Skip to content

Venafi Enhanced Issuer Helm values

Venafi Enhanced Issuer is an [external issuer for cert-manager][external-issuer] which uses Venafi TLS Protect Datacenter or Venafi TLS Protect Cloud to sign certificate requests. It provides advanced authentication and error handling features which are not available in cert-manager's open-source Venafi Issuer.

The following Venafi Enhanced Issuer Helm values are supported by the Venafi {{ K8s }} Manifest tool.

CRDs

The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep". This prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to remove the remaining CRDs manually.

crds.forceRemoveValidationAnnotations

Property crds.forceRemoveValidationAnnotations
Type bool
Default
false

The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 or earlier. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.

Global

global.imagePullSecrets

Property global.imagePullSecrets
Type array
Default
[]

For Private docker registries, authentication is needed.
Registry secrets are applied to the deployment.

Venafi Connection

venafiConnection.include

Property venafiConnection.include
Type bool
Default
true

When set to false, the rendered output does not contain the. VenafiConnection CRDs and RBAC. This is useful for when the. Venafi Connection resources are already installed separately.

Venafi Enhanced Issuer

venafiEnhancedIssuer.replicas

Property venafiEnhancedIssuer.replicas
Type number
Default
1

The number of replicas of venafi-enhanced-issuer to run. The default is 1, but in production, set this to 2 or 3 to provide high availability.

If replicas > 1, consider setting podDisruptionBudget.enabled=true.

Note

Venafi Enhanced Issuer uses leader election to ensure that there can only be a single instance active at a time.

venafiEnhancedIssuer.podDisruptionBudget.enabled

Property venafiEnhancedIssuer.podDisruptionBudget.enabled
Type bool
Default
false

Enable or disable the PodDisruptionBudget resource.

This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget blocks kubectl drain if it is used on the Node where the only remaining Venafi Enhanced Issuer Pod is currently running.

venafiEnhancedIssuer.podDisruptionBudget.minAvailable

Property venafiEnhancedIssuer.podDisruptionBudget.minAvailable
Type number
Default

Configures the minimum available pods for disruptions.
This property cannot be used if maxUnavailable is set.

venafiEnhancedIssuer.podDisruptionBudget.maxUnavailable

Property venafiEnhancedIssuer.podDisruptionBudget.maxUnavailable
Type number
Default

Configures the maximum unavailable pods for disruptions.
This property cannot be used if minAvailable is set.

venafiEnhancedIssuer.http_proxy

Property venafiEnhancedIssuer.http_proxy
Type string
Default

Configures the HTTP_PROXY environment variable where a HTTP proxy is required.

venafiEnhancedIssuer.https_proxy

Property venafiEnhancedIssuer.https_proxy
Type string
Default

Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.

venafiEnhancedIssuer.no_proxy

Property venafiEnhancedIssuer.no_proxy
Type string
Default

Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.

venafiEnhancedIssuer.topologySpreadConstraints

Property venafiEnhancedIssuer.topologySpreadConstraints
Type array
Default
[]

Topology Spread Constraints allow you to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. This can help to achieve high availability as well as efficient resource utilization. For more information, see Pod Topology Spread Constraints.

In most cases this parameter should not be required, because the Built-in default constraints will ensure that replica Pods are scheduled to different nodes in different availability zones.

Expects a list of objects matching the following structure: TopologySpreadConstraint v1 core.

venafiEnhancedIssuer.affinity

Property venafiEnhancedIssuer.affinity
Type object
Default
{}

The node affinity on Pods.
Tells Kubernetes to schedule those Pods on the dedicated nodes. For more information, see Affinity v1 core.

For example:

affinity:
  nodeAffinity:
   requiredDuringSchedulingIgnoredDuringExecution:
     nodeSelectorTerms:
     - matchExpressions:
       - key: node-restriction.kubernetes.io/reserved-for
         operator: In
         values:
         - platform

venafiEnhancedIssuer.nodeSelector

Property venafiEnhancedIssuer.nodeSelector
Type object
Default
kubernetes.io/os: linux

The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.

This default ensures that Pods are only scheduled to Linux nodes. This prevents Pods being scheduled to Windows nodes in a mixed OS cluster.

This is because the Venafi Enhanced Issuer Docker multi-arch image only supports Linux OS.

venafiEnhancedIssuer.tolerations

Property venafiEnhancedIssuer.tolerations
Type array
Default
[]

The tolerations on Pods tell Kubernetes to allow these Pods to run on a tainted Node.

For more information, see Taint and Tolerations and Toleration v1 core.

For example:

venafiEnhancedIssuer:
  tolerations:
  - key: node-restriction.kubernetes.io/reserved-for
    operator: Equal
    value: platform

venafiEnhancedIssuer.manager.image.registry

Property venafiEnhancedIssuer.manager.image.registry
Type string
Default

The container registry to pull the manager image from.

venafiEnhancedIssuer.manager.image.repository

Property venafiEnhancedIssuer.manager.image.repository
Type string
Default

The container image for the Venafi Enhanced Issuer manager.

venafiEnhancedIssuer.manager.image.tag

Property venafiEnhancedIssuer.manager.image.tag
Type string
Default

Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.

venafiEnhancedIssuer.manager.image.digest

Property venafiEnhancedIssuer.manager.image.digest
Type string
Default

Setting a digest will override any tag.

venafiEnhancedIssuer.manager.image.pullPolicy

Property venafiEnhancedIssuer.manager.image.pullPolicy
Type string
Default
IfNotPresent

Kubernetes imagePullPolicy on Deployment.

venafiEnhancedIssuer.manager.resources.limits

Property venafiEnhancedIssuer.manager.resources.limits
Type object
Default
memory: 128Mi

Container resource limits.

venafiEnhancedIssuer.manager.resources.requests

Property venafiEnhancedIssuer.manager.resources.requests
Type object
Default
cpu: 10m
memory: 64Mi

Container resource requests.

venafiEnhancedIssuer.manager.setCAOnCertificateRequest

Property venafiEnhancedIssuer.manager.setCAOnCertificateRequest
Type bool
Default
false

setCAOnCertificateRequest: If true, the CA status field is set on the CertificateRequest resource. This can be used for backwards compatibility with the OSS Venafi Issuer. Generally the use of ca.crt is discouraged, see the cert-manager documentation.

venafiEnhancedIssuer.manager.trustedCaBundles

Property venafiEnhancedIssuer.manager.trustedCaBundles
Type array
Default
[]

The trustedCaBundles allows you to specify additional CA certificate bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA certificates are present in the image by default at
/etc/ssl/certs/ca-certificates.crt, and cannot be disabled.

Metrics

metrics.enabled

Property metrics.enabled
Type bool
Default
true

Tells Venafi Enhanced Issuer to expose its /metrics endpoint on port 8080. No Service object is created when this is enabled.

metrics.podmonitor.enabled

Property metrics.podmonitor.enabled
Type bool
Default
false

Determines whether a PodMonitor object should be deployed.

metrics.podmonitor.labels

Property metrics.podmonitor.labels
Type object
Default
prometheus: default

The labels that the PodMonitor are created with. These labels must match the podMonitorSelector and podMonitorNamespaceSelector labels in one of the MetricsInstance objects in your cluster.

metrics.podmonitor.interval

Property metrics.podmonitor.interval
Type string
Default
60s

The interval at which the Prometheus agent will scrape metrics from the
/metrics endpoint.

metrics.podmonitor.scrapeTimeout

Property metrics.podmonitor.scrapeTimeout
Type string
Default
30s

Timeout for scraping metrics from the Prometheus exporter. This value must be lower than interval.

metrics.podmonitor.annotations

Property metrics.podmonitor.annotations
Type object
Default

Annotations to add to the PodMonitor object.

metrics.podmonitor.endpointAdditionalProperties

Property metrics.podmonitor.endpointAdditionalProperties
Type object
Default

The endpointAdditionalProperties allows you to set additional properties on the endpoint such as relabelings, metricRelabelings etc.

For example:

endpointAdditionalProperties:
 relabelings:
 - action: replace
   sourceLabels:
   - __meta_kubernetes_pod_node_name
   targetLabel: instance

metrics.podmonitor.honorLabels

Property metrics.podmonitor.honorLabels
Type bool
Default
false

Keep labels from scraped data, overriding server-side labels.