Skip to content

CSI driver for SPIFFE Helm values

image.registry

Property image.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository:
  driver: jetstack/cert-manager-csi-driver-spiffe
  approver: jetstack/cert-manager-csi-driver-spiffe-approver

image.repository.driver

Property image.repository.driver
Type string
Default
quay.io/jetstack/cert-manager-csi-driver-spiffe

Target image repository for the csi-driver driver DaemonSet.

image.repository.approver

Property image.repository.approver
Type string
Default
quay.io/jetstack/cert-manager-csi-driver-spiffe-approver

Target image repository for the CSI driver approver Deployment.

image.tag

Property image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest

Property image.digest
Type object
Default
{}

image.digest.driver

Property image.digest.driver
Type string
Default

Target CSI river driver digest. Override any tag, if set.
For example:

driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.digest.approver

Property image.digest.approver
Type string
Default

Target CSI driver approver digest. Override any tag, if set.
For example:

approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy

Property image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on DaemonSet.

imagePullSecrets

Property imagePullSecrets
Type array
Default
[]

Optional secrets used for pulling the csi-driver-spiffe and csi-driver-spiffe-approver container images

For example:

imagePullSecrets:
- name: secret-name

app.logLevel

Property app.logLevel
Type number
Default
1

Verbosity of cert-manager-csi-driver logging.

app.certificateRequestDuration

Property app.certificateRequestDuration
Type string
Default
1h

Duration requested for requested certificates.

app.runtimeIssuanceConfigMap

Property app.runtimeIssuanceConfigMap
Type string
Default
""

Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.

The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in the ConfigMap for it to be used.

app.extraCertificateRequestAnnotations

Property app.extraCertificateRequestAnnotations
Type unknown
Default
null

List of annotations to add to certificate requests

For example:

extraCertificateRequestAnnotations: app=csi-driver-spiffe,foo=bar

app.trustDomain

Property app.trustDomain
Type string
Default
cluster.local

The Trust Domain for this driver.

app.name

Property app.name
Type string
Default
spiffe.csi.cert-manager.io

The name for the CSI driver installation.

app.issuer.name

Property app.issuer.name
Type string
Default
spiffe-ca

Issuer name which is used to serve this Trust Domain.

app.issuer.kind

Property app.issuer.kind
Type string
Default
ClusterIssuer

Issuer kind which is used to serve this Trust Domain.

app.issuer.group

Property app.issuer.group
Type string
Default
cert-manager.io

Issuer group which is used to serve this Trust Domain.

app.driver.sourceCABundle

Property app.driver.sourceCABundle
Type unknown
Default
null

Optional file containing a CA bundle that will be propagated to managed volumes.

app.driver.volumeFileName.ca

Property app.driver.volumeFileName.ca
Type string
Default
tls.crt

File name which signed certificates are written to in volumes.

app.driver.volumeFileName.ca

Property app.driver.volumeFileName.ca
Type string
Default
tls.key

File name which private keys are written to in volumes.

app.driver.volumeFileName.ca

Property app.driver.volumeFileName.ca
Type string
Default
ca.crt

File name where the CA bundles are written to, if enabled.

app.driver.volumes

Property app.driver.volumes
Type array
Default
[]

Optional extra volumes. Useful for mounting root CAs

For example:

volumes:
- name: root-cas
  secret:
    secretName: root-ca-bundle

app.driver.volumeMounts

Property app.driver.volumeMounts
Type array
Default
[]

Optional extra volume mounts. Useful for mounting root CAs

For example:

volumeMounts:
- name: root-cas
  mountPath: /var/run/secrets/cert-manager-csi-driver-spiffe

app.driver.csiDataDir

Property app.driver.csiDataDir
Type string
Default
/tmp/cert-manager-csi-driver

Configures the hostPath directory that the driver will write and mount volumes from.

app.driver.resources

Property app.driver.resources
Type object
Default
{}

Kubernetes pod resource limits for cert-manager-csi-driver-spiffe

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

app.driver.nodeDriverRegistrarImage.registry

Property app.driver.nodeDriverRegistrarImage.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: registry.k8s.io
repository: sig-storage/csi-node-driver-registrar

app.driver.nodeDriverRegistrarImage.pullPolicy

Property app.driver.nodeDriverRegistrarImage.pullPolicy
Type string
Default
registry.k8s.io/sig-storage/csi-node-driver-registrar

Target image repository.

app.driver.nodeDriverRegistrarImage.pullPolicy

Property app.driver.nodeDriverRegistrarImage.pullPolicy
Type string
Default
v2.10.0

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

app.driver.nodeDriverRegistrarImage.digest

Property app.driver.nodeDriverRegistrarImage.digest
Type string
Default

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

app.driver.nodeDriverRegistrarImage.pullPolicy

Property app.driver.nodeDriverRegistrarImage.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on node-driver.

app.driver.livenessProbeImage.registry

Property app.driver.livenessProbeImage.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: registry.k8s.io
repository: sig-storage/livenessprobe

app.driver.livenessProbeImage.pullPolicy

Property app.driver.livenessProbeImage.pullPolicy
Type string
Default
registry.k8s.io/sig-storage/livenessprobe

Target image repository.

app.driver.livenessProbeImage.pullPolicy

Property app.driver.livenessProbeImage.pullPolicy
Type string
Default
v2.12.0

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

app.driver.livenessProbeImage.digest

Property app.driver.livenessProbeImage.digest
Type string
Default

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

app.driver.livenessProbeImage.pullPolicy

Property app.driver.livenessProbeImage.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on liveness probe.

app.driver.livenessProbe.port

Property app.driver.livenessProbe.port
Type number
Default
9809

The port that will expose the liveness of the CSI driver

app.approver.replicaCount

Property app.approver.replicaCount
Type number
Default
1

Number of replicas of the approver to run.

app.approver.signerName

Property app.approver.signerName
Type string
Default
""

A signer name that the csi-driver-spiffe approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. Defaults to empty which allows approval for all signers. For more information, see CertificateRequest resource approval.

app.approver.readinessProbe.port

Property app.approver.readinessProbe.port
Type number
Default
6060

Container port to expose csi-driver-spiffe-approver HTTP readiness probe on default network interface.

app.approver.metrics.service

Property app.approver.metrics.service
Type number
Default
9402

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.approver.metrics.service.enabled

Property app.approver.metrics.service.enabled
Type bool
Default
true

Create a Service resource to expose metrics endpoint.

app.approver.metrics.service.type

Property app.approver.metrics.service.type
Type string
Default
ClusterIP

Service type to expose metrics.

app.approver.metrics.service.servicemonitor.labels

Property app.approver.metrics.service.servicemonitor.labels
Type bool
Default
false

Create Prometheus ServiceMonitor resource for cert-manager-csi-driver-spiffe approver.

app.approver.metrics.service.servicemonitor.labels

Property app.approver.metrics.service.servicemonitor.labels
Type string
Default
default

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting difference ServiceMonitors using label selectors.

app.approver.metrics.service.servicemonitor.labels

Property app.approver.metrics.service.servicemonitor.labels
Type string
Default
10s

The interval that the Prometheus will scrape for metrics.

app.approver.metrics.service.servicemonitor.labels

Property app.approver.metrics.service.servicemonitor.labels
Type string
Default
5s

The timeout on each metric probe request.

app.approver.metrics.service.servicemonitor.labels

Property app.approver.metrics.service.servicemonitor.labels
Type object
Default
{}

Additional labels to give the ServiceMonitor resource.

app.approver.resources

Property app.approver.resources
Type object
Default
{}

Kubernetes pod resource limits for cert-manager-csi-driver-spiffe approver

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

priorityClassName

Property priorityClassName
Type string
Default
""

Optional priority class to be used for the CSI driver pods.

commonLabels

Property commonLabels
Type object
Default
{}

Labels to apply to all resources

nodeSelector

Property nodeSelector
Type object
Default
kubernetes.io/os: linux

Kubernetes node selector: node labels for pod assignment.

affinity

Property affinity
Type object
Default
{}

Kubernetes affinity: constraints for pod assignment.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

tolerations

Property tolerations
Type array
Default
[]

Kubernetes pod tolerations for cert-manager-csi-driver-spiffe.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints

Property topologySpreadConstraints
Type array
Default
[]

List of Kubernetes TopologySpreadConstraints.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller