Istio CSR Helm values¶

nameOverride¶

nameOverride replaces the name of the chart in the Chart.yaml file, when this is used to construct Kubernetes object names.

replicaCount¶

1

Number of replicas of Istio CSR to run.

image.registry¶

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository: jetstack/cert-manager-istio-csr

image.repository¶

quay.io/jetstack/cert-manager-istio-csr

Target image repository.

image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest¶

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

imagePullSecrets¶

[]

Optional secrets used for pulling the Istio CSR container image.

service.type¶

ClusterIP

Service type to expose Istio CSR gRPC service.

service.port¶

443

Service port to expose Istio CSR gRPC service.

service.nodePort¶

Service nodePort to expose Istio CSR gRPC service.

app.logLevel¶

1

Verbosity of Istio CSR logging.

app.logFormat¶

text

Output format of Istio CSR logging.

app.metrics.port¶

9402

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.metrics.service.enabled¶

true

Create a Service resource to expose metrics endpoint.

app.metrics.service.type¶

ClusterIP

Service type to expose metrics.

app.metrics.service.servicemonitor.enabled¶

false

Create Prometheus ServiceMonitor resource for approver-policy.

app.metrics.service.servicemonitor.prometheusInstance¶

default

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting difference ServiceMonitors using label selectors.

app.metrics.service.servicemonitor.interval¶

10s

The interval that the Prometheus will scrape for metrics.

app.metrics.service.servicemonitor.scrapeTimeout¶

5s

The timeout on each metric probe request.

app.metrics.service.servicemonitor.labels¶

{}

Additional labels to give the ServiceMonitor resource.

app.runtimeConfiguration.create¶

false

Create the runtime-configuration ConfigMap.

app.runtimeConfiguration.name¶

""

The name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.

If create is set to true then this name is used to create the ConfigMap, otherwise the ConfigMap must exist and the "issuer-name", "issuer-kind" and "issuer-group" keys must be present in it.

app.runtimeConfiguration.issuer.name¶

istio-ca

Issuer name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.runtimeConfiguration.issuer.kind¶

Issuer

The issuer kind set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.runtimeConfiguration.issuer.group¶

cert-manager.io

The issuer group name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.readinessProbe.port¶

6060

Container port to expose Istio CSR HTTP readiness probe on default network interface.

app.readinessProbe.path¶

/readyz

The path to expose the Istio CSR HTTP readiness probe on the default network interface.

app.certmanager.namespace¶

istio-system

The namespace to create CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.preserveCertificateRequests¶

false

Don't delete created CertificateRequests once they have been signed.

app.certmanager.additionalAnnotations¶

[]

Additional annotations to include on certificate requests.
Takes key/value pairs in the format:

additionalAnnotations:
  - name: custom.cert-manager.io/policy-name
    value: istio-csr

app.certmanager.issuer.enabled¶

true

Enable the default issuer, this is the issuer used when no runtime configuration is provided.

When enabled, the Istio CSR Pod will not be "Ready" until the issuer has been used to issue the Istio CSR GRPC certificate.

For Istio CSR to function, either this or runtime configuration must be enabled.

app.certmanager.issuer.name¶

istio-ca

The issuer name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.issuer.kind¶

Issuer

The issuer kind set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.issuer.group¶

cert-manager.io

The issuer group name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.tls.trustDomain¶

cluster.local

The Istio cluster's trust domain.

app.tls.rootCAFile¶

null

An optional file location to a PEM encoded root CA that the root CA. ConfigMap in all namespaces will be populated with. If empty, the CA returned from cert-manager for the serving certificate will be used.

app.tls.certificateDNSNames[0]¶

cert-manager-istio-csr.cert-manager.svc

app.tls.certificateDuration¶

1h

Requested duration of gRPC serving certificate. Will be automatically renewed.
Based on NIST 800-204A recommendations (SM-DR13). For more information, see here.

app.tls.istiodCertificateEnable¶

true

If true, create the istiod certificate using a cert-manager certificate as part of the install. If set to "dynamic", will create the cert dynamically when Istio CSR pods start up. If false, no cert is created.

app.tls.istiodCertificateDuration¶

1h

Requested duration of istio's Certificate. It will be automatically renewed. The default is based on NIST 800-204A recommendations (SM-DR13). For more information, see here.

app.tls.istiodCertificateRenewBefore¶

30m

Amount of time to wait before trying to renew the istiod certificate. This value must be smaller than the certificate's duration.

app.tls.istiodPrivateKeyAlgorithm¶

""

Private key algorithm to use. For backwards compatibility, this defaults to the same value as app.server.serving.signatureAlgorithm.

app.tls.istiodPrivateKeySize¶

2048

The parameter for the istiod certificate key. For RSA, this must be a number of bits >= 2048. For ECDSA, it can only be 256 or 384, corresponding to P-256 and P-384 respectively.

app.tls.istiodAdditionalDNSNames¶

[]

Provide additional DNS names to request on the istiod certificate. This is useful if istiod is accessible via multiple DNS names and/or outside of the cluster.

app.server.authenticators.enableClientCert¶

false

Enable the client certificate authenticator. This will allow workloads to use preexisting certificates to authenticate with Istio CSR when rotating their certificate.

app.server.clusterID¶

Kubernetes

The istio cluster ID to verify incoming CSRs.

app.server.maxCertificateDuration¶

1h

Maximum validity duration that can be requested for a certificate. Istio CSR will request a duration of the smaller of this value, and that of the incoming gRPC CSR.
Based on NIST 800-204A recommendations (SM-DR13). For more information, see here.

app.server.serving.address¶

0.0.0.0

Container address to serve Istio CSR gRPC service.

app.server.serving.port¶

6443

Container port to serve Istio CSR gRPC service.

app.server.serving.certificateKeySize¶

2048

The parameter for serving certificate key. For RSA, this must be a number of bits >= 2048. For ECDSA, it can only be 256 or 384, corresponding to P-256 and P-384 respectively.

app.server.serving.signatureAlgorithm¶

RSA

The type of private key to generate for the serving certificate. Only RSA (default) and ECDSA are supported. NB: This variable is named incorrectly; it controls private key algorithm, not signature algorithm.

app.server.caTrustedNodeAccounts¶

""

A comma-separated list of service accounts that are allowed to use node authentication for CSRs, eg. "istio-system/ztunnel"

app.istio.revisions[0]¶

default

app.istio.namespace¶

istio-system

The namespace where the istio control-plane is running.

app.controller.leaderElectionNamespace¶

istio-system

app.controller.configmapNamespaceSelector¶

If set, limit where Istio CSR creates configmaps with root ca certificates. If unset, configmap created in ALL namespaces.
Example: maistra.io/member-of=istio-system

app.controller.disableKubernetesClientRateLimiter¶

false

This parameter allows you to disable the default Kubernetes client rate limiter if Istio CSR exceeds the default QPS (5) and Burst (10) limits. For example, in large clusters with many Istio workloads, restarting the Pods may cause Istio CSR to send bursts Kubernetes API requests that exceed the limits of the default Kubernetes client rate limiter and Istio CSR will become slow to issue certificates for your workloads. Only disable client rate limiting if the Kubernetes API server supports API Priority and Fairness, to avoid overloading the server.

deploymentLabels¶

{}

Optional extra labels for deployment.

deploymentAnnotations¶

{}

Optional extra annotations for deployment.

podLabels¶

{}

Optional extra labels for pod.

podAnnotations¶

{}

Optional extra annotations for pod.

volumes¶

[]

Optional extra volumes. Useful for mounting custom root CAs.

For example:

volumes:
- name: root-ca
  secret:
    secretName: root-cert

volumeMounts¶

[]

Optional extra volume mounts. Useful for mounting custom root CAs.

For example:

volumeMounts:
- name: root-ca
  mountPath: /etc/tls

resources¶

{}

Kubernetes pod resources. For more information, see Resource Management for Pods and Containers.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

securityContext.allowPrivilegeEscalation¶

false

securityContext.readOnlyRootFilesystem¶

true

securityContext.runAsNonRoot¶

true

securityContext.capabilities.drop[0]¶

ALL

affinity¶

{}

Expects input structure as per specification.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

tolerations¶

[]

Expects input structure as per specification.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints¶

[]

List of Kubernetes TopologySpreadConstraints. For more information, see TopologySpreadConstraint v1 core.

For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/name: cert-manager-istio-csr
      app.kubernetes.io/instance: istio-csr

nodeSelector¶

kubernetes.io/os: linux

Kubernetes node selector: node labels for pod assignment.

commonLabels¶

{}

Labels to apply to all resources

extraObjects¶

[]

Create resources alongside installing Istio CSR, via Helm values. Can accept an array of YAML-formatted resources. Each array entry can include multiple YAML documents, separated by '---'

For example:

extraObjects:
  - |
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: '{{ template "cert-manager-istio-csr.fullname" . }}-extra-configmap'