CSI driver for SPIFFE Helm values

image.registry

Property image.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository:
  driver: jetstack/cert-manager-csi-driver-spiffe
  approver: jetstack/cert-manager-csi-driver-spiffe-approver

image.repository.driver

Property image.repository.driver
Type string
Default
quay.io/jetstack/cert-manager-csi-driver-spiffe

Target image repository for the CSI driver driver DaemonSet.

image.repository.approver

Property image.repository.approver
Type string
Default
quay.io/jetstack/cert-manager-csi-driver-spiffe-approver

Target image repository for the CSI driver approver Deployment.

image.tag

Property image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest

Property image.digest
Type object
Default
{}

image.digest.driver

Property image.digest.driver
Type string
Default

Target CSI driver driver digest. Overrides any tag, if set.
For example:

driver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.digest.approver

Property image.digest.approver
Type string
Default

Target CSI driver approver digest. Overrides any tag, if set.
For example:

approver: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy

Property image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on DaemonSet.

imagePullSecrets

Property imagePullSecrets
Type array
Default
[]

Optional secrets used for pulling the CSI driver for SPIFFE and CSI driver for SPIFFE approver container images.

For example:

imagePullSecrets:
- name: secret-name

app.logLevel

Property app.logLevel
Type number
Default
1

Verbosity of cert-manager CSI driver logging.

app.certificateRequestDuration

Property app.certificateRequestDuration
Type string
Default
1h

Duration requested for certificates.

app.runtimeIssuanceConfigMap

Property app.runtimeIssuanceConfigMap
Type string
Default
""

Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.

The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in the ConfigMap for it to be used.
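
The shape of such a ConfigMap, with the value that points the driver at it, as an added example that is not taken from the chart or its documentation. The ConfigMap name `spiffe-issuer` and the namespace `cert-manager` are assumptions; the issuer values reuse the chart defaults listed on this page.

```yaml
# Constructed example; the name and namespace are assumptions.
apiVersion: v1
kind: ConfigMap
metadata:
  name: spiffe-issuer        # hypothetical name
  namespace: cert-manager    # assumed installation namespace
data:
  # All three keys must be present for the ConfigMap to be used.
  issuer-name: spiffe-ca
  issuer-kind: ClusterIssuer
  issuer-group: cert-manager.io
---
# values.yaml fragment referencing the ConfigMap above by name
app:
  runtimeIssuanceConfigMap: spiffe-issuer
```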

app.extraCertificateRequestAnnotations

Property app.extraCertificateRequestAnnotations
Type unknown
Default
null

List of annotations to add to certificate requests.

For example:

extraCertificateRequestAnnotations: app=csi-driver-spiffe,foo=bar

app.trustDomain

Property app.trustDomain
Type string
Default
cluster.local

The Trust Domain for this driver.

app.name

Property app.name
Type string
Default
spiffe.csi.cert-manager.io

The name for the CSI driver installation.

app.issuer.name

Property app.issuer.name
Type string
Default
spiffe-ca

Issuer name which is used to serve this Trust Domain.

app.issuer.kind

Property app.issuer.kind
Type string
Default
ClusterIssuer

Issuer kind which is used to serve this Trust Domain.

app.issuer.group

Property app.issuer.group
Type string
Default
cert-manager.io

Issuer group which is used to serve this Trust Domain.

app.driver.sourceCABundle

Property app.driver.sourceCABundle
Type unknown
Default
null

Optional file containing a CA bundle that will be propagated to managed volumes.

app.driver.volumeFileName.cert

Property app.driver.volumeFileName.cert
Type string
Default
tls.crt

File name which signed certificates are written to in volumes.

app.driver.volumeFileName.key

Property app.driver.volumeFileName.key
Type string
Default
tls.key

File name which private keys are written to in volumes.

app.driver.volumeFileName.ca

Property app.driver.volumeFileName.ca
Type string
Default
ca.crt

File name where the CA bundles are written to, if enabled.

app.driver.volumes

Property app.driver.volumes
Type array
Default
[]

Optional extra volumes. Useful for mounting root CAs.

For example:

volumes:
- name: root-cas
  secret:
    secretName: root-ca-bundle

app.driver.volumeMounts

Property app.driver.volumeMounts
Type array
Default
[]

Optional extra volume mounts. Useful for mounting root CAs.

For example:

volumeMounts:
- name: root-cas
  mountPath: /var/run/secrets/cert-manager-csi-driver-spiffe

app.driver.csiDataDir

Property app.driver.csiDataDir
Type string
Default
/tmp/cert-manager-csi-driver

Configures the hostPath directory that the driver will write and mount volumes from.

app.driver.resources

Property app.driver.resources
Type object
Default
{}

Kubernetes pod resource limits for cert-manager CSI driver for SPIFFE.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

app.driver.nodeDriverRegistrarImage.registry

Property app.driver.nodeDriverRegistrarImage.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: registry.k8s.io
repository: sig-storage/csi-node-driver-registrar

app.driver.nodeDriverRegistrarImage.repository

Property app.driver.nodeDriverRegistrarImage.repository
Type string
Default
registry.k8s.io/sig-storage/csi-node-driver-registrar

Target image repository.

app.driver.nodeDriverRegistrarImage.tag

Property app.driver.nodeDriverRegistrarImage.tag
Type string
Default
v2.11.1

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

app.driver.nodeDriverRegistrarImage.digest

Property app.driver.nodeDriverRegistrarImage.digest
Type string
Default

Target image digest. Overrides any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

app.driver.nodeDriverRegistrarImage.pullPolicy

Property app.driver.nodeDriverRegistrarImage.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on node-driver.

app.driver.livenessProbeImage.registry

Property app.driver.livenessProbeImage.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: registry.k8s.io
repository: sig-storage/livenessprobe

app.driver.livenessProbeImage.repository

Property app.driver.livenessProbeImage.repository
Type string
Default
registry.k8s.io/sig-storage/livenessprobe

Target image repository.

app.driver.livenessProbeImage.tag

Property app.driver.livenessProbeImage.tag
Type string
Default
v2.12.0

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

app.driver.livenessProbeImage.digest

Property app.driver.livenessProbeImage.digest
Type string
Default

Target image digest. Overrides any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

app.driver.livenessProbeImage.pullPolicy

Property app.driver.livenessProbeImage.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on liveness probe.

app.driver.livenessProbe.port

Property app.driver.livenessProbe.port
Type number
Default
9809

The port that will expose the liveness of the CSI driver.

app.approver.replicaCount

Property app.approver.replicaCount
Type number
Default
1

Number of replicas of the approver to run.

app.approver.signerName

Property app.approver.signerName
Type string
Default
""

A signer name that the CSI driver for SPIFFE approver will be given permission to approve and deny. CertificateRequests referencing this signer name can be processed by the SPIFFE approver. See CertificateRequest approval. Defaults to empty, which allows approval for all signers.
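
A values fragment that narrows the approver from the empty default to a single signer, as an added example that is not part of the chart's documentation. It assumes the issuer is the default `spiffe-ca` ClusterIssuer listed on this page and uses cert-manager's `<resource>.<group>/<name>` signer name form.

```yaml
# values.yaml fragment (constructed example)
app:
  issuer:
    name: spiffe-ca
    kind: ClusterIssuer
    group: cert-manager.io
  approver:
    # Default is "", which allows approval for all signers.
    # Scoped here to the one ClusterIssuer configured above
    # (assumed signer name form: clusterissuers.<group>/<name>).
    signerName: clusterissuers.cert-manager.io/spiffe-ca
```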

app.approver.readinessProbe.port

Property app.approver.readinessProbe.port
Type number
Default
6060

Container port to expose CSI driver for SPIFFE approver HTTP readiness probe on default network interface.

app.approver.metrics.port

Property app.approver.metrics.port
Type number
Default
9402

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.approver.metrics.service.enabled

Property app.approver.metrics.service.enabled
Type bool
Default
true

Create a Service resource to expose metrics endpoint.

app.approver.metrics.service.type

Property app.approver.metrics.service.type
Type string
Default
ClusterIP

Service type to expose metrics.

app.approver.metrics.service.servicemonitor.enabled

Property app.approver.metrics.service.servicemonitor.enabled
Type bool
Default
false

Create Prometheus ServiceMonitor resource for cert-manager CSI driver for SPIFFE approver.

app.approver.metrics.service.servicemonitor.prometheusInstance

Property app.approver.metrics.service.servicemonitor.prometheusInstance
Type string
Default
default

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting different ServiceMonitors using label selectors.

app.approver.metrics.service.servicemonitor.interval

Property app.approver.metrics.service.servicemonitor.interval
Type string
Default
10s

The interval at which Prometheus will scrape for metrics.

app.approver.metrics.service.servicemonitor.scrapeTimeout

Property app.approver.metrics.service.servicemonitor.scrapeTimeout
Type string
Default
5s

The timeout on each metric probe request.

app.approver.metrics.service.servicemonitor.labels

Property app.approver.metrics.service.servicemonitor.labels
Type object
Default
{}

Additional labels to give the ServiceMonitor resource.

app.approver.resources

Property app.approver.resources
Type object
Default
{}

Kubernetes pod resource limits for cert-manager CSI driver for SPIFFE approver.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

priorityClassName

Property priorityClassName
Type string
Default
""

Optional priority class to be used for the CSI driver pods.

commonLabels

Property commonLabels
Type object
Default
{}

Labels to apply to all resources.

nodeSelector

Property nodeSelector
Type object
Default
kubernetes.io/os: linux

Kubernetes node selector: node labels for pod assignment.

affinity

Property affinity
Type object
Default
{}

Kubernetes affinity: constraints for pod assignment.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

tolerations

Property tolerations
Type array
Default
[]

Kubernetes pod tolerations for cert-manager CSI driver for SPIFFE.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints

Property topologySpreadConstraints
Type array
Default
[]

List of Kubernetes TopologySpreadConstraints.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/instance: cert-manager
      app.kubernetes.io/component: controller

openshift.securityContextConstraint.enabled

Property openshift.securityContextConstraint.enabled
Type boolean,string,null
Default
detect

Include RBAC to allow the DaemonSet to "use" the specified SecurityContextConstraints.

This value can either be a boolean true or false, or the string "detect". If set to "detect" then the securityContextConstraint is automatically enabled for OpenShift installs.

openshift.securityContextConstraint.name

Property openshift.securityContextConstraint.name
Type string
Default
privileged

Name of the SecurityContextConstraints to create RBAC for.