Trust Manager Helm values

Trust Manager is a small Kubernetes operator that manages TLS trust bundles in Kubernetes and OpenShift clusters and reduces the overhead of maintaining them.

The following Trust Manager Helm values are supported by the Venafi Kubernetes Manifest tool.

CRDs

crds.enabled

Property crds.enabled
Type bool
Default
true

This option decides if the CRDs should be installed as part of the Helm installation.

crds.keep

Property crds.keep
Type bool
Default
true

When this option is enabled, the "helm.sh/resource-policy": keep annotation is added to the CRD. This prevents Helm from uninstalling the CRD when the Helm release is uninstalled.

Warning

When the CRDs are removed, all cert-manager custom resources (Certificates, Issuers, ...) will be removed too by the garbage collector.

Trust Manager

replicaCount

Property replicaCount
Type number,string,null
Default
1

The number of replicas of Trust Manager to run.

For example, use an integer to set a fixed number of replicas:

replicaCount: 2

Use null, if you want to omit the replicas field and use the Kubernetes default value.

replicaCount: null

Use a string if you want to insert a variable for post-processing of the rendered template.

replicaCount: ${REPLICAS_OVERRIDE:=3}

nameOverride

Property nameOverride
Type string
Default
""

namespace

Property namespace
Type string
Default
""

The namespace to install Trust Manager into. If not set, the namespace of the release is used.
This is helpful when installing Trust Manager as a chart dependency (sub chart).

imagePullSecrets

Property imagePullSecrets
Type array
Default
[]

Private Docker registries require authentication. Registry secrets are applied to the service account.

image.registry

Property image.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository: jetstack/trust-manager

image.repository

Property image.repository
Type string
Default
quay.io/jetstack/trust-manager

Target image repository.

image.tag

Property image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest

Property image.digest
Type string
Default

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

image.pullPolicy

Property image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

defaultPackage.enabled

Property defaultPackage.enabled
Type bool
Default
true

Whether to load the default trust package during pod initialization, and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles.

defaultPackage.resources

Property defaultPackage.resources
Type object
Default
{}

Kubernetes pod resource limits for default package init container.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

defaultPackageImage.registry

Property defaultPackageImage.registry
Type string
Default

Target image registry. This value is prepended to the target image repository, if set.
For example:

registry: quay.io
repository: jetstack/cert-manager-package-debian

defaultPackageImage.repository

Property defaultPackageImage.repository
Type string
Default
quay.io/jetstack/cert-manager-package-debian

The repository for the default package image. This image enables the 'useDefaultCAs' source on Bundles.

defaultPackageImage.tag

Property defaultPackageImage.tag
Type string
Default
"20210119.0"

Override the image tag of the default package image. If no value is set, the chart's appVersion is used.

defaultPackageImage.digest

Property defaultPackageImage.digest
Type string
Default

Target image digest. Override any tag, if set.
For example:

digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20

defaultPackageImage.pullPolicy

Property defaultPackageImage.pullPolicy
Type string
Default
IfNotPresent

imagePullPolicy for the default package image.

secretTargets.enabled

Property secretTargets.enabled
Type bool
Default
false

If set to true, enable writing trust bundles to Kubernetes Secrets as a target. Trust Manager can only write to secrets that are explicitly allowed via either authorizedSecrets or authorizedSecretsAll. Note that enabling secret targets will grant Trust Manager read access to all secrets in the cluster.

secretTargets.authorizedSecretsAll

Property secretTargets.authorizedSecretsAll
Type bool
Default
false

If set to true, grant read/write permission to all secrets across the cluster. Use with caution!
If set, ignores the authorizedSecrets list.

secretTargets.authorizedSecrets

Property secretTargets.authorizedSecrets
Type array
Default
[]

A list of secret names which Trust Manager will be permitted to read and write across all namespaces. These are the only allowable Secrets that can be used as targets. If the list is empty (and authorizedSecretsAll is false), Trust Manager can't write to secrets and can only read secrets in the trust namespace for use as sources.

resources

Property resources
Type object
Default
{}

Kubernetes pod resource limits for trust.

For example:

resources:
  limits:
    cpu: 100m
    memory: 128Mi
  requests:
    cpu: 100m
    memory: 128Mi

priorityClassName

Property priorityClassName
Type string
Default
""

Configure the priority class of the pod. For more information, see PriorityClass.

nodeSelector

Property nodeSelector
Type object
Default
kubernetes.io/os: linux

Configure the nodeSelector; defaults to any Linux node (Trust Manager doesn't support Windows nodes).

affinity

Property affinity
Type object
Default
{}

Kubernetes Affinity. For more information, see Affinity v1 core.
For example:

affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: foo.bar.com/role
          operator: In
          values:
          - master

tolerations

Property tolerations
Type array
Default
[]

List of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.
For example:

tolerations:
- key: foo.bar.com/role
  operator: Equal
  value: master
  effect: NoSchedule

topologySpreadConstraints

Property topologySpreadConstraints
Type array
Default
[]

List of Kubernetes TopologySpreadConstraints. For more information, see TopologySpreadConstraint v1 core.
For example:

topologySpreadConstraints:
- maxSkew: 2
  topologyKey: topology.kubernetes.io/zone
  whenUnsatisfiable: ScheduleAnyway
  labelSelector:
    matchLabels:
      app.kubernetes.io/name: trust-manager

filterExpiredCertificates.enabled

Property filterExpiredCertificates.enabled
Type bool
Default
false

Whether to filter expired certificates from the trust bundle.

app.logFormat

Property app.logFormat
Type string
Default
text

The format of Trust Manager logging. Accepted values are text or JSON.

app.logLevel

Property app.logLevel
Type number
Default
1

The verbosity of Trust Manager logging. This takes a value from 1-5, with the higher value being more verbose.

app.leaderElection.leaseDuration

Property app.leaderElection.leaseDuration
Type string
Default
15s

The duration that non-leader candidates will wait to force acquire leadership. The default should be sufficient in a healthy cluster but can be slightly increased to prevent Trust Manager from restart-looping when the API server is overloaded.

app.leaderElection.renewDeadline

Property app.leaderElection.renewDeadline
Type string
Default
10s

The interval between attempts by the acting leader to renew a leadership slot before it stops leading. This MUST be less than or equal to the lease duration. The default should be sufficient in a healthy cluster but can be slightly increased to prevent Trust Manager from restart-looping when the API server is overloaded.

app.readinessProbe.port

Property app.readinessProbe.port
Type number
Default
6060

The container port on which to expose the Trust Manager HTTP readiness probe using the default network interface.

app.readinessProbe.path

Property app.readinessProbe.path
Type string
Default
/readyz

The path on which to expose the Trust Manager HTTP readiness probe using the default network interface.

app.trust.namespace

Property app.trust.namespace
Type string
Default
cert-manager

The namespace to use as the trust source. Note that the namespace must exist before installing Trust Manager.

app.securityContext.seccompProfileEnabled

Property app.securityContext.seccompProfileEnabled
Type bool
Default
true

If false, disables the default seccomp profile, which might be required to run on certain platforms.

app.podLabels

Property app.podLabels
Type object
Default
{}

Pod labels to add to Trust Manager pods.

app.podAnnotations

Property app.podAnnotations
Type object
Default
{}

Pod annotations to add to Trust Manager pods.

Webhook

app.webhook.host

Property app.webhook.host
Type string
Default
0.0.0.0

Host that the webhook listens on.

app.webhook.port

Property app.webhook.port
Type number
Default
6443

Port that the webhook listens on.

app.webhook.timeoutSeconds

Property app.webhook.timeoutSeconds
Type number
Default
5

Timeout of webhook HTTP request.

app.webhook.service.type

Property app.webhook.service.type
Type string
Default
ClusterIP

The type of Kubernetes Service used by the Webhook.

app.webhook.service.ipFamilyPolicy

Property app.webhook.service.ipFamilyPolicy
Type string
Default
""

Set the IP family policy to configure dual-stack. For more information, see Configure dual-stack.

app.webhook.service.ipFamilies

Property app.webhook.service.ipFamilies
Type array
Default
[]

Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. This can be IPv4 and/or IPv6.

app.webhook.service.nodePort

Property app.webhook.service.nodePort
Type number
Default

The nodePort set on the Service used by the webhook.

app.webhook.tls.helmCert.enabled

Property app.webhook.tls.helmCert.enabled
Type bool
Default
false

Whether to issue a webhook cert using Helm, which removes the need to install cert-manager. Helm-issued certificates can be challenging to rotate and maintain, and the issued cert will have a duration of 10 years and be modified when Trust Manager is updated. It's safer and easier to rely on cert-manager for issuing the webhook cert; avoid using Helm-generated certs in production.
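
The security-relevant values described above (secretTargets.*, the image digests, app.securityContext.seccompProfileEnabled, the leader-election constraint and app.webhook.tls.helmCert.enabled) can be checked mechanically before a release is deployed. The audit below is an added example, not part of the chart or of the Venafi tooling; the function names, the sample values and the ca-bundle Secret name are assumptions made for illustration.

```python
import json
import re
# Constructed sample, shaped like `helm get values --all -o json` output.
SAMPLE = json.loads("""{
  "image": {"digest": ""},
  "secretTargets": {"enabled": true, "authorizedSecretsAll": true, "authorizedSecrets": ["ca-bundle"]},
  "app": {"leaderElection": {"leaseDuration": "15s", "renewDeadline": "20s"},
          "securityContext": {"seccompProfileEnabled": false},
          "webhook": {"tls": {"helmCert": {"enabled": true}}}}
}""")

def get(values, path, default):
    """Walk a dotted key such as 'app.webhook.tls.helmCert.enabled'."""
    for key in path.split("."):
        if not isinstance(values, dict) or key not in values:
            return default
        values = values[key]
    return values

def seconds(duration):
    """Parse the plain '<n>s' or '<n>m' durations used on this page."""
    match = re.fullmatch(r"(\d+)([sm])", duration)
    if match is None:
        raise ValueError(f"unsupported duration: {duration!r}")
    return int(match.group(1)) * (60 if match.group(2) == "m" else 1)

def audit(values):
    """Return (key, reason) findings; fallbacks are the defaults listed on this page."""
    found = []
    if get(values, "secretTargets.enabled", False):
        if get(values, "secretTargets.authorizedSecretsAll", False):
            found.append(("secretTargets.authorizedSecretsAll", "read/write on every Secret; authorizedSecrets is ignored"))
        elif not get(values, "secretTargets.authorizedSecrets", []):
            found.append(("secretTargets.enabled", "cluster-wide Secret read granted, yet no Secret is writable"))
    for image in ("image", "defaultPackageImage"):
        if not get(values, image + ".digest", ""):
            found.append((image + ".digest", "unset, so the image is selected by tag rather than by content hash"))
    if get(values, "app.webhook.tls.helmCert.enabled", False):
        found.append(("app.webhook.tls.helmCert.enabled", "10-year Helm-issued cert; use cert-manager in production"))
    if not get(values, "app.securityContext.seccompProfileEnabled", True):
        found.append(("app.securityContext.seccompProfileEnabled", "default seccomp profile disabled"))
    lease = seconds(get(values, "app.leaderElection.leaseDuration", "15s"))
    renew = seconds(get(values, "app.leaderElection.renewDeadline", "10s"))
    if renew > lease:
        found.append(("app.leaderElection.renewDeadline", f"{renew}s exceeds leaseDuration {lease}s"))
    return found

if __name__ == "__main__":
    print(*(f"{key}: {reason}" for key, reason in audit(SAMPLE)), sep="\n")
```

An empty findings list means none of these conditions matched; it does not replace reviewing the RBAC objects the chart renders.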

app.webhook.tls.approverPolicy.enabled

Property app.webhook.tls.approverPolicy.enabled
Type bool
Default
false

Whether to create an approver-policy CertificateRequestPolicy allowing auto-approval of the Trust Manager webhook certificate. If you have approver-policy installed, you almost certainly want to enable this.

app.webhook.tls.approverPolicy.certManagerNamespace

Property app.webhook.tls.approverPolicy.certManagerNamespace
Type string
Default
cert-manager

The namespace in which cert-manager was installed. Only used if app.webhook.tls.approverPolicy.enabled is true.

app.webhook.tls.approverPolicy.certManagerServiceAccount

Property app.webhook.tls.approverPolicy.certManagerServiceAccount
Type string
Default
cert-manager

The name of cert-manager's Service Account. Only used if app.webhook.tls.approverPolicy.enabled is true.

app.webhook.hostNetwork

Property app.webhook.hostNetwork
Type bool
Default
false

This value specifies if the app should be started in hostNetwork mode. It is required for use in some managed Kubernetes clusters (such as AWS EKS) with custom CNI.

Metrics

app.metrics.port

Property app.metrics.port
Type number
Default
9402

The port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.metrics.service.enabled

Property app.metrics.service.enabled
Type bool
Default
true

Create a Service resource to expose the metrics endpoint.

app.metrics.service.type

Property app.metrics.service.type
Type string
Default
ClusterIP

The Service type to expose metrics.

app.metrics.service.ipFamilyPolicy

Property app.metrics.service.ipFamilyPolicy
Type string
Default
""

Set the IP family policy to configure dual-stack. For more information, see Configure dual-stack.

app.metrics.service.ipFamilies

Property app.metrics.service.ipFamilies
Type array
Default
[]

Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. This can be IPv4 and/or IPv6.

app.metrics.service.servicemonitor.enabled

Property app.metrics.service.servicemonitor.enabled
Type bool
Default
false

Create a Prometheus ServiceMonitor for Trust Manager.

app.metrics.service.servicemonitor.prometheusInstance

Property app.metrics.service.servicemonitor.prometheusInstance
Type string
Default
default

Sets the value of the "prometheus" label on the ServiceMonitor. This is used so that separate Prometheus instances can select different ServiceMonitors using labels.

app.metrics.service.servicemonitor.interval

Property app.metrics.service.servicemonitor.interval
Type string
Default
10s

The interval to scrape the metrics.

app.metrics.service.servicemonitor.scrapeTimeout

Property app.metrics.service.servicemonitor.scrapeTimeout
Type string
Default
5s

The timeout for a metrics scrape.

app.metrics.service.servicemonitor.labels

Property app.metrics.service.servicemonitor.labels
Type object
Default
{}

Additional labels to add to the ServiceMonitor.

podDisruptionBudget.enabled

Property podDisruptionBudget.enabled
Type bool
Default
false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions, such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining Trust Manager Pod is currently running.

podDisruptionBudget.minAvailable

Property podDisruptionBudget.minAvailable
Type unknown
Default

This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable

Property podDisruptionBudget.maxUnavailable
Type unknown
Default

This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if minAvailable is set.

commonLabels

Property commonLabels
Type object
Default
{}

Labels to apply to all resources.