CSI Driver for SPIFFE Helm values¶
image.registry¶
| Property | image.registry |
|---|---|
| Type | string |
| Default |
Target image registry. This value is prepended to the target image repository, if set.
For example:
registry: quay.io
repository:
driver: jetstack/cert-manager-csi-driver-spiffe
approver: jetstack/cert-manager-csi-driver-spiffe-approver
image.repository.driver¶
| Property | image.repository.driver |
|---|---|
| Type | string |
| Default | |
Target image repository for the CSI Driver for SPIFFE driver DaemonSet.
image.repository.approver¶
| Property | image.repository.approver |
|---|---|
| Type | string |
| Default | |
Target image repository for the CSI Driver for SPIFFE approver Deployment.
image.tag¶
| Property | image.tag |
|---|---|
| Type | string |
| Default |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
image.digest¶
| Property | image.digest |
|---|---|
| Type | object |
| Default | |
image.digest.driver¶
| Property | image.digest.driver |
|---|---|
| Type | string |
| Default |
Target CSI Driver driver digest. Override any tag, if set.
For example:
driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
image.digest.approver¶
| Property | image.digest.approver |
|---|---|
| Type | string |
| Default |
Target CSI Driver approver digest. Override any tag, if set.
For example:
approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
image.pullPolicy¶
| Property | image.pullPolicy |
|---|---|
| Type | string |
| Default | |
Kubernetes imagePullPolicy on DaemonSet.
imagePullSecrets¶
| Property | imagePullSecrets |
|---|---|
| Type | array |
| Default | |
Optional secrets used for pulling the CSI Driver for SPIFFE and CSI Driver for SPIFFE-approver container images
For example:
imagePullSecrets:
- name: secret-name
app.logLevel¶
| Property | app.logLevel |
|---|---|
| Type | number |
| Default | |
Verbosity of CSI Driver logging.
app.certificateRequestDuration¶
| Property | app.certificateRequestDuration |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```0 |
Duration requested for requested certificates.
app.runtimeIssuanceConfigMap¶
| Property | app.runtimeIssuanceConfigMap |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```1 |
Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.
The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in the ConfigMap for it to be used.
app.extraCertificateRequestAnnotations¶
| Property | app.extraCertificateRequestAnnotations |
|---|---|
| Type | unknown |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```2 |
List of annotations to add to certificate requests
For example:
yaml quay.io/jetstack/cert-manager-csi-driver-spiffe3
app.trustDomain¶
| Property | app.trustDomain |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```4 |
The Trust Domain for this driver.
app.name¶
| Property | app.name |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```5 |
The name for the CSI Driver installation.
app.issuer.name¶
| Property | app.issuer.name |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```6 |
Issuer name which is used to serve this Trust Domain.
app.issuer.kind¶
| Property | app.issuer.kind |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```7 |
Issuer kind which is used to serve this Trust Domain.
app.issuer.group¶
| Property | app.issuer.group |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```8 |
Issuer group which is used to serve this Trust Domain.
app.driver.sourceCABundle¶
| Property | app.driver.sourceCABundle |
|---|---|
| Type | unknown |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe ```9 |
Optional file containing a CA bundle that will be propagated to managed volumes.
app.driver.volumeFileName.cert¶
| Property | app.driver.volumeFileName.cert |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```0 |
File name which signed certificates are written to in volumes.
app.driver.volumeFileName.key¶
| Property | app.driver.volumeFileName.key |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```1 |
File name which private keys are written to in volumes.
app.driver.volumeFileName.ca¶
| Property | app.driver.volumeFileName.ca |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```2 |
File name where the CA bundles are written to, if enabled.
app.driver.volumes¶
| Property | app.driver.volumes |
|---|---|
| Type | array |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```3 |
Optional extra volumes. Useful for mounting root CAs
For example:
yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver4
app.driver.volumeMounts¶
| Property | app.driver.volumeMounts |
|---|---|
| Type | array |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```5 |
Optional extra volume mounts. Useful for mounting root CAs
For example:
yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver6
app.driver.csiDataDir¶
| Property | app.driver.csiDataDir |
|---|---|
| Type | string |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```7 |
Configures the hostPath directory that the driver will write and mount volumes from.
app.driver.resources¶
| Property | app.driver.resources |
|---|---|
| Type | object |
| Default | ```yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver ```8 |
Kubernetes pod resource limits for cert-manager CSI Driver for SPIFFE.
For example:
yaml quay.io/jetstack/cert-manager-csi-driver-spiffe-approver9
app.driver.nodeDriverRegistrarImage.registry¶
| Property | app.driver.nodeDriverRegistrarImage.registry |
|---|---|
| Type | string |
| Default |
Target image registry. This value is prepended to the target image repository, if set.
For example:
yaml {}0
app.driver.nodeDriverRegistrarImage.repository¶
| Property | app.driver.nodeDriverRegistrarImage.repository |
|---|---|
| Type | string |
| Default | ```yaml {} ```1 |
Target image repository.
app.driver.nodeDriverRegistrarImage.tag¶
| Property | app.driver.nodeDriverRegistrarImage.tag |
|---|---|
| Type | string |
| Default | ```yaml {} ```2 |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
app.driver.nodeDriverRegistrarImage.digest¶
| Property | app.driver.nodeDriverRegistrarImage.digest |
|---|---|
| Type | string |
| Default | ```yaml {} ```3 |
Target image digest. Override any tag, if set.
For example:
yaml {}4
app.driver.nodeDriverRegistrarImage.pullPolicy¶
| Property | app.driver.nodeDriverRegistrarImage.pullPolicy |
|---|---|
| Type | string |
| Default | ```yaml {} ```5 |
Kubernetes imagePullPolicy on node-driver.
app.driver.livenessProbeImage.registry¶
| Property | app.driver.livenessProbeImage.registry |
|---|---|
| Type | string |
| Default |
Target image registry. This value is prepended to the target image repository, if set.
For example:
yaml {}6
app.driver.livenessProbeImage.repository¶
| Property | app.driver.livenessProbeImage.repository |
|---|---|
| Type | string |
| Default | ```yaml {} ```7 |
Target image repository.
app.driver.livenessProbeImage.tag¶
| Property | app.driver.livenessProbeImage.tag |
|---|---|
| Type | string |
| Default | ```yaml {} ```8 |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
app.driver.livenessProbeImage.digest¶
| Property | app.driver.livenessProbeImage.digest |
|---|---|
| Type | string |
| Default |
Target image digest. Override any tag, if set.
For example:
yaml {}9
app.driver.livenessProbeImage.pullPolicy¶
| Property | app.driver.livenessProbeImage.pullPolicy |
|---|---|
| Type | string |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```0 |
Kubernetes imagePullPolicy on liveness probe.
app.driver.livenessProbe.port¶
| Property | app.driver.livenessProbe.port |
|---|---|
| Type | number |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```1 |
The port that will expose the liveness of the CSI Driver.
app.approver.replicaCount¶
| Property | app.approver.replicaCount |
|---|---|
| Type | number |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```2 |
Number of replicas of the approver to run.
app.approver.signerName¶
| Property | app.approver.signerName |
|---|---|
| Type | string |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```3 |
A signer name that the CSI Driver for SPIFFE approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See: CertificateRequest approvals. Defaults to empty which allows approval for all signers
app.approver.readinessProbe.port¶
| Property | app.approver.readinessProbe.port |
|---|---|
| Type | number |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```4 |
Container port to expose CSI Driver for SPIFFE approver HTTP readiness probe on default network interface.
app.approver.metrics.port¶
| Property | app.approver.metrics.port |
|---|---|
| Type | number |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```5 |
Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
app.approver.metrics.service.enabled¶
| Property | app.approver.metrics.service.enabled |
|---|---|
| Type | bool |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```6 |
Create a Service resource to expose metrics endpoint.
app.approver.metrics.service.type¶
| Property | app.approver.metrics.service.type |
|---|---|
| Type | string |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```7 |
Service type to expose metrics.
app.approver.metrics.service.servicemonitor.enabled¶
| Property | app.approver.metrics.service.servicemonitor.enabled |
|---|---|
| Type | bool |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```8 |
Create Prometheus ServiceMonitor resource for cert-manager CSI Driver for SPIFFE approver.
app.approver.metrics.service.servicemonitor.prometheusInstance¶
| Property | app.approver.metrics.service.servicemonitor.prometheusInstance |
|---|---|
| Type | string |
| Default | ```yaml driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```9 |
The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting difference ServiceMonitors using label selectors.
app.approver.metrics.service.servicemonitor.interval¶
| Property | app.approver.metrics.service.servicemonitor.interval |
|---|---|
| Type | string |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```0 |
The interval that the Prometheus will scrape for metrics.
app.approver.metrics.service.servicemonitor.scrapeTimeout¶
| Property | app.approver.metrics.service.servicemonitor.scrapeTimeout |
|---|---|
| Type | string |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```1 |
The timeout on each metric probe request.
app.approver.metrics.service.servicemonitor.labels¶
| Property | app.approver.metrics.service.servicemonitor.labels |
|---|---|
| Type | object |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```2 |
Additional labels to give the ServiceMonitor resource.
app.approver.resources¶
| Property | app.approver.resources |
|---|---|
| Type | object |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```3 |
Kubernetes pod resource limits for cert-manager CSI Driver for SPIFFE approver
For example:
yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb204
priorityClassName¶
| Property | priorityClassName |
|---|---|
| Type | string |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```5 |
Optional priority class to be used for the CSI Driver pods.
commonLabels¶
| Property | commonLabels |
|---|---|
| Type | object |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```6 |
Labels to apply to all resources
nodeSelector¶
| Property | nodeSelector |
|---|---|
| Type | object |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```7 |
Kubernetes node selector: node labels for pod assignment.
affinity¶
| Property | affinity |
|---|---|
| Type | object |
| Default | ```yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 ```8 |
Kubernetes affinity: constraints for pod assignment.
For example:
yaml approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb209
tolerations¶
| Property | tolerations |
|---|---|
| Type | array |
| Default | ```yaml IfNotPresent ```0 |
Kubernetes pod tolerations for cert-manager CSI Driver for SPIFFE.
For example:
yaml IfNotPresent1
topologySpreadConstraints¶
| Property | topologySpreadConstraints |
|---|---|
| Type | array |
| Default | ```yaml IfNotPresent ```2 |
List of Kubernetes TopologySpreadConstraints.
For example:
yaml IfNotPresent3
openshift.securityContextConstraint.enabled¶
| Property | openshift.securityContextConstraint.enabled |
|---|---|
| Type | boolean,string,null |
| Default | ```yaml IfNotPresent ```4 |
Include RBAC to allow the DaemonSet to "use" the specified
SecurityContextConstraints.
This value can either be a boolean true or false, or the string "detect". If set to "detect" then the securityContextConstraint is automatically enabled for OpenShift installs.
openshift.securityContextConstraint.name¶
| Property | openshift.securityContextConstraint.name |
|---|---|
| Type | string |
| Default | ```yaml IfNotPresent ```5 |
Name of the SecurityContextConstraints to create RBAC for.