccount.name¶

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

cainjector.serviceAccount.annotations¶

Optional additional annotations to add to the controller's Service Account.

cainjector.serviceAccount.labels¶

Optional additional labels to add to the cainjector's Service Account.

cainjector.serviceAccount.automountServiceAccountToken¶

true

Automount API credentials for a Service Account.

cainjector.automountServiceAccountToken¶

Automounting API credentials for a particular pod.

cainjector.volumes¶

[]

Additional volumes to add to the cert-manager controller pod.

cainjector.volumeMounts¶

[]

Additional volume mounts to add to the cert-manager controller container.

cainjector.enableServiceLinks¶

false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

ACME Solver¶

acmesolver.image.registry¶

The container registry to pull the acmesolver image from.

acmesolver.image.repository¶

quay.io/jetstack/cert-manager-acmesolver

The container image for the cert-manager acmesolver.

acmesolver.image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

acmesolver.image.digest¶

Setting a digest will override any tag.

acmesolver.image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

Startup API Check¶

This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, ensure that they are not injected into this Job's pod. Otherwise, the installation may time out owing to the Job never being completed because the sidecar proxy does not exit. For more information, see this note.

startupapicheck.enabled¶

true

Enables the startup api check.

startupapicheck.securityContext¶

runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context to be set on the startupapicheck component Pod. For more information, see Configure a Security Context for a Pod or Container.

startupapicheck.containerSecurityContext¶

allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the controller component container. For more information, see Configure a Security Context for a Pod or Container.

startupapicheck.timeout¶

1m

Timeout for 'kubectl check api' command.

startupapicheck.backoffLimit¶

4

Job backoffLimit.

startupapicheck.jobAnnotations¶

helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "1"

Optional additional annotations to add to the startupapicheck Job.

startupapicheck.podAnnotations¶

Optional additional annotations to add to the startupapicheck Pods.

startupapicheck.extraArgs¶

- -v

Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help.

Verbose loggingv is enabled by default so that if startupapicheck fails, you can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example.

startupapicheck.resources¶

{}

Resources to provide to the cert-manager controller pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

startupapicheck.nodeSelector¶

kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

startupapicheck.affinity¶

{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.
For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

startupapicheck.tolerations¶

[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

startupapicheck.podLabels¶

{}

Optional additional labels to add to the startupapicheck Pods.

startupapicheck.image.registry¶

The container registry to pull the startupapicheck image from.

startupapicheck.image.repository¶

quay.io/jetstack/cert-manager-startupapicheck

The container image for the cert-manager startupapicheck.

startupapicheck.image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

startupapicheck.image.digest¶

Setting a digest will override any tag.

startupapicheck.image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

startupapicheck.rbac.annotations¶

helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"

Annotations for the startup API Check job RBAC and PSP resources.

startupapicheck.automountServiceAccountToken¶

Automounting API credentials for a particular pod.

startupapicheck.serviceAccount.create¶

true

Specifies whether a service account should be created.

startupapicheck.serviceAccount.name¶

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

startupapicheck.serviceAccount.annotations¶

helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"

Optional additional annotations to add to the Job's Service Account.

startupapicheck.serviceAccount.automountServiceAccountToken¶

true

Automount API credentials for a Service Account.

startupapicheck.serviceAccount.labels¶

Optional additional labels to add to the startupapicheck's Service Account.

startupapicheck.volumes¶

[]

Additional volumes to add to the cert-manager controller pod.

startupapicheck.volumeMounts¶

[]

Additional volume mounts to add to the cert-manager controller container.

startupapicheck.enableServiceLinks¶

false

enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links.