Istio CSR Helm values¶

nameOverride¶

nameOverride replaces the name of the chart in the Chart.yaml file when this is used to construct Kubernetes object names.

replicaCount¶

1

The number of replicas of Istio CSR to run.

image.registry¶

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository: jetstack/cert-manager-istio-csr

image.repository¶

quay.io/jetstack/cert-manager-istio-csr

Target image repository.

image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest¶

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy¶

IfNotPresent

Kubernetes imagePullPolicy on Deployment.

imagePullSecrets¶

[]

Optional secrets used for pulling the Istio CSR container image.

service.type¶

ClusterIP

Service type to expose the Istio CSR gRPC service.

service.port¶

443

Service port to expose the Istio CSR gRPC service.

service.nodePort¶

Service nodePort to expose the Istio CSR gRPC service.

app.logLevel¶

1

Verbosity of Istio CSR logging.

app.logFormat¶

text

Output format of Istio CSR logging.

app.metrics.port¶

Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.metrics.service.enabled¶

Create a Service resource to expose the metrics endpoint.

app.metrics.service.type¶

Service type to expose metrics.

app.metrics.service.servicemonitor.enabled¶

Create a Prometheus ServiceMonitor resource.

app.metrics.service.servicemonitor.prometheusInstance¶

The value for the "prometheus" label on the ServiceMonitor. This allows for multiple Prometheus instances selecting different ServiceMonitors using label selectors.

app.metrics.service.servicemonitor.interval¶

The interval at which Prometheus will scrape for metrics.

app.metrics.service.servicemonitor.scrapeTimeout¶

The timeout on each metric probe request.

app.metrics.service.servicemonitor.labels¶

Additional labels to give the ServiceMonitor resource.

app.runtimeConfiguration.create¶

Create the runtime-configuration ConfigMap.

app.runtimeConfiguration.name¶

Name of a ConfigMap in the installation namespace to watch, providing runtime configuration of an issuer to use.

If create is set to true, then this name is used to create the ConfigMap, otherwise the ConfigMap must exist, and the "issuer-name", "issuer-kind" and "issuer-group" keys must be present in it.

app.runtimeConfiguration.issuer.name¶

Issuer name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.runtimeConfiguration.issuer.kind¶

Issuer kind set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.runtimeConfiguration.issuer.group¶

Issuer group name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.readinessProbe.port¶

Container port to expose the Istio CSR HTTP readiness probe on the default network interface.

app.readinessProbe.path¶

Path to expose the Istio CSR HTTP readiness probe on the default network interface.

app.certmanager.namespace¶

Namespace to create CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.preserveCertificateRequests¶

Don't delete created CertificateRequests once they have been signed. WARNING: Do not enable this option in production, or environments with any non-trivial number of workloads for an extended period of time. Doing so will balloon the resource consumption of both ETCD and the API server, leading to errors and slow down. This option is intended for debugging purposes only, for limited periods of time.

app.certmanager.additionalAnnotations¶

Additional annotations to include on certificate requests.
Takes key/value pairs in the format:

yaml quay.io/jetstack/cert-manager-istio-csr8

app.certmanager.issuer.enabled¶

Enable the default issuer, this is the issuer used when no runtime configuration is provided.

When enabled, the Istio CSR Pod will not be "Ready" until the issuer has been used to issue the Istio CSR GRPC certificate.

For Istio CSR to function, either this or runtime configuration must be enabled.

app.certmanager.issuer.name¶

Issuer name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.issuer.kind¶

Issuer kind set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.certmanager.issuer.group¶

Issuer group name set on created CertificateRequests for both Istio CSR's serving certificate and incoming gRPC CSRs.

app.tls.trustDomain¶

The Istio cluster's trust domain.

app.tls.rootCAFile¶

An optional file location to a PEM encoded root CA that the root CA. ConfigMap in all namespaces will be populated with. If empty, the CA returned from cert-manager for the serving certificate will be used.

app.tls.certificateDNSNames[0]¶

app.tls.certificateDuration¶

Requested duration of the gRPC serving certificate. Will be automatically renewed. Based on NIST 800-204A recommendations (SM-DR13).

app.tls.istiodCertificateEnable¶

If true, create the istiod certificate using a cert-manager certificate as part of the install. If set to "dynamic", will create the cert dynamically when Istio CSR pods start up. If false, no cert is created.

app.tls.istiodCertificateDuration¶

Requested duration of istio's Certificate. Will be automatically renewed. Default is based on NIST 800-204A recommendations (SM-DR13). Warning: cert-manager does not allow a duration on Certificates less than 1 hour.

app.tls.istiodCertificateRenewBefore¶

Amount of time to wait before trying to renew the istiod certificate.
Must be smaller than the certificate's duration.

app.tls.istiodPrivateKeyAlgorithm¶

Private key algorithm to use. For backwards compatibility, defaults to the same value as app.server.serving.signatureAlgorithm

app.tls.istiodPrivateKeySize¶

Parameter for the istiod certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.

app.tls.istiodAdditionalDNSNames¶

Provide additional DNS names to request on the istiod certificate. Useful if istiod should be accessible via multiple DNS names and/or outside of the cluster.

app.server.authenticators.enableClientCert¶

Enable the client certificate authenticator. This will allow workloads to use preexisting certificates to authenticate with Istio CSR when rotating their certificate.

app.server.clusterID¶

The istio cluster ID to verify incoming CSRs.

app.server.maxCertificateDuration¶

Maximum validity duration that can be requested for a certificate. Istio CSR will request a duration of the smaller of this value, and that of the incoming gRPC CSR. Based on NIST 800-204A recommendations (SM-DR13).

app.server.serving.address¶

Container address to serve the Istio CSR gRPC service.

app.server.serving.port¶

Container port to serve the Istio CSR gRPC service.

app.server.serving.certificateKeySize¶

Parameter for the serving certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.

app.server.serving.signatureAlgorithm¶

The type of private key to generate for the serving certificate. Only RSA (default) and ECDSA are supported. NB: This variable is named incorrectly; it controls private key algorithm, not signature algorithm.

app.server.caTrustedNodeAccounts¶

A comma-separated list of service accounts that are allowed to use node authentication for CSRs, e.g. "istio-system/ztunnel".

app.istio.revisions[0]¶

app.istio.namespace¶

The namespace where the istio control-plane is running.

app.controller.leaderElectionNamespace¶

app.controller.configmapNamespaceSelector¶

If set, limit where Istio CSR creates configmaps with root CA certificates. If unset, configmap created in ALL namespaces.
Example: maistra.io/member-of=istio-system.

app.controller.disableKubernetesClientRateLimiter¶

Allows you to disable the default Kubernetes client rate limiter if Istio CSR is exceeding the default QPS (5) and Burst (10) limits. For example, in large clusters with many Istio workloads, restarting the Pods may cause Istio CSR to send bursts of Kubernetes API requests that exceed the limits of the default Kubernetes client rate limiter, and Istio CSR will become slow to issue certificates for your workloads. Only disable client rate limiting if the Kubernetes API server supports
API Priority and Fairness,
to avoid overloading the server.

deploymentLabels¶

Optional extra labels for deployment.

deploymentAnnotations¶

Optional extra annotations for deployment.

podLabels¶

Optional extra labels for pod.

podAnnotations¶

Optional extra annotations for pod.

volumes¶

Optional extra volumes. Useful for mounting custom root CAs.

For example:

yaml ClusterIP0

volumeMounts¶

Optional extra volume mounts. Useful for mounting custom root CAs.

For example:

yaml ClusterIP2

resources¶

Kubernetes pod resources.

For example:

yaml ClusterIP4

securityContext.allowPrivilegeEscalation¶

securityContext.readOnlyRootFilesystem¶

securityContext.runAsNonRoot¶

securityContext.capabilities.drop[0]¶

affinity¶

Expects input structure as per specification.

For example:

yaml 4430

tolerations¶

Expects input structure as per specification.

For example:

yaml 4432

topologySpreadConstraints¶

List of Kubernetes TopologySpreadConstraints. For more information, see TopologySpreadConstraint v1 core.
For example:

yaml 4434

nodeSelector¶

Kubernetes node selector: node labels for pod assignment.

commonLabels¶

Labels to apply to all resources.

extraObjects¶

Create resources alongside installing Istio CSR, via Helm values. Can accept an array of YAML-formatted resources. Each array entry can include multiple YAML documents, separated by '---'.

For example:

yaml 4438