Skip to content

cert-manager Helm values

Global

global.imagePullSecrets

Property global.imagePullSecrets
Type array
Default
[]

Reference to one or more secrets to be used when pulling images. For more information, see Pull an Image from a Private Registry.

For example:

imagePullSecrets:
  - name: "image-pull-secret"

global.commonLabels

Property global.commonLabels
Type object
Default
{}

Labels to apply to all resources.
Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: For example, podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress. For more information, see the cert-manager documentation.
For example, secretTemplate in CertificateSpec
For more information, see the cert-manager documentation.

global.revisionHistoryLimit

Property global.revisionHistoryLimit
Type number
Default

The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).

global.priorityClassName

Property global.priorityClassName
Type string
Default
""

The optional priority class to be used for the cert-manager pods.

global.rbac.create

Property global.rbac.create
Type bool
Default
true

Create required ClusterRoles and ClusterRoleBindings for cert-manager.

global.rbac.aggregateClusterRoles

Property global.rbac.aggregateClusterRoles
Type bool
Default
true

Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see User-facing roles

global.podSecurityPolicy.enabled

Property global.podSecurityPolicy.enabled
Type bool
Default
false

Create PodSecurityPolicy for cert-manager.

Note that PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in Kubernetes 1.25.

global.podSecurityPolicy.useAppArmor

Property global.podSecurityPolicy.useAppArmor
Type bool
Default
true

Configure the PodSecurityPolicy to use AppArmor.

global.logLevel

Property global.logLevel
Type number
Default
2

Set the verbosity of cert-manager. A range of 0 - 6, with 6 being the most verbose.

global.leaderElection.namespace

Property global.leaderElection.namespace
Type string
Default
kube-system

Override the namespace used for the leader election lease.

global.leaderElection.leaseDuration

Property global.leaderElection.leaseDuration
Type string
Default

The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate.

global.leaderElection.renewDeadline

Property global.leaderElection.renewDeadline
Type string
Default

The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration.

global.leaderElection.retryPeriod

Property global.leaderElection.retryPeriod
Type string
Default

The duration the clients should wait between attempting acquisition and renewal of a leadership.

installCRDs

Property installCRDs
Type bool
Default
false

This option is equivalent to setting crds.enabled=true and crds.keep=true. Deprecated: use crds.enabled and crds.keep instead.

crds.enabled

Property crds.enabled
Type bool
Default
false

This option decides if the CRDs should be installed as part of the Helm installation.

crds.keep

Property crds.keep
Type bool
Default
true

This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources
(Certificates, Issuers, ...) will be removed too by the garbage collector.

Controller

replicaCount

Property replicaCount
Type number
Default
1

The number of replicas of the cert-manager controller to run.

The default is 1, but in production set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting podDisruptionBudget.enabled=true.

Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.

strategy

Property strategy
Type object
Default
{}

Deployment update strategy for the cert-manager controller deployment. For more information, see the Kubernetes documentation.

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

podDisruptionBudget.enabled

Property podDisruptionBudget.enabled
Type bool
Default
false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining cert-manager
Pod is currently running.

podDisruptionBudget.minAvailable

Property podDisruptionBudget.minAvailable
Type unknown
Default

This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable

Property podDisruptionBudget.maxUnavailable
Type unknown
Default

This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if minAvailable is set.

featureGates

Property featureGates
Type string
Default
""

A comma-separated list of feature gates that should be enabled on the controller pod.

maxConcurrentChallenges

Property maxConcurrentChallenges
Type number
Default
60

The maximum number of challenges that can be scheduled as 'processing' at once.

image.registry

Property image.registry
Type string
Default

The container registry to pull the manager image from.

image.repository

Property image.repository
Type string
Default
quay.io/jetstack/cert-manager-controller

The container image for the cert-manager controller.

image.tag

Property image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest

Property image.digest
Type string
Default

Setting a digest will override any tag.

image.pullPolicy

Property image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

clusterResourceNamespace

Property clusterResourceNamespace
Type string
Default
""

Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart.

namespace

Property namespace
Type string
Default
""

This namespace allows you to define where the services are installed into. If not set then they use the namespace of the release. This is helpful when installing cert manager as a chart dependency (sub chart).

fullnameOverride

Property fullnameOverride
Type string
Default

Override the "cert-manager.fullname" value. This value is used as part of most of the names of the resources created by this Helm chart.

nameOverride

Property nameOverride
Type string
Default

Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. "cainjector.name" which resolves to the value "cainjector").

serviceAccount.create

Property serviceAccount.create
Type bool
Default
true

Specifies whether a service account should be created.

serviceAccount.name

Property serviceAccount.name
Type string
Default

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

serviceAccount.annotations

Property serviceAccount.annotations
Type object
Default

Optional additional annotations to add to the controller's Service Account.

serviceAccount.labels

Property serviceAccount.labels
Type object
Default

Optional additional labels to add to the controller's Service Account.

serviceAccount.automountServiceAccountToken

Property serviceAccount.automountServiceAccountToken
Type bool
Default
true

Automount API credentials for a Service Account.

automountServiceAccountToken

Property automountServiceAccountToken
Type bool
Default

Automounting API credentials for a particular pod.

enableCertificateOwnerRef

Property enableCertificateOwnerRef
Type bool
Default
false

When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted.

config

Property config
Type object
Default
{}

This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.

If apiVersion and kind are unspecified they default to the current latest version (currently controller.config.cert-manager.io/v1alpha1). You can pin the version by specifying the apiVersion yourself.

For example:

config:
  apiVersion: controller.config.cert-manager.io/v1alpha1
  kind: ControllerConfiguration
  logging:
    verbosity: 2
    format: text
  leaderElectionConfig:
    namespace: kube-system
  kubernetesAPIQPS: 9000
  kubernetesAPIBurst: 9000
  numberOfConcurrentWorkers: 200
  featureGates:
    AdditionalCertificateOutputFormats: true
    DisallowInsecureCSRUsageDefinition: true
    ExperimentalCertificateSigningRequestControllers: true
    ExperimentalGatewayAPISupport: true
    LiteralCertificateSubject: true
    SecretsFilteredCaching: true
    ServerSideApply: true
    StableCertificateRequestName: true
    UseCertificateRequestBasicConstraints: true
    ValidateCAA: true
  # Configure the metrics server for TLS
  # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
  metricsTLSConfig:
    dynamic:
      secretNamespace: "cert-manager"
      secretName: "cert-manager-metrics-ca"
      dnsNames:
      - cert-manager-metrics

dns01RecursiveNameservers

Property dns01RecursiveNameservers
Type string
Default
""

A comma-separated string with the host and port of the recursive nameservers cert-manager should query.

dns01RecursiveNameserversOnly

Property dns01RecursiveNameserversOnly
Type bool
Default
false

Forces cert-manager to use only the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer owing to caching performed by the recursive nameservers.

disableAutoApproval

Property disableAutoApproval
Type bool
Default
false

Option to disable cert-manager's build-in auto-approver. The auto-approver approves all CertificateRequests that reference issuers matching the 'approveSignerNames' option. This 'disableAutoApproval' option is useful when you want to make all approval decisions using a different approver (like Approver Policy).

approveSignerNames

Property approveSignerNames
Type array
Default
- issuers.cert-manager.io/*
- clusterissuers.cert-manager.io/*

List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because e.g., you are using approver-policy, you can enable 'disableAutoApproval'. For more information, see CertificateRequest Approvals.

extraArgs

Property extraArgs
Type array
Default
[]

Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help.

Use this flag to enable or disable arbitrary controllers. For example, to disable the CertificateRequests approver.

For example:

extraArgs:
  - --controllers=*,-certificaterequests-approver

extraEnv

Property extraEnv
Type array
Default
[]

Additional environment variables to pass to cert-manager controller binary.
For example:

extraEnv:
- name: SOME_VAR
  value: 'some value'

resources

Property resources
Type object
Default
{}

Resources to provide to the cert-manager controller pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

securityContext

Property securityContext
Type object
Default
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context.
For more information, see Configure a Security Context for a Pod or Container.

containerSecurityContext

Property containerSecurityContext
Type object
Default
allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the controller component container. For more information, see Configure a Security Context for a Pod or Container.

volumes

Property volumes
Type array
Default
[]

Additional volumes to add to the cert-manager controller pod.

volumeMounts

Property volumeMounts
Type array
Default
[]

Additional volume mounts to add to the cert-manager controller container.

deploymentAnnotations

Property deploymentAnnotations
Type object
Default

Optional additional annotations to add to the controller Deployment.

podAnnotations

Property podAnnotations
Type object
Default

Optional additional annotations to add to the controller Pods.

podLabels

Property podLabels
Type object
Default
{}

Optional additional labels to add to the controller Pods.

serviceAnnotations

Property serviceAnnotations
Type object
Default

Optional annotations to add to the controller Service.

serviceLabels

Property serviceLabels
Type object
Default

Optional additional labels to add to the controller Service.

serviceIPFamilyPolicy

Property serviceIPFamilyPolicy
Type string
Default

Optionally set the IP family policy for the controller Service to configure dual-stack; see Configure dual-stack.

serviceIPFamilies

Property serviceIPFamilies
Type array
Default

Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.

podDnsPolicy

Property podDnsPolicy
Type string
Default

Pod DNS policy.
For more information, see Pod's DNS Policy.

podDnsConfig

Property podDnsConfig
Type object
Default

Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. For more information, see Pod's DNS Config.

hostAliases

Property hostAliases
Type array
Default
[]

Optional hostAliases for cert-manager-controller pods. May be useful when performing ACME DNS-01 self checks.

nodeSelector

Property nodeSelector
Type object
Default
kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

ingressShim.defaultIssuerName

Property ingressShim.defaultIssuerName
Type string
Default

Optional default issuer to use for ingress resources.

ingressShim.defaultIssuerKind

Property ingressShim.defaultIssuerKind
Type string
Default

Optional default issuer kind to use for ingress resources.

ingressShim.defaultIssuerGroup

Property ingressShim.defaultIssuerGroup
Type string
Default

Optional default issuer group to use for ingress resources.

http_proxy

Property http_proxy
Type string
Default

Configures the HTTP_PROXY environment variable where a HTTP proxy is required.

https_proxy

Property https_proxy
Type string
Default

Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.

no_proxy

Property no_proxy
Type string
Default

Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.

affinity

Property affinity
Type object
Default
{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

tolerations

Property tolerations
Type array
Default
[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints

Property topologySpreadConstraints
Type array
Default
[]

A list of Kubernetes TopologySpreadConstraints, if required. For more information, see [Topology spread constraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

livenessProbe

Property livenessProbe
Type object
Default
enabled: true
failureThreshold: 8
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 15

LivenessProbe settings for the controller container of the controller Pod.

This is enabled by default, in order to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. For more information see the following on the
Kubernetes GitHub repository

Property enableServiceLinks
Type bool
Default
false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

Prometheus

prometheus.enabled

Property prometheus.enabled
Type bool
Default
true

Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a
ServiceMonitor resource.
Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.

prometheus.servicemonitor.enabled

Property prometheus.servicemonitor.enabled
Type bool
Default
false

Create a ServiceMonitor to add cert-manager to Prometheus.

prometheus.servicemonitor.namespace

Property prometheus.servicemonitor.namespace
Type string
Default

The namespace that the service monitor should live in, defaults to the cert-manager namespace.

prometheus.servicemonitor.prometheusInstance

Property prometheus.servicemonitor.prometheusInstance
Type string
Default
default

Specifies the prometheus label on the created ServiceMonitor. This is used when different Prometheus instances have label selectors matching different ServiceMonitors.

prometheus.servicemonitor.targetPort

Property prometheus.servicemonitor.targetPort
Type number
Default
9402

The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.

prometheus.servicemonitor.path

Property prometheus.servicemonitor.path
Type string
Default
/metrics

The path to scrape for metrics.

prometheus.servicemonitor.interval

Property prometheus.servicemonitor.interval
Type string
Default
60s

The interval to scrape metrics.

prometheus.servicemonitor.scrapeTimeout

Property prometheus.servicemonitor.scrapeTimeout
Type string
Default
30s

The timeout before a metrics scrape fails.

prometheus.servicemonitor.labels

Property prometheus.servicemonitor.labels
Type object
Default
{}

Additional labels to add to the ServiceMonitor.

prometheus.servicemonitor.annotations

Property prometheus.servicemonitor.annotations
Type object
Default
{}

Additional annotations to add to the ServiceMonitor.

prometheus.servicemonitor.honorLabels

Property prometheus.servicemonitor.honorLabels
Type bool
Default
false

Keep labels from scraped data, overriding server-side labels.

prometheus.servicemonitor.endpointAdditionalProperties

Property prometheus.servicemonitor.endpointAdditionalProperties
Type object
Default
{}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance

prometheus.podmonitor.enabled

Property prometheus.podmonitor.enabled
Type bool
Default
false

Create a PodMonitor to add cert-manager to Prometheus.

prometheus.podmonitor.namespace

Property prometheus.podmonitor.namespace
Type string
Default

The namespace that the pod monitor should live in, defaults to the cert-manager namespace.

prometheus.podmonitor.prometheusInstance

Property prometheus.podmonitor.prometheusInstance
Type string
Default
default

Specifies the prometheus label on the created PodMonitor. This is used when different Prometheus instances have label selectors matching different PodMonitors.

prometheus.podmonitor.path

Property prometheus.podmonitor.path
Type string
Default
/metrics

The path to scrape for metrics.

prometheus.podmonitor.interval

Property prometheus.podmonitor.interval
Type string
Default
60s

The interval to scrape metrics.

prometheus.podmonitor.scrapeTimeout

Property prometheus.podmonitor.scrapeTimeout
Type string
Default
30s

The timeout before a metrics scrape fails.

prometheus.podmonitor.labels

Property prometheus.podmonitor.labels
Type object
Default
{}

Additional labels to add to the PodMonitor.

prometheus.podmonitor.annotations

Property prometheus.podmonitor.annotations
Type object
Default
{}

Additional annotations to add to the PodMonitor.

prometheus.podmonitor.honorLabels

Property prometheus.podmonitor.honorLabels
Type bool
Default
false

Keep labels from scraped data, overriding server-side labels.

prometheus.podmonitor.endpointAdditionalProperties

Property prometheus.podmonitor.endpointAdditionalProperties
Type object
Default
{}

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance
 # Configure the PodMonitor for TLS connections
 # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
 scheme: https
 tlsConfig:
   serverName: cert-manager-metrics
   ca:
     secret:
       name: cert-manager-metrics-ca
       key: "tls.crt"

Webhook

webhook.replicaCount

Property webhook.replicaCount
Type number
Default
1

Number of replicas of the cert-manager webhook to run.

The default is 1, but in production set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting webhook.podDisruptionBudget.enabled=true.

webhook.timeoutSeconds

Property webhook.timeoutSeconds
Type number
Default
30

The number of seconds the API server should wait for the webhook to respond before treating the call as a failure. The value must be between 1 and 30 seconds. For more information, see
Validating webhook configuration v1.

The default is set to the maximum value of 30 seconds as users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If this timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. By setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user.

webhook.config

Property webhook.config
Type object
Default
{}

This is used to configure options for the webhook pod. This allows setting options that would usually be provided using flags.

If apiVersion and kind are unspecified they default to the current latest version (currently webhook.config.cert-manager.io/v1alpha1). You can pin the version by specifying the apiVersion yourself.

For example:

apiVersion: webhook.config.cert-manager.io/v1alpha1
kind: WebhookConfiguration
# The port that the webhook listens on for requests.
# In GKE private clusters, by default Kubernetes apiservers are allowed to
# talk to the cluster nodes only on 443 and 10250. Configuring
# securePort: 10250 therefore will work out-of-the-box without needing to add firewall
# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000.
# This should be uncommented and set as a default by the chart once
# the apiVersion of WebhookConfiguration graduates beyond v1alpha1.
securePort: 10250
# Configure the metrics server for TLS
# See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
metricsTLSConfig:
  dynamic:
    secretNamespace: "cert-manager"
    secretName: "cert-manager-metrics-ca"
    dnsNames:
    - cert-manager-metrics

webhook.strategy

Property webhook.strategy
Type object
Default
{}

The update strategy for the cert-manager webhook deployment. For more information, see the Kubernetes documentation

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

webhook.securityContext

Property webhook.securityContext
Type object
Default
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context to be set on the webhook component Pod. For more information, see Configure a Security Context for a Pod or Container.

webhook.containerSecurityContext

Property webhook.containerSecurityContext
Type object
Default
allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the webhook component container. For more information, see Configure a Security Context for a Pod or Container.

webhook.podDisruptionBudget.enabled

Property webhook.podDisruptionBudget.enabled
Type bool
Default
false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining cert-manager
Pod is currently running.

webhook.podDisruptionBudget.minAvailable

Property webhook.podDisruptionBudget.minAvailable
Type unknown
Default

This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

webhook.podDisruptionBudget.maxUnavailable

Property webhook.podDisruptionBudget.maxUnavailable
Type unknown
Default

This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if minAvailable is set.

webhook.deploymentAnnotations

Property webhook.deploymentAnnotations
Type object
Default

Optional additional annotations to add to the webhook Deployment.

webhook.podAnnotations

Property webhook.podAnnotations
Type object
Default

Optional additional annotations to add to the webhook Pods.

webhook.serviceAnnotations

Property webhook.serviceAnnotations
Type object
Default

Optional additional annotations to add to the webhook Service.

webhook.mutatingWebhookConfigurationAnnotations

Property webhook.mutatingWebhookConfigurationAnnotations
Type object
Default

Optional additional annotations to add to the webhook MutatingWebhookConfiguration.

webhook.validatingWebhookConfigurationAnnotations

Property webhook.validatingWebhookConfigurationAnnotations
Type object
Default

Optional additional annotations to add to the webhook ValidatingWebhookConfiguration.

webhook.validatingWebhookConfiguration.namespaceSelector

Property webhook.validatingWebhookConfiguration.namespaceSelector
Type object
Default
matchExpressions:
  - key: cert-manager.io/disable-validation
    operator: NotIn
    values:
      - "true"

Configure spec.namespaceSelector for validating webhooks.

webhook.mutatingWebhookConfiguration.namespaceSelector

Property webhook.mutatingWebhookConfiguration.namespaceSelector
Type object
Default
{}

Configure spec.namespaceSelector for mutating webhooks.

webhook.extraArgs

Property webhook.extraArgs
Type array
Default
[]

Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help.

webhook.extraEnv

Property webhook.extraEnv
Type array
Default
[]

Additional environment variables to pass to cert-manager webhook binary.
For example:

extraEnv:
- name: SOME_VAR
  value: 'some value'

webhook.featureGates

Property webhook.featureGates
Type string
Default
""

Comma separated list of feature gates that should be enabled on the webhook pod.

webhook.resources

Property webhook.resources
Type object
Default
{}

Resources to provide to the cert-manager webhook pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

webhook.livenessProbe

Property webhook.livenessProbe
Type object
Default
failureThreshold: 3
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1

Liveness probe values.
For more information, see Container probes.

webhook.readinessProbe

Property webhook.readinessProbe
Type object
Default
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1

Readiness probe values.
For more information, see Container probes.

webhook.nodeSelector

Property webhook.nodeSelector
Type object
Default
kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

webhook.affinity

Property webhook.affinity
Type object
Default
{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

webhook.tolerations

Property webhook.tolerations
Type array
Default
[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

webhook.topologySpreadConstraints

Property webhook.topologySpreadConstraints
Type array
Default
[]

A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

webhook.podLabels

Property webhook.podLabels
Type object
Default
{}

Optional additional labels to add to the Webhook Pods.

webhook.serviceLabels

Property webhook.serviceLabels
Type object
Default
{}

Optional additional labels to add to the Webhook Service.

webhook.serviceIPFamilyPolicy

Property webhook.serviceIPFamilyPolicy
Type string
Default
""

Optionally set the IP family policy for the controller Service to configure dual-stack; see Configure dual-stack.

webhook.serviceIPFamilies

Property webhook.serviceIPFamilies
Type array
Default
[]

Optionally set the IP families for the controller Service that should be supported, in the order in which they should be applied to ClusterIP. Can be IPv4 and/or IPv6.

webhook.image.registry

Property webhook.image.registry
Type string
Default

The container registry to pull the webhook image from.

webhook.image.repository

Property webhook.image.repository
Type string
Default
quay.io/jetstack/cert-manager-webhook

The container image for the cert-manager webhook

webhook.image.tag

Property webhook.image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

webhook.image.digest

Property webhook.image.digest
Type string
Default

Setting a digest will override any tag

webhook.image.pullPolicy

Property webhook.image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

webhook.serviceAccount.create

Property webhook.serviceAccount.create
Type bool
Default
true

Specifies whether a service account should be created.

webhook.serviceAccount.name

Property webhook.serviceAccount.name
Type string
Default

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

webhook.serviceAccount.annotations

Property webhook.serviceAccount.annotations
Type object
Default

Optional additional annotations to add to the webhook's Service Account.

webhook.serviceAccount.labels

Property webhook.serviceAccount.labels
Type object
Default

Optional additional labels to add to the webhook's Service Account.

webhook.serviceAccount.automountServiceAccountToken

Property webhook.serviceAccount.automountServiceAccountToken
Type bool
Default
true

Automount API credentials for a Service Account.

webhook.automountServiceAccountToken

Property webhook.automountServiceAccountToken
Type bool
Default

Automounting API credentials for a particular pod.

webhook.securePort

Property webhook.securePort
Type number
Default
10250

The port that the webhook listens on for requests. In GKE private clusters, by default Kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. Configuring securePort: 10250, therefore will work out-of-the-box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.

webhook.hostNetwork

Property webhook.hostNetwork
Type bool
Default
false

Specifies if the webhook should be started in hostNetwork mode.

Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working

Since the default port for the webhook conflicts with kubelet on the host network, webhook.securePort should be changed to an available port if running in hostNetwork mode.

webhook.serviceType

Property webhook.serviceType
Type string
Default
ClusterIP

Specifies how the service should be handled. Useful if you want to expose the webhook outside of the cluster. In some cases, the control plane cannot reach internal services.

webhook.loadBalancerIP

Property webhook.loadBalancerIP
Type string
Default

Specify the load balancer IP for the created service.

webhook.url

Property webhook.url
Type object
Default
{}

Overrides the mutating webhook and validating webhook so they reach the webhook service using the url field instead of a service.

webhook.networkPolicy.enabled

Property webhook.networkPolicy.enabled
Type bool
Default
false

Create network policies for the webhooks.

webhook.networkPolicy.ingress

Property webhook.networkPolicy.ingress
Type array
Default
- from:
    - ipBlock:
        cidr: 0.0.0.0/0

Ingress rule for the webhook network policy. By default, it allows all inbound traffic.

webhook.networkPolicy.egress

Property webhook.networkPolicy.egress
Type array
Default
- ports:
    - port: 80
      protocol: TCP
    - port: 443
      protocol: TCP
    - port: 53
      protocol: TCP
    - port: 53
      protocol: UDP
    - port: 6443
      protocol: TCP
  to:
    - ipBlock:
        cidr: 0.0.0.0/0

Egress rule for the webhook network policy. By default, it allows all outbound traffic to ports 80 and 443, as well as DNS ports.

webhook.volumes

Property webhook.volumes
Type array
Default
[]

Additional volumes to add to the cert-manager controller pod.

webhook.volumeMounts

Property webhook.volumeMounts
Type array
Default
[]

Additional volume mounts to add to the cert-manager controller container.

Property webhook.enableServiceLinks
Type bool
Default
false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

CA Injector

cainjector.enabled

Property cainjector.enabled
Type bool
Default
true

Create the CA Injector deployment

cainjector.replicaCount

Property cainjector.replicaCount
Type number
Default
1

The number of replicas of the cert-manager cainjector to run.

The default is 1, but in production set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting cainjector.podDisruptionBudget.enabled=true.

Note that cert-manager uses leader election to ensure that there can only be a single instance active at a time.

cainjector.config

Property cainjector.config
Type object
Default
{}

This is used to configure options for the cainjector pod. It allows setting options that are usually provided via flags.

If apiVersion and kind are unspecified they default to the current latest version (currently cainjector.config.cert-manager.io/v1alpha1). You can pin the version by specifying the apiVersion yourself.

For example:

apiVersion: cainjector.config.cert-manager.io/v1alpha1
kind: CAInjectorConfiguration
logging:
 verbosity: 2
 format: text
leaderElectionConfig:
 namespace: kube-system
# Configure the metrics server for TLS
# See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls
metricsTLSConfig:
  dynamic:
    secretNamespace: "cert-manager"
    secretName: "cert-manager-metrics-ca"
    dnsNames:
    - cert-manager-metrics

cainjector.strategy

Property cainjector.strategy
Type object
Default
{}

Deployment update strategy for the cert-manager cainjector deployment. For more information, see the Kubernetes documentation.

For example:

strategy:
  type: RollingUpdate
  rollingUpdate:
    maxSurge: 0
    maxUnavailable: 1

cainjector.securityContext

Property cainjector.securityContext
Type object
Default
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context to be set on the cainjector component Pod. For more information, see Configure a Security Context for a Pod or Container.

cainjector.containerSecurityContext

Property cainjector.containerSecurityContext
Type object
Default
allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the cainjector component container. For more information, see Configure a Security Context for a Pod or Container.

cainjector.podDisruptionBudget.enabled

Property cainjector.podDisruptionBudget.enabled
Type bool
Default
false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining cert-manager
Pod is currently running.

cainjector.podDisruptionBudget.minAvailable

Property cainjector.podDisruptionBudget.minAvailable
Type unknown
Default

minAvailable configures the minimum available pods for disruptions. It can either be set to
an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if maxUnavailable is set.

cainjector.podDisruptionBudget.maxUnavailable

Property cainjector.podDisruptionBudget.maxUnavailable
Type unknown
Default

maxUnavailable configures the maximum unavailable pods for disruptions. It can either be set to
an integer (e.g. 1) or a percentage value (e.g. 25%).
Cannot be used if minAvailable is set.

cainjector.deploymentAnnotations

Property cainjector.deploymentAnnotations
Type object
Default

Optional additional annotations to add to the cainjector Deployment.

cainjector.podAnnotations

Property cainjector.podAnnotations
Type object
Default

Optional additional annotations to add to the cainjector Pods.

cainjector.serviceAnnotations

Property cainjector.serviceAnnotations
Type object
Default

Optional additional annotations to add to the cainjector metrics Service.

cainjector.extraArgs

Property cainjector.extraArgs
Type array
Default
[]

Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help.

cainjector.extraEnv

Property cainjector.extraEnv
Type array
Default
[]

Additional environment variables to pass to cert-manager cainjector binary.
For example:

extraEnv:
- name: SOME_VAR
  value: 'some value'

cainjector.featureGates

Property cainjector.featureGates
Type string
Default
""

Comma separated list of feature gates that should be enabled on the cainjector pod.

cainjector.resources

Property cainjector.resources
Type object
Default
{}

Resources to provide to the cert-manager cainjector pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

cainjector.nodeSelector

Property cainjector.nodeSelector
Type object
Default
kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

cainjector.affinity

Property cainjector.affinity
Type object
Default
{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

cainjector.tolerations

Property cainjector.tolerations
Type array
Default
[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

cainjector.topologySpreadConstraints

Property cainjector.topologySpreadConstraints
Type array
Default
[]

A list of Kubernetes TopologySpreadConstraints, if required. For more information, see Topology spread constraint v1 core.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

cainjector.podLabels

Property cainjector.podLabels
Type object
Default
{}

Optional additional labels to add to the CA Injector Pods.

cainjector.serviceLabels

Property cainjector.serviceLabels
Type object
Default
{}

Optional additional labels to add to the CA Injector metrics Service.

cainjector.image.registry

Property cainjector.image.registry
Type string
Default

The container registry to pull the cainjector image from.

cainjector.image.repository

Property cainjector.image.repository
Type string
Default
quay.io/jetstack/cert-manager-cainjector

The container image for the cert-manager cainjector

cainjector.image.tag

Property cainjector.image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used.

cainjector.image.digest

Property cainjector.image.digest
Type string
Default

Setting a digest will override any tag.

cainjector.image.pullPolicy

Property cainjector.image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

cainjector.serviceAccount.create

Property cainjector.serviceAccount.create
Type bool
Default
true

Specifies whether a service account should be created.

cainjector.serviceAccount.name

Property cainjector.serviceAccount.name
Type string
Default

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template

cainjector.serviceAccount.annotations

Property cainjector.serviceAccount.annotations
Type object
Default

Optional additional annotations to add to the cainjector's Service Account.

cainjector.serviceAccount.labels

Property cainjector.serviceAccount.labels
Type object
Default

Optional additional labels to add to the cainjector's Service Account.

cainjector.serviceAccount.automountServiceAccountToken

Property cainjector.serviceAccount.automountServiceAccountToken
Type bool
Default
true

Automount API credentials for a Service Account.

cainjector.automountServiceAccountToken

Property cainjector.automountServiceAccountToken
Type bool
Default

Automounting API credentials for a particular pod.

cainjector.volumes

Property cainjector.volumes
Type array
Default
[]

Additional volumes to add to the cert-manager controller pod.

cainjector.volumeMounts

Property cainjector.volumeMounts
Type array
Default
[]

Additional volume mounts to add to the cert-manager controller container.

Property cainjector.enableServiceLinks
Type bool
Default
false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

ACME Solver

acmesolver.image.registry

Property acmesolver.image.registry
Type string
Default

The container registry to pull the acmesolver image from.

acmesolver.image.repository

Property acmesolver.image.repository
Type string
Default
quay.io/jetstack/cert-manager-acmesolver

The container image for the cert-manager acmesolver.

acmesolver.image.tag

Property acmesolver.image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

acmesolver.image.digest

Property acmesolver.image.digest
Type string
Default

Setting a digest will override any tag.

acmesolver.image.pullPolicy

Property acmesolver.image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

Startup API Check

This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, ensure that they are not injected into this Job's pod. Otherwise, the installation may time out owing to the Job never being completed because the sidecar proxy does not exit. For more information, see this note.

startupapicheck.enabled

Property startupapicheck.enabled
Type bool
Default
true

Enables the startup api check.

startupapicheck.securityContext

Property startupapicheck.securityContext
Type object
Default
runAsNonRoot: true
seccompProfile:
  type: RuntimeDefault

Pod Security Context to be set on the startupapicheck component Pod. For more information, see Configure a Security Context for a Pod or Container.

startupapicheck.containerSecurityContext

Property startupapicheck.containerSecurityContext
Type object
Default
allowPrivilegeEscalation: false
capabilities:
  drop:
    - ALL
readOnlyRootFilesystem: true

Container Security Context to be set on the controller component container. For more information, see Configure a Security Context for a Pod or Container.

startupapicheck.timeout

Property startupapicheck.timeout
Type string
Default
1m

Timeout for 'kubectl check api' command.

startupapicheck.backoffLimit

Property startupapicheck.backoffLimit
Type number
Default
4

Job backoffLimit

startupapicheck.jobAnnotations

Property startupapicheck.jobAnnotations
Type object
Default
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "1"

Optional additional annotations to add to the startupapicheck Job.

startupapicheck.podAnnotations

Property startupapicheck.podAnnotations
Type object
Default

Optional additional annotations to add to the startupapicheck Pods.

startupapicheck.extraArgs

Property startupapicheck.extraArgs
Type array
Default
- -v

Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-startupapicheck:<version> --help.

Verbose logging is enabled by default so that if startupapicheck fails, you can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example.

startupapicheck.extraEnv

Property startupapicheck.extraEnv
Type array
Default
[]

Additional environment variables to pass to cert-manager startupapicheck binary.
For example:

extraEnv:
- name: SOME_VAR
  value: 'some value'

startupapicheck.resources

Property startupapicheck.resources
Type object
Default
{}

Resources to provide to the cert-manager controller pod.

For example:

requests:
  cpu: 10m
  memory: 32Mi

For more information, see Resource Management for Pods and Containers.

startupapicheck.nodeSelector

Property startupapicheck.nodeSelector
Type object
Default
kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

startupapicheck.affinity

Property startupapicheck.affinity
Type object
Default
{}

A Kubernetes Affinity, if required. For more information, see Affinity v1 core.
For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

startupapicheck.tolerations

Property startupapicheck.tolerations
Type array
Default
[]

A list of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

startupapicheck.podLabels

Property startupapicheck.podLabels
Type object
Default
{}

Optional additional labels to add to the startupapicheck Pods.

startupapicheck.image.registry

Property startupapicheck.image.registry
Type string
Default

The container registry to pull the startupapicheck image from.

startupapicheck.image.repository

Property startupapicheck.image.repository
Type string
Default
quay.io/jetstack/cert-manager-startupapicheck

The container image for the cert-manager startupapicheck.

startupapicheck.image.tag

Property startupapicheck.image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

startupapicheck.image.digest

Property startupapicheck.image.digest
Type string
Default

Setting a digest will override any tag.

startupapicheck.image.pullPolicy

Property startupapicheck.image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

startupapicheck.rbac.annotations

Property startupapicheck.rbac.annotations
Type object
Default
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"

annotations for the startup API Check job RBAC and PSP resources.

startupapicheck.automountServiceAccountToken

Property startupapicheck.automountServiceAccountToken
Type bool
Default

Automounting API credentials for a particular pod.

startupapicheck.serviceAccount.create

Property startupapicheck.serviceAccount.create
Type bool
Default
true

Specifies whether a service account should be created.

startupapicheck.serviceAccount.name

Property startupapicheck.serviceAccount.name
Type string
Default

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

startupapicheck.serviceAccount.annotations

Property startupapicheck.serviceAccount.annotations
Type object
Default
helm.sh/hook: post-install
helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
helm.sh/hook-weight: "-5"

Optional additional annotations to add to the Job's Service Account.

startupapicheck.serviceAccount.automountServiceAccountToken

Property startupapicheck.serviceAccount.automountServiceAccountToken
Type bool
Default
true

Automount API credentials for a Service Account.

startupapicheck.serviceAccount.labels

Property startupapicheck.serviceAccount.labels
Type object
Default

Optional additional labels to add to the startupapicheck's Service Account.

startupapicheck.volumes

Property startupapicheck.volumes
Type array
Default
[]

Additional volumes to add to the cert-manager controller pod.

startupapicheck.volumeMounts

Property startupapicheck.volumeMounts
Type array
Default
[]

Additional volume mounts to add to the cert-manager controller container.

Property startupapicheck.enableServiceLinks
Type bool
Default
false

enableServiceLinks indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links.

extraObjects

Property extraObjects
Type array
Default
[]

Create dynamic manifests via values.

For example:

extraObjects:
  - |
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: '{{ template "cert-manager.fullname" . }}-extra-configmap'