Trust Manager Helm values¶

Trust Manager is an tool that manages trust bundles in Kubernetes and OpenShift clusters. Trust Manager is a small Kubernetes operator that helps reduce the overhead of managing TLS trust bundles in your clusters.

The following Trust Manager Helm values are supported by the Manifest tool for CyberArk Certificate Manager.

Global¶

global.rbac.create¶

true

Create required ClusterRoles, Roles, ClusterRoleBindings and RoleBindings for Trust Manager.

CRDs¶

crds.enabled¶

true

This option decides if the CRDs should be installed as part of the Helm installation.

crds.keep¶

true

This option makes it so that the "helm.sh/resource-policy": keep annotation is added to the CRD. This will prevent Helm from uninstalling the CRD when the Helm release is uninstalled. WARNING: when the CRDs are removed, all cert-manager custom resources
(Certificates, Issuers, ...) will be removed too by the garbage collector.

Trust Manager¶

replicaCount¶

1

The number of replicas of Trust Manager to run.

For example:
Use integer to set a fixed number of replicas

replicaCount: 2

Use null, if you want to omit the replicas field and use the Kubernetes default value.

replicaCount: null

Use a string if you want to insert a variable for post-processing of the rendered template.

replicaCount: ${REPLICAS_OVERRIDE:=3}

revisionHistoryLimit¶

10

The number of old ReplicaSets to retain to allow rollback. This is used to control the number of old ReplicaSets that are retained to allow rollback.
If set to 0, no old ReplicaSets are retained.

nameOverride¶

""

namespace¶

""

The namespace to install Trust Manager into.
If not set, the namespace of the release is used.
This is helpful when installing Trust Manager as a chart dependency (sub chart).

imagePullSecrets¶

For Private docker registries, authentication is needed. Registry secrets are applied to the service account.

image.registry¶

Target image registry. This value is prepended to the target image repository, if set.
For example:

yaml true1

image.repository¶

Target image repository.

image.tag¶

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

image.digest¶

Target image digest. Override any tag, if set.
For example:

yaml true3

image.pullPolicy¶

Kubernetes imagePullPolicy on Deployment.

defaultPackage.enabled¶

Whether to load the default trust package during pod initialization, and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles.

defaultPackage.resources¶

Kubernetes pod resource limits for default package init container.

For example:

yaml true7

defaultPackageImage.registry¶

Target image registry. This value is prepended to the target image repository, if set.
For example:

yaml true8

defaultPackageImage.repository¶

The repository for the default package image. This image enables the 'useDefaultCAs' source on Bundles.

defaultPackageImage.tag¶

Override the image tag of the default package image. Is set at chart build time to the version specified in ./make/00_debian_bookworm_version.mk.

defaultPackageImage.digest¶

Target image digest. Override any tag, if set.
For example:

yaml true0

defaultPackageImage.pullPolicy¶

imagePullPolicy for the default package image.

automountServiceAccountToken¶

Automounting API credentials for the Trust Manager pod.

serviceAccount.create¶

Specifies whether a service account should be created.

serviceAccount.name¶

The name of the service account to use.
If not set and create is true, a name is generated using the fullname template.

serviceAccount.automountServiceAccountToken¶

Automount API credentials for a Service Account.

volumes¶

Additional volumes to add to the Trust Manager pod.

volumeMounts¶

Additional volume mounts to add to the Trust Manager container.

secretTargets.enabled¶

If set to true, enable writing trust bundles to Kubernetes Secrets as a target. Trust Manager can only write to secrets which are explicitly allowed via either authorizedSecrets or authorizedSecretsAll. Note that enabling secret targets will grant Trust Manager read access to all secrets in the cluster.

secretTargets.authorizedSecretsAll¶

If set to true, grant read/write permission to all secrets across the cluster. Use with caution!
If set, ignores the authorizedSecrets list.

secretTargets.authorizedSecrets¶

A list of secret names which Trust Manager will be permitted to read and write across all namespaces. These are the only allowable Secrets that can be used as targets. If the list is empty (and authorizedSecretsAll is false), Trust Manager can't write to secrets and can only read secrets in the trust namespace for use as sources.

resources¶

Kubernetes pod resource limits for trust.

For example:

yaml 11

priorityClassName¶

Configure the priority class of the pod. For more information, see PriorityClass.

nodeSelector¶

Configure the nodeSelector; defaults to any Linux node (Trust Manager doesn't support Windows nodes)

affinity¶

Kubernetes Affinity. For more information, see Affinity v1 core.
For example:

yaml 15

tolerations¶

List of Kubernetes Tolerations, if required. For more information, see Toleration v1 core.
For example:

yaml 17

topologySpreadConstraints¶

List of Kubernetes TopologySpreadConstraints. For more information, see TopologySpreadConstraint v1 core.
For example:

yaml 19

filterExpiredCertificates.enabled¶

Whether to filter expired certificates from the trust bundle.

filterNonCACerts.enabled¶

Filter non-CA certificates, only CAs are used in the resulting Bundle.

app.minTLSVersion¶

Minimum TLS version supported. If omitted, the default Go minimum version will be used.

app.cipherSuites¶

Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.

app.logFormat¶

The format of Trust Manager logging. Accepted values are text or json.

app.logLevel¶

The verbosity of Trust Manager logging. This takes a value from 1-5, with the higher value being more verbose.

app.leaderElection.enabled¶

Whether to enable leader election for Trust Manager.

app.leaderElection.leaseDuration¶

The duration that non-leader candidates will wait to force acquire leadership. The default should be sufficient in a healthy cluster but can be slightly increased to prevent Trust Manager from restart-looping when the API server is overloaded.

app.leaderElection.renewDeadline¶

The interval between attempts by the acting leader to renew a leadership slot before it stops leading. This MUST be less than or equal to the lease duration. The default should be sufficient in a healthy cluster but can be slightly increased to prevent Trust Manager from restart-looping when the API server is overloaded.

app.readinessProbe.port¶

The container port on which to expose the Trust Manager HTTP readiness probe using the default network interface.

app.readinessProbe.path¶

The path on which to expose the Trust Manager HTTP readiness probe using the default network interface.

app.trust.namespace¶

The namespace used as the trust source. Note that the namespace must exist before installing Trust Manager.

app.targetNamespaces¶

List of target namespaces that Trust Manager can write to. By default, Trust Manager can write targets in any namespace.

app.securityContext.seccompProfileEnabled¶

If false, disables the default seccomp profile, which might be required to run on certain platforms.

app.podLabels¶

Pod labels to add to Trust Manager pods.

app.podAnnotations¶

Pod annotations to add to Trust Manager pods.

Webhook¶

app.webhook.host¶

Host that the webhook listens on.

app.webhook.port¶

Port that the webhook listens on.

app.webhook.timeoutSeconds¶

Timeout of webhook HTTP request.

app.webhook.service.type¶

The type of Kubernetes Service used by the Webhook.

app.webhook.service.ipFamilyPolicy¶

Set the ip family policy to configure dual-stack see Configure dual-stack

app.webhook.service.ipFamilies¶

Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.

app.webhook.service.nodePort¶

The nodePort set on the Service used by the webhook.

app.webhook.tls.helmCert.enabled¶

Whether to issue a webhook cert using Helm, which removes the need to install cert-manager. Helm-issued certificates can be challenging to rotate and maintain, and the issued cert will have a duration of 10 years and be modified when Trust Manager is updated. It's safer and easier to rely on cert-manager for issuing the webhook cert - avoid using Helm-generated certs in production.

app.webhook.tls.approverPolicy.enabled¶

Whether to create an Approver Policy CertificateRequestPolicy allowing auto-approval of the Trust Manager webhook certificate. If you have Approver Policy installed, you almost certainly want to enable this.

app.webhook.tls.approverPolicy.certManagerNamespace¶

The namespace in which cert-manager was installed. Only used if app.webhook.tls.approverPolicy.enabled is true.

app.webhook.tls.approverPolicy.certManagerServiceAccount¶

The name of cert-manager's Service Account. Only used if app.webhook.tls.approverPolicy.enabled is true.

app.webhook.tls.certificate.secretTemplate¶

app.webhook.hostNetwork¶

This value specifies if the app should be started in hostNetwork mode. It is required for use in some managed Kubernetes clusters (such as AWS EKS) with custom CNI.

Metrics¶

app.metrics.port¶

The port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.

app.metrics.service.enabled¶

Create a Service resource to expose the metrics endpoint.

app.metrics.service.type¶

The Service type to expose metrics.

app.metrics.service.ipFamilyPolicy¶

Set the ip family policy to configure dual-stack see Configure dual-stack

app.metrics.service.ipFamilies¶

Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.

app.metrics.service.servicemonitor.enabled¶

Create a Prometheus ServiceMonitor for Trust Manager.

app.metrics.service.servicemonitor.prometheusInstance¶

Sets the value of the "prometheus" label on the ServiceMonitor. This is used so that separate Prometheus instances can select different ServiceMonitors using labels.

app.metrics.service.servicemonitor.interval¶

The interval to scrape the metrics.

app.metrics.service.servicemonitor.scrapeTimeout¶

The timeout for a metrics scrape.

app.metrics.service.servicemonitor.labels¶

Additional labels to add to the ServiceMonitor.

app.metrics.service.servicemonitor.endpointAdditionalProperties¶

EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

yaml 108

podDisruptionBudget.enabled¶

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block kubectl drain if it is used on the Node where the only remaining Trust Manager
Pod is currently running.

podDisruptionBudget.minAvailable¶

This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).
It cannot be used if maxUnavailable is set.

podDisruptionBudget.maxUnavailable¶

This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if minAvailable is set.

commonLabels¶

Labels to apply to all resources

commonAnnotations¶

Annotations to apply to all resources
NOTE: These annotations won't be added to the CRDs.

extraObjects¶

Extra manifests to be deployed. This is useful for deploying additional resources that are not part of the chart.
For example:

yaml ""3