Venafi Enhanced Issuer Helm values¶
Venafi Enhanced Issuer is an [external issuer for cert-manager][external-issuer] which uses Venafi TLS Protect Datacenter or Venafi TLS Protect to sign certificate requests. It provides advanced authentication and error handling features which are not available in cert-manager's open-source Venafi Issuer.
The following Venafi Enhanced Issuer Helm values are supported by the Venafi {{ K8s }} Manifest tool.
CRDs¶
The CRDs installed by this chart are annotated with "helm.sh/resource-policy: keep". This prevents them from being accidentally removed by Helm when this chart is deleted. After deleting the installed chart, the user still has to remove the remaining CRDs manually.
crds.forceRemoveValidationAnnotations¶
| Property | crds.forceRemoveValidationAnnotations |
|---|---|
| Type | bool |
| Default | |
The 'x-kubernetes-validations' annotation is not supported in Kubernetes 1.22 or earlier. This annotation is used by CEL, which is a feature introduced in Kubernetes 1.25 that improves how validation is performed. This option allows to force the 'x-kubernetes-validations' annotation to be excluded, even on Kubernetes 1.25+ clusters.
Global¶
global.imagePullSecrets¶
| Property | global.imagePullSecrets |
|---|---|
| Type | array |
| Default | |
For Private docker registries, authentication is needed.
Registry secrets are applied to the deployment.
Venafi Connection¶
venafiConnection.include¶
| Property | venafiConnection.include |
|---|---|
| Type | bool |
| Default | |
When set to false, the rendered output does not contain the. VenafiConnection CRDs and RBAC. This is useful for when the. Venafi Connection resources are already installed separately.
Venafi Enhanced Issuer¶
venafiEnhancedIssuer.replicas¶
| Property | venafiEnhancedIssuer.replicas |
|---|---|
| Type | number |
| Default | |
The number of replicas of venafi-enhanced-issuer to run. The default is 1, but in production, set this to 2 or 3 to provide high availability.
If replicas > 1, consider setting podDisruptionBudget.enabled=true.
Note
Venafi Enhanced Issuer uses leader election to ensure that there can only be a single instance active at a time.
venafiEnhancedIssuer.podDisruptionBudget.enabled¶
| Property | venafiEnhancedIssuer.podDisruptionBudget.enabled |
|---|---|
| Type | bool |
| Default | |
Enable or disable the PodDisruptionBudget resource.
This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget blocks kubectl drain if it is used on the Node where the only remaining Venafi Enhanced Issuer Pod is currently running.
venafiEnhancedIssuer.podDisruptionBudget.minAvailable¶
| Property | venafiEnhancedIssuer.podDisruptionBudget.minAvailable |
|---|---|
| Type | number |
| Default |
Configures the minimum available pods for disruptions.
This property cannot be used if maxUnavailable is set.
venafiEnhancedIssuer.podDisruptionBudget.maxUnavailable¶
| Property | venafiEnhancedIssuer.podDisruptionBudget.maxUnavailable |
|---|---|
| Type | number |
| Default |
Configures the maximum unavailable pods for disruptions.
This property cannot be used if minAvailable is set.
venafiEnhancedIssuer.http_proxy¶
| Property | venafiEnhancedIssuer.http_proxy |
|---|---|
| Type | string |
| Default |
Configures the HTTP_PROXY environment variable where a HTTP proxy is required.
venafiEnhancedIssuer.https_proxy¶
| Property | venafiEnhancedIssuer.https_proxy |
|---|---|
| Type | string |
| Default |
Configures the HTTPS_PROXY environment variable where a HTTP proxy is required.
venafiEnhancedIssuer.no_proxy¶
| Property | venafiEnhancedIssuer.no_proxy |
|---|---|
| Type | string |
| Default |
Configures the NO_PROXY environment variable where a HTTP proxy is required, but certain domains should be excluded.
venafiEnhancedIssuer.topologySpreadConstraints¶
| Property | venafiEnhancedIssuer.topologySpreadConstraints |
|---|---|
| Type | array |
| Default | |
Topology Spread Constraints allow you to control how Pods are spread across your cluster among failure-domains such as regions, zones, nodes, and other user-defined topology domains. This can help to achieve high availability as well as efficient resource utilization. For more information, see Pod Topology Spread Constraints.
In most cases this parameter should not be required, because the Built-in default constraints will ensure that replica Pods are scheduled to different nodes in different availability zones.
Expects a list of objects matching the following structure: TopologySpreadConstraint v1 core.
venafiEnhancedIssuer.affinity¶
| Property | venafiEnhancedIssuer.affinity |
|---|---|
| Type | object |
| Default | |
The node affinity on Pods.
Tells Kubernetes to schedule those Pods on the dedicated nodes. For more information, see Affinity v1 core.
For example:
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: node-restriction.kubernetes.io/reserved-for
operator: In
values:
- platform
venafiEnhancedIssuer.nodeSelector¶
| Property | venafiEnhancedIssuer.nodeSelector |
|---|---|
| Type | object |
| Default | |
The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. For more information, see Assigning Pods to Nodes.
This default ensures that Pods are only scheduled to Linux nodes. This prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
This is because the Venafi Enhanced Issuer Docker multi-arch image only supports Linux OS.
venafiEnhancedIssuer.tolerations¶
| Property | venafiEnhancedIssuer.tolerations |
|---|---|
| Type | array |
| Default | |
The tolerations on Pods tell Kubernetes to allow these Pods to run on a tainted Node.
For more information, see Taint and Tolerations and Toleration v1 core.
For example:
venafiEnhancedIssuer:
tolerations:
- key: node-restriction.kubernetes.io/reserved-for
operator: Equal
value: platform
venafiEnhancedIssuer.manager.image.registry¶
| Property | venafiEnhancedIssuer.manager.image.registry |
|---|---|
| Type | string |
| Default |
The container registry to pull the manager image from.
venafiEnhancedIssuer.manager.image.repository¶
| Property | venafiEnhancedIssuer.manager.image.repository |
|---|---|
| Type | string |
| Default |
The container image for the Venafi Enhanced Issuer manager.
venafiEnhancedIssuer.manager.image.tag¶
| Property | venafiEnhancedIssuer.manager.image.tag |
|---|---|
| Type | string |
| Default |
Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion is used.
venafiEnhancedIssuer.manager.image.digest¶
| Property | venafiEnhancedIssuer.manager.image.digest |
|---|---|
| Type | string |
| Default |
Setting a digest will override any tag.
venafiEnhancedIssuer.manager.image.pullPolicy¶
| Property | venafiEnhancedIssuer.manager.image.pullPolicy |
|---|---|
| Type | string |
| Default | |
Kubernetes imagePullPolicy on Deployment.
venafiEnhancedIssuer.manager.resources.requests¶
| Property | venafiEnhancedIssuer.manager.resources.requests |
|---|---|
| Type | object |
| Default | |
Container resource limits
venafiEnhancedIssuer.manager.resources.requests¶
| Property | venafiEnhancedIssuer.manager.resources.requests |
|---|---|
| Type | object |
| Default | |
Container resource requests
venafiEnhancedIssuer.manager.setCAOnCertificateRequest¶
| Property | venafiEnhancedIssuer.manager.setCAOnCertificateRequest |
|---|---|
| Type | bool |
| Default | |
setCAOnCertificateRequest: If true, the CA status field is set on the CertificateRequest resource. This can be used for backwards compatibility with the OSS Venafi Issuer. Generally the use of ca.crt is discouraged, see the cert-manager documentation.
venafiEnhancedIssuer.manager.trustedCaBundles¶
| Property | venafiEnhancedIssuer.manager.trustedCaBundles |
|---|---|
| Type | array |
| Default | |
The trustedCaBundles allows you to specify additional CA certificate bundles that will be mounted to /etc/ssl/certs/. Note that Mozilla's CA certificates are present in the image by default at
/etc/ssl/certs/ca-certificates.crt, and cannot be disabled.
Metrics¶
metrics.enabled¶
| Property | metrics.enabled |
|---|---|
| Type | bool |
| Default | |
Tells Venafi Enhanced Issuer to expose its /metrics endpoint on port 8080. No Service object is created when this is enabled.
metrics.podmonitor.enabled¶
| Property | metrics.podmonitor.enabled |
|---|---|
| Type | bool |
| Default | |
Determines whether a PodMonitor object should be deployed.
metrics.podmonitor.labels¶
| Property | metrics.podmonitor.labels |
|---|---|
| Type | object |
| Default | |
The labels that the PodMonitor are created with. These labels must match the podMonitorSelector and podMonitorNamespaceSelector labels in one of the MetricsInstance objects in your cluster.
metrics.podmonitor.interval¶
| Property | metrics.podmonitor.interval |
|---|---|
| Type | string |
| Default | |
The interval at which the Prometheus agent will scrape metrics from the
/metrics endpoint.
metrics.podmonitor.scrapeTimeout¶
| Property | metrics.podmonitor.scrapeTimeout |
|---|---|
| Type | string |
| Default | |
Timeout for scraping metrics from the Prometheus exporter. This value must be lower than interval.
metrics.podmonitor.annotations¶
| Property | metrics.podmonitor.annotations |
|---|---|
| Type | object |
| Default |
Annotations to add to the PodMonitor object.
metrics.podmonitor.endpointAdditionalProperties¶
| Property | metrics.podmonitor.endpointAdditionalProperties |
|---|---|
| Type | object |
| Default |
The endpointAdditionalProperties allows you to set additional properties on the endpoint such as relabelings, metricRelabelings etc.
For example:
endpointAdditionalProperties:
relabelings:
- action: replace
sourceLabels:
- __meta_kubernetes_pod_node_name
targetLabel: instance
metrics.podmonitor.honorLabels¶
| Property | metrics.podmonitor.honorLabels |
|---|---|
| Type | bool |
| Default | |
Keep labels from scraped data, overriding server-side labels.