CSI driver for SPIFFE Helm values
image.registry
Property | image.registry |
---|---|
Type | string |
Default |
Target image registry. This value is prepended to the target image repository, if set.
For example:
```yaml
registry: quay.io
repository:
  driver: jetstack/cert-manager-csi-driver-spiffe
  approver: jetstack/cert-manager-csi-driver-spiffe-approver
```
image.repository.driver
Property | image.repository.driver |
---|---|
Type | string |
Default |
Target image repository for the CSI driver driver DaemonSet.
image.repository.approver
Property | image.repository.approver |
---|---|
Type | string |
Default |
Target image repository for the CSI driver approver Deployment.
image.tag
Property | image.tag |
---|---|
Type | string |
Default |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
image.digest
Property | image.digest |
---|---|
Type | object |
Default |
image.digest.driver
Property | image.digest.driver |
---|---|
Type | string |
Default |
Target CSI driver driver digest. Overrides any tag, if set.
For example:
```yaml
driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
```
image.digest.approver
Property | image.digest.approver |
---|---|
Type | string |
Default |
Target CSI driver approver digest. Overrides any tag, if set.
For example:
```yaml
approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
```
image.pullPolicy
Property | image.pullPolicy |
---|---|
Type | string |
Default |
Kubernetes imagePullPolicy on DaemonSet.
imagePullSecrets
Property | imagePullSecrets |
---|---|
Type | array |
Default |
Optional secrets used for pulling the CSI driver for SPIFFE and CSI driver for SPIFFE approver container images.
For example:
```yaml
imagePullSecrets:
  - name: secret-name
```
app.logLevel
Property | app.logLevel |
---|---|
Type | number |
Default |
Verbosity of cert-manager CSI driver logging.
app.certificateRequestDuration
Property | app.certificateRequestDuration |
---|---|
Type | string |
Default |
Requested duration for certificates.
app.runtimeIssuanceConfigMap
Property | app.runtimeIssuanceConfigMap |
---|---|
Type | string |
Default |
Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.
The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in the ConfigMap for it to be used.
app.extraCertificateRequestAnnotations
Property | app.extraCertificateRequestAnnotations |
---|---|
Type | unknown |
Default |
List of annotations to add to certificate requests.
For example:
```yaml
extraCertificateRequestAnnotations: app=csi-driver-spiffe,foo=bar
```
app.trustDomain
Property | app.trustDomain |
---|---|
Type | string |
Default |
The Trust Domain for this driver.
app.name
Property | app.name |
---|---|
Type | string |
Default |
The name for the CSI driver installation.
app.issuer.name
Property | app.issuer.name |
---|---|
Type | string |
Default |
Issuer name which is used to serve this Trust Domain.
app.issuer.kind
Property | app.issuer.kind |
---|---|
Type | string |
Default |
Issuer kind which is used to serve this Trust Domain.
app.issuer.group
Property | app.issuer.group |
---|---|
Type | string |
Default |
Issuer group which is used to serve this Trust Domain.
app.driver.sourceCABundle
Property | app.driver.sourceCABundle |
---|---|
Type | unknown |
Default |
Optional file containing a CA bundle that will be propagated to managed volumes.
app.driver.volumeFileName.ca
Property | app.driver.volumeFileName.ca |
---|---|
Type | string |
Default |
File name which signed certificates are written to in volumes.
app.driver.volumeFileName.ca
Property | app.driver.volumeFileName.ca |
---|---|
Type | string |
Default |
File name which private keys are written to in volumes.
app.driver.volumeFileName.ca
Property | app.driver.volumeFileName.ca |
---|---|
Type | string |
Default |
File name where the CA bundles are written to, if enabled.
app.driver.volumes
Property | app.driver.volumes |
---|---|
Type | array |
Default |
Optional extra volumes. Useful for mounting root CAs.
For example:
```yaml
volumes:
  - name: root-cas
    secret:
      secretName: root-ca-bundle
```
app.driver.volumeMounts
Property | app.driver.volumeMounts |
---|---|
Type | array |
Default |
Optional extra volume mounts. Useful for mounting root CAs.
For example:
```yaml
volumeMounts:
  - name: root-cas
    mountPath: /var/run/secrets/cert-manager-csi-driver-spiffe
```
app.driver.csiDataDir
Property | app.driver.csiDataDir |
---|---|
Type | string |
Default |
Configures the hostPath directory that the driver will write and mount volumes from.
app.driver.resources
Property | app.driver.resources |
---|---|
Type | object |
Default |
Kubernetes pod resource limits for cert-manager CSI driver for SPIFFE.
For example:
```yaml
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
```
app.driver.nodeDriverRegistrarImage.registry
Property | app.driver.nodeDriverRegistrarImage.registry |
---|---|
Type | string |
Default |
Target image registry. This value is prepended to the target image repository, if set.
For example:
```yaml
registry: registry.k8s.io
repository: sig-storage/csi-node-driver-registrar
```
app.driver.nodeDriverRegistrarImage.repository
Property | app.driver.nodeDriverRegistrarImage.repository |
---|---|
Type | string |
Default |
Target image repository.
app.driver.nodeDriverRegistrarImage.tag
Property | app.driver.nodeDriverRegistrarImage.tag |
---|---|
Type | string |
Default |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
app.driver.nodeDriverRegistrarImage.digest
Property | app.driver.nodeDriverRegistrarImage.digest |
---|---|
Type | string |
Default |
Target image digest. Overrides any tag, if set.
For example:
```yaml
digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
```
app.driver.nodeDriverRegistrarImage.pullPolicy
Property | app.driver.nodeDriverRegistrarImage.pullPolicy |
---|---|
Type | string |
Default |
Kubernetes imagePullPolicy on node-driver.
app.driver.livenessProbeImage.registry
Property | app.driver.livenessProbeImage.registry |
---|---|
Type | string |
Default |
Target image registry. This value is prepended to the target image repository, if set.
For example:
```yaml
registry: registry.k8s.io
repository: sig-storage/livenessprobe
```
app.driver.livenessProbeImage.repository
Property | app.driver.livenessProbeImage.repository |
---|---|
Type | string |
Default |
Target image repository.
app.driver.livenessProbeImage.tag
Property | app.driver.livenessProbeImage.tag |
---|---|
Type | string |
Default |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
app.driver.livenessProbeImage.digest
Property | app.driver.livenessProbeImage.digest |
---|---|
Type | string |
Default |
Target image digest. Overrides any tag, if set.
For example:
```yaml
digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
```
app.driver.livenessProbeImage.pullPolicy
Property | app.driver.livenessProbeImage.pullPolicy |
---|---|
Type | string |
Default |
Kubernetes imagePullPolicy on liveness probe.
app.driver.livenessProbe.port
Property | app.driver.livenessProbe.port |
---|---|
Type | number |
Default |
The port that will expose the liveness of the CSI driver.
app.approver.replicaCount
Property | app.approver.replicaCount |
---|---|
Type | number |
Default |
Number of replicas of the approver to run.
app.approver.signerName
Property | app.approver.signerName |
---|---|
Type | string |
Default |
A signer name that the CSI driver for SPIFFE approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See CertificateRequest approval. Defaults to empty, which allows approval for all signers.
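A values overlay that scopes the approver to the single issuer serving the trust domain and pins both images by digest, as an added example that is not part of the chart's own documentation. The trust domain `example.org`, the ClusterIssuer name `spiffe-ca` and the digest placeholders are assumptions; the signer name uses cert-manager's `clusterissuers.cert-manager.io/<name>` form for a ClusterIssuer.

```yaml
# Added example: values overlay. Names and digests are placeholders, not chart defaults.
image:
  digest:
    # A digest overrides any tag, so a re-pushed tag cannot change what is deployed.
    driver: "sha256:<driver-image-digest>"      # placeholder: digest you have verified
    approver: "sha256:<approver-image-digest>"  # placeholder: digest you have verified

app:
  trustDomain: example.org        # assumed trust domain
  issuer:
    name: spiffe-ca               # hypothetical ClusterIssuer serving the trust domain
    kind: ClusterIssuer
    group: cert-manager.io
  approver:
    # Weak: an empty signerName allows the approver to approve and deny
    # CertificateRequests for all signers.
    # signerName: ""
    #
    # Scoped: only CertificateRequests referencing this signer can be
    # processed by the SPIFFE approver. Keep it aligned with app.issuer above.
    signerName: clusterissuers.cert-manager.io/spiffe-ca
```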
app.approver.readinessProbe.port
Property | app.approver.readinessProbe.port |
---|---|
Type | number |
Default |
Container port to expose CSI driver for SPIFFE approver HTTP readiness probe on default network interface.
app.approver.metrics.service
Property | app.approver.metrics.service |
---|---|
Type | number |
Default |
Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
app.approver.metrics.service.enabled
Property | app.approver.metrics.service.enabled |
---|---|
Type | bool |
Default |
Create a Service resource to expose metrics endpoint.
app.approver.metrics.service.type
Property | app.approver.metrics.service.type |
---|---|
Type | string |
Default |
Service type to expose metrics.
app.approver.metrics.service.servicemonitor.labels
Property | app.approver.metrics.service.servicemonitor.labels |
---|---|
Type | bool |
Default |
Create Prometheus ServiceMonitor resource for cert-manager CSI driver for SPIFFE approver.
app.approver.metrics.service.servicemonitor.labels
Property | app.approver.metrics.service.servicemonitor.labels |
---|---|
Type | string |
Default |
The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting different ServiceMonitors using label selectors.
app.approver.metrics.service.servicemonitor.labels
Property | app.approver.metrics.service.servicemonitor.labels |
---|---|
Type | string |
Default |
The interval at which Prometheus will scrape for metrics.
app.approver.metrics.service.servicemonitor.labels
Property | app.approver.metrics.service.servicemonitor.labels |
---|---|
Type | string |
Default |
The timeout on each metric probe request.
app.approver.metrics.service.servicemonitor.labels
Property | app.approver.metrics.service.servicemonitor.labels |
---|---|
Type | object |
Default |
Additional labels to give the ServiceMonitor resource.
app.approver.resources
Property | app.approver.resources |
---|---|
Type | object |
Default |
Kubernetes pod resource limits for cert-manager CSI driver for SPIFFE approver.
For example:
```yaml
resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi
```
priorityClassName
Property | priorityClassName |
---|---|
Type | string |
Default |
Optional priority class to be used for the CSI driver pods.
commonLabels
Property | commonLabels |
---|---|
Type | object |
Default |
Labels to apply to all resources.
nodeSelector
Property | nodeSelector |
---|---|
Type | object |
Default |
Kubernetes node selector: node labels for pod assignment.
affinity
Property | affinity |
---|---|
Type | object |
Default |
Kubernetes affinity: constraints for pod assignment.
For example:
```yaml
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: foo.bar.com/role
              operator: In
              values:
                - master
```
tolerations
Property | tolerations |
---|---|
Type | array |
Default |
Kubernetes pod tolerations for cert-manager CSI driver for SPIFFE.
For example:
```yaml
tolerations:
  - key: foo.bar.com/role
    operator: Equal
    value: master
    effect: NoSchedule
```
topologySpreadConstraints
Property | topologySpreadConstraints |
---|---|
Type | array |
Default |
List of Kubernetes TopologySpreadConstraints.
For example:
```yaml
topologySpreadConstraints:
  - maxSkew: 2
    topologyKey: topology.kubernetes.io/zone
    whenUnsatisfiable: ScheduleAnyway
    labelSelector:
      matchLabels:
        app.kubernetes.io/instance: cert-manager
        app.kubernetes.io/component: controller
```
openshift.securityContextConstraint.enabled
Property | openshift.securityContextConstraint.enabled |
---|---|
Type | boolean,string,null |
Default |
Include RBAC to allow the DaemonSet to "use" the specified SecurityContextConstraints.
This value can either be a boolean true or false, or the string "detect". If set to "detect" then the securityContextConstraint is automatically enabled for OpenShift installs.
openshift.securityContextConstraint.name
Property | openshift.securityContextConstraint.name |
---|---|
Type | string |
Default |
Name of the SecurityContextConstraints to create RBAC for.