Istio CSR Helm values¶

nameOverride¶

nameOverride replaces the name of the chart in the Chart.yaml file when this is used to construct Kubernetes object names.

replicaCount¶

1

The number of replicas of Istio CSR to run.

image.registry¶

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository: jetstack/cert-manager-istio-csr

image.repository¶

quay.io/jetstack/cert-manager-istio-csr

Target image repository.

image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest¶

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

imagePullSecrets¶

[]

Optional secrets used for pulling the Istio CSR container image.

service.type¶

ClusterIP

Service type to expose the Istio CSR gRPC service.

service.port¶

443

Service port to expose the Istio CSR gRPC service.

service.nodePort¶

Service nodePort to expose the Istio CSR gRPC service.

app.logLevel¶

1

Verbosity of Istio CSR logging.

app.logFormat¶

text

Output format of Istio CSR logging.

app.metrics.port¶

9402

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.metrics.service.enabled¶

true

Create a Service resource to expose the metrics endpoint.

app.metrics.service.type¶

ClusterIP

Service type to expose metrics.

app.metrics.service.servicemonitor.enabled¶

false

Create a Prometheus ServiceMonitor resource.

app.metrics.service.servicemonitor.prometheusInstance¶

default

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting different ServiceMonitors using label selectors.

app.metrics.service.servicemonitor.interval¶

10s

The interval at which Prometheus will scrape for metrics.

app.metrics.service.servicemonitor.scrapeTimeout¶

5s

The timeout on each metric probe request.

app.metrics.service.servicemonitor.labels¶

{}

Additional labels to give the ServiceMonitor resource.

app.runtimeConfiguration.create¶

false

Create the runtime-configuration ConfigMap.

app.runtimeConfiguration.name¶

""

Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.

If create is set to true, then this name is used to create the ConfigMap, otherwise the ConfigMap must exist, and the "issuer-name", "issuer-kind" and "issuer-group" keys must be present in it.

app.runtimeConfiguration.issuer.name¶

istio-ca

Issuer name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.runtimeConfiguration.issuer.kind¶

Issuer

Issuer kind set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.runtimeConfiguration.issuer.group¶

cert-manager.io

Issuer group name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.readinessProbe.port¶

6060

Container port to expose the Istio CSR HTTP readiness probe on the default network interface.

app.readinessProbe.path¶

/readyz

Path to expose the Istio CSR HTTP readiness probe on the default network interface.

app.certmanager.namespace¶

istio-system

Namespace to create CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.preserveCertificateRequests¶

false

Don't delete created CertificateRequests once they have been signed. WARNING: Do not enable this option in production, or environments with any non-trivial number of workloads for an extended period of time. Doing so will balloon the resource consumption of both ETCD and the API server, leading to errors and slow down. This option is intended for debugging purposes only, for limited periods of time.

app.certmanager.additionalAnnotations¶

[]

Additional annotations to include on certificate requests.
Takes key/value pairs in the format:

additionalAnnotations:
  - name: custom.cert-manager.io/policy-name
    value: istio-csr

app.certmanager.issuer.enabled¶

true

Enable the default issuer, this is the issuer used when no runtime configuration is provided.

When enabled, the Istio CSR Pod will not be "Ready" until the issuer has been used to issue the Istio CSR GRPC certificate.

For Istio CSR to function, either this or runtime configuration must be enabled.

app.certmanager.issuer.name¶

istio-ca

Issuer name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.issuer.kind¶

Issuer

Issuer kind set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.issuer.group¶

cert-manager.io

Issuer group name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.tls.trustDomain¶

cluster.local

The Istio cluster's trust domain.

app.tls.rootCAFile¶

null

An optional file location to a PEM encoded root CA that the root CA. ConfigMap in all namespaces will be populated with. If empty, the CA returned from cert-manager for the serving certificate will be used.

app.tls.certificateDNSNames[0]¶

cert-manager-istio-csr.cert-manager.svc

app.tls.certificateDuration¶

1h

Requested duration of the gRPC serving certificate. Will be automatically renewed. Based on NIST 800-204A recommendations (SM-DR13).

app.tls.istiodCertificateEnable¶

true

If true, create the istiod certificate using a cert-manager certificate as part of the install. If set to "dynamic", will create the cert dynamically when Istio CSR pods start up. If false, no cert is created.

app.tls.istiodCertificateDuration¶

1h

Requested duration of istio's Certificate. Will be automatically renewed. Default is based on NIST 800-204A recommendations (SM-DR13). Warning: cert-manager does not allow a duration on Certificates less than 1 hour.

app.tls.istiodCertificateRenewBefore¶

30m

Amount of time to wait before trying to renew the istiod certificate.
Must be smaller than the certificate's duration.

app.tls.istiodPrivateKeyAlgorithm¶

""

Private key algorithm to use. For backwards compatibility, defaults to the same value as app.server.serving.signatureAlgorithm

app.tls.istiodPrivateKeySize¶

2048

Parameter for the istiod certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.

app.tls.istiodAdditionalDNSNames¶

[]

Provide additional DNS names to request on the istiod certificate. Useful if istiod should be accessible via multiple DNS names and/or outside of the cluster.

app.server.authenticators.enableClientCert¶

false

Enable the client certificate authenticator. This will allow workloads to use preexisting certificates to authenticate with Istio CSR when rotating their certificate.

app.server.clusterID¶

Kubernetes

The istio cluster ID to verify incoming CSRs.

app.server.maxCertificateDuration¶

1h

Maximum validity duration that can be requested for a certificate. Istio CSR will request a duration of the smaller of this value, and that of the incoming gRPC CSR. Based on NIST 800-204A recommendations (SM-DR13).

app.server.serving.address¶

0.0.0.0

Container address to serve the Istio CSR gRPC service.

app.server.serving.port¶

6443

Container port to serve the Istio CSR gRPC service.

app.server.serving.certificateKeySize¶

2048

Parameter for the serving certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.

app.server.serving.signatureAlgorithm¶

RSA

The type of private key to generate for the serving certificate. Only RSA (default) and ECDSA are supported. NB: This variable is named incorrectly; it controls private key algorithm, not signature algorithm.

app.server.caTrustedNodeAccounts¶

""

A comma-separated list of service accounts that are allowed to use node authentication for CSRs, e.g. "istio-system/ztunnel".

app.istio.revisions[0]¶

default

app.istio.namespace¶

istio-system

The namespace where the istio control-plane is running.

app.controller.leaderElectionNamespace¶

istio-system

app.controller.configmapNamespaceSelector¶

If set, limit where Istio CSR creates configmaps with root CA certificates. If unset, configmap created in ALL namespaces.
Example: maistra.io/member-of=istio-system.

app.controller.disableKubernetesClientRateLimiter¶

false

Allows you to disable the default Kubernetes client rate limiter if Istio CSR is exceeding the default QPS (5) and Burst (10) limits. For example, in large clusters with many Istio workloads, restarting the Pods may cause Istio CSR to send bursts of Kubernetes API requests that exceed the limits of the default Kubernetes client rate limiter, and Istio CSR will become slow to issue certificates for your workloads. Only disable client rate limiting if the Kubernetes API server supports
API Priority and Fairness,
to avoid overloading the server.

deploymentLabels¶

{}

Optional extra labels for deployment.

deploymentAnnotations¶

{}

Optional extra annotations for deployment.

podLabels¶

{}

Optional extra labels for pod.

podAnnotations¶

{}

Optional extra annotations for pod.

volumes¶

[]

Optional extra volumes. Useful for mounting custom root CAs.

For example:

volumes:
- name: root-ca
  secret:
    secretName: root-cert

volumeMounts¶

[]

Optional extra volume mounts. Useful for mounting custom root CAs.

For example:

volumeMounts:
- name: root-ca
  mountPath: /etc/tls

resources¶

{}

Kubernetes pod resources.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

securityContext.allowPrivilegeEscalation¶

false

securityContext.readOnlyRootFilesystem¶

true

securityContext.runAsNonRoot¶

true

securityContext.capabilities.drop[0]¶

ALL

affinity¶

{}

Expects input structure as per specification.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: foo.bar.com/role
         operator: In
         values:
         - master

tolerations¶

[]

Expects input structure as per specification.

For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints¶

[]

List of Kubernetes TopologySpreadConstraints. For more information, see TopologySpreadConstraint v1 core.
For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/name: cert-manager-istio-csr
      app.kubernetes.io/instance: istio-csr

nodeSelector¶

kubernetes.io/os: linux

Kubernetes node selector: node labels for pod assignment.

commonLabels¶

{}

Labels to apply to all resources.

extraObjects¶

[]

Create resources alongside installing Istio CSR, via Helm values. Can accept an array of YAML-formatted resources. Each array entry can include multiple YAML documents, separated by '---'.

For example:

extraObjects:
  - |
    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: '{{ template "cert-manager-istio-csr.fullname" . }}-extra-configmap'