[bitnami/cert-manager] feat: 🔒 Add resource preset support (#23435)

* [bitnami/cert-manager] feat:  🔒 Add resource preset support

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

* fix: 🐛 Set value in correct spot

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>

---------

Signed-off-by: Javier Salmeron Garcia <jsalmeron@vmware.com>
Javier J. Salmerón-García
2024-02-16 10:38:29 +01:00
committed by GitHub
parent 0a82ef66b9
commit 4fa6707877
8 changed files with 321 additions and 295 deletions

@@ -1,6 +1,6 @@
dependencies:
- name: common
repository: oci://registry-1.docker.io/bitnamicharts
version: 2.14.1
digest: sha256:5ccbe5f1fe4459864a8c9d7329c400b678666b6cfb1450818a830bda81995bc3
generated: "2024-01-10T03:54:09.383090019Z"
version: 2.15.3
digest: sha256:d80293db4b59902571fcfcbeabb6b81aebb1c05e8a6d25510053e7c329d73002
generated: "2024-02-14T14:39:08.242204883+01:00"
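Review bot: the new `generated` value in this lock carries a local `+01:00` offset where the previous one was UTC (`Z`), which suggests the lock was rebuilt on a workstation rather than by the usual automation. Because this file pins the `common` dependency by digest, confirm in CI that the new digest is what `oci://registry-1.docker.io/bitnamicharts` serves for 2.15.3. The commit message also does not mention the `common` bump from 2.14.1 to 2.15.3; if the preset feature depends on it, say so in the description.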

@@ -35,4 +35,4 @@ maintainers:
name: cert-manager
sources:
- https://github.com/bitnami/charts/tree/main/bitnami/cert-manager
version: 0.19.0
version: 0.20.0

@@ -79,273 +79,273 @@ The command removes all the Kubernetes components associated with the chart and
### Controller deployment parameters
| Name | Description | Value |
| -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `controller.replicaCount` | Number of Controller replicas | `1` |
| `controller.image.registry` | Controller image registry | `REGISTRY_NAME` |
| `controller.image.repository` | Controller image repository | `REPOSITORY_NAME/cert-manager` |
| `controller.image.digest` | Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `controller.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.image.pullSecrets` | Controller image pull secrets | `[]` |
| `controller.image.debug` | Controller image debug mode | `false` |
| `controller.acmesolver.image.registry` | Controller image registry | `REGISTRY_NAME` |
| `controller.acmesolver.image.repository` | Controller image repository | `REPOSITORY_NAME/acmesolver` |
| `controller.acmesolver.image.digest` | Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `controller.acmesolver.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.acmesolver.image.pullSecrets` | Controller image pull secrets | `[]` |
| `controller.acmesolver.image.debug` | Controller image debug mode | `false` |
| `controller.resources.limits` | The resources limits for the Controller container | `{}` |
| `controller.resources.requests` | The requested resources for the Controller container | `{}` |
| `controller.podSecurityContext.enabled` | Enabled Controller pods' Security Context | `true` |
| `controller.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `controller.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `controller.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `controller.podSecurityContext.fsGroup` | Set Controller pod's Security Context fsGroup | `1001` |
| `controller.containerSecurityContext.enabled` | Enabled controller containers' Security Context | `true` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `controller.containerSecurityContext.runAsUser` | Set controller containers' Security Context runAsUser | `1001` |
| `controller.containerSecurityContext.runAsNonRoot` | Set controller containers' Security Context runAsNonRoot | `true` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `controller.containerSecurityContext.privileged` | Set controller container's Security Context privileged | `false` |
| `controller.containerSecurityContext.allowPrivilegeEscalation` | Set controller container's Security Context allowPrivilegeEscalation | `false` |
| `controller.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `controller.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `controller.podAffinityPreset` | Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `controller.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `controller.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `controller.nodeAffinityPreset.key` | Node label key to match. Ignored if `controller.affinity` is set | `""` |
| `controller.nodeAffinityPreset.values` | Node label values to match. Ignored if `controller.affinity` is set | `[]` |
| `controller.affinity` | Affinity for cert-manager Controller | `{}` |
| `controller.nodeSelector` | Node labels for pod assignment | `{}` |
| `controller.containerPort` | Controller container port | `9402` |
| `controller.command` | Override Controller default command | `[]` |
| `controller.args` | Override Controller default args | `[]` |
| `controller.priorityClassName` | Controller pod priority class name | `""` |
| `controller.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `controller.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `controller.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `controller.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `controller.hostAliases` | Custom host aliases for Controller pods | `[]` |
| `controller.tolerations` | Tolerations for pod assignment | `[]` |
| `controller.podLabels` | Extra labels for Controller pods | `{}` |
| `controller.podAnnotations` | Annotations for Controller pods | `{}` |
| `controller.dnsPolicy` | Controller pod DNS policy | `""` |
| `controller.dnsConfig` | Controller pod DNS config. Required if `controller.dnsPolicy` is set to `None` | `{}` |
| `controller.lifecycleHooks` | Add lifecycle hooks to the Controller deployment | `{}` |
| `controller.updateStrategy.type` | Controller deployment update strategy | `RollingUpdate` |
| `controller.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `{}` |
| `controller.extraArgs` | Extra arguments to pass to the Controller container | `[]` |
| `controller.extraEnvVars` | Add extra environment variables to the Controller container | `[]` |
| `controller.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `controller.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `controller.extraVolumes` | Optionally specify extra list of additional volumes for Controller pods | `[]` |
| `controller.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Controller container(s) | `[]` |
| `controller.initContainers` | Add additional init containers to the Controller pods | `[]` |
| `controller.sidecars` | Add additional sidecar containers to the Controller pod | `[]` |
| `controller.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `controller.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `controller.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `controller.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `controller.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `controller.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `controller.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `controller.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `controller.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `controller.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `controller.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `controller.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `controller.startupProbe.enabled` | Enable startupProbe | `false` |
| `controller.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `controller.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
| `controller.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `controller.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `controller.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `controller.customStartupProbe` | Override default startup probe | `{}` |
| `controller.customLivenessProbe` | Override default liveness probe | `{}` |
| `controller.customReadinessProbe` | Override default readiness probe | `{}` |
| `controller.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `controller.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `controller.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `controller.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `controller.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `controller.networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `controller.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `controller.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `controller.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `controller.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `controller.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `controller.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| Name | Description | Value |
| -------------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------ |
| `controller.replicaCount` | Number of Controller replicas | `1` |
| `controller.image.registry` | Controller image registry | `REGISTRY_NAME` |
| `controller.image.repository` | Controller image repository | `REPOSITORY_NAME/cert-manager` |
| `controller.image.digest` | Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `controller.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.image.pullSecrets` | Controller image pull secrets | `[]` |
| `controller.image.debug` | Controller image debug mode | `false` |
| `controller.acmesolver.image.registry` | Controller image registry | `REGISTRY_NAME` |
| `controller.acmesolver.image.repository` | Controller image repository | `REPOSITORY_NAME/acmesolver` |
| `controller.acmesolver.image.digest` | Controller image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `controller.acmesolver.image.pullPolicy` | Controller image pull policy | `IfNotPresent` |
| `controller.acmesolver.image.pullSecrets` | Controller image pull secrets | `[]` |
| `controller.acmesolver.image.debug` | Controller image debug mode | `false` |
| `controller.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
| `controller.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `controller.podSecurityContext.enabled` | Enabled Controller pods' Security Context | `true` |
| `controller.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `controller.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `controller.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `controller.podSecurityContext.fsGroup` | Set Controller pod's Security Context fsGroup | `1001` |
| `controller.containerSecurityContext.enabled` | Enabled controller containers' Security Context | `true` |
| `controller.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `controller.containerSecurityContext.runAsUser` | Set controller containers' Security Context runAsUser | `1001` |
| `controller.containerSecurityContext.runAsNonRoot` | Set controller containers' Security Context runAsNonRoot | `true` |
| `controller.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `controller.containerSecurityContext.privileged` | Set controller container's Security Context privileged | `false` |
| `controller.containerSecurityContext.allowPrivilegeEscalation` | Set controller container's Security Context allowPrivilegeEscalation | `false` |
| `controller.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `controller.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `controller.podAffinityPreset` | Pod affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `controller.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `controller.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `controller.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `controller.nodeAffinityPreset.key` | Node label key to match. Ignored if `controller.affinity` is set | `""` |
| `controller.nodeAffinityPreset.values` | Node label values to match. Ignored if `controller.affinity` is set | `[]` |
| `controller.affinity` | Affinity for cert-manager Controller | `{}` |
| `controller.nodeSelector` | Node labels for pod assignment | `{}` |
| `controller.containerPort` | Controller container port | `9402` |
| `controller.command` | Override Controller default command | `[]` |
| `controller.args` | Override Controller default args | `[]` |
| `controller.priorityClassName` | Controller pod priority class name | `""` |
| `controller.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `controller.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `controller.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `controller.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `controller.hostAliases` | Custom host aliases for Controller pods | `[]` |
| `controller.tolerations` | Tolerations for pod assignment | `[]` |
| `controller.podLabels` | Extra labels for Controller pods | `{}` |
| `controller.podAnnotations` | Annotations for Controller pods | `{}` |
| `controller.dnsPolicy` | Controller pod DNS policy | `""` |
| `controller.dnsConfig` | Controller pod DNS config. Required if `controller.dnsPolicy` is set to `None` | `{}` |
| `controller.lifecycleHooks` | Add lifecycle hooks to the Controller deployment | `{}` |
| `controller.updateStrategy.type` | Controller deployment update strategy | `RollingUpdate` |
| `controller.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `{}` |
| `controller.extraArgs` | Extra arguments to pass to the Controller container | `[]` |
| `controller.extraEnvVars` | Add extra environment variables to the Controller container | `[]` |
| `controller.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `controller.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `controller.extraVolumes` | Optionally specify extra list of additional volumes for Controller pods | `[]` |
| `controller.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Controller container(s) | `[]` |
| `controller.initContainers` | Add additional init containers to the Controller pods | `[]` |
| `controller.sidecars` | Add additional sidecar containers to the Controller pod | `[]` |
| `controller.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `controller.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `controller.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `controller.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `controller.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `controller.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `controller.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `controller.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `controller.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `controller.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `controller.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `controller.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `controller.startupProbe.enabled` | Enable startupProbe | `false` |
| `controller.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `controller.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
| `controller.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `controller.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `controller.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `controller.customStartupProbe` | Override default startup probe | `{}` |
| `controller.customLivenessProbe` | Override default liveness probe | `{}` |
| `controller.customReadinessProbe` | Override default readiness probe | `{}` |
| `controller.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `controller.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `controller.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `controller.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `controller.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `controller.networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `controller.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `controller.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `controller.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `controller.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `controller.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `controller.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
### Webhook deployment parameters
| Name | Description | Value |
| ----------------------------------------------------------- | ------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `webhook.replicaCount` | Number of Webhook replicas | `1` |
| `webhook.image.registry` | Webhook image registry | `REGISTRY_NAME` |
| `webhook.image.repository` | Webhook image repository | `REPOSITORY_NAME/cert-manager-webhook` |
| `webhook.image.digest` | Webhook image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.image.pullSecrets` | Webhook image pull secrets | `[]` |
| `webhook.image.debug` | Webhook image debug mode | `false` |
| `webhook.resources.limits` | The resources limits for the Webhook container | `{}` |
| `webhook.resources.requests` | The requested resources for the Webhook container | `{}` |
| `webhook.podSecurityContext.enabled` | Enabled Webhook pods' Security Context | `true` |
| `webhook.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `webhook.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `webhook.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `webhook.podSecurityContext.fsGroup` | Set Webhook pod's Security Context fsGroup | `1001` |
| `webhook.containerSecurityContext.enabled` | Enabled webhook containers' Security Context | `true` |
| `webhook.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `webhook.containerSecurityContext.runAsUser` | Set webhook containers' Security Context runAsUser | `1001` |
| `webhook.containerSecurityContext.runAsNonRoot` | Set webhook containers' Security Context runAsNonRoot | `true` |
| `webhook.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `webhook.containerSecurityContext.privileged` | Set webhook container's Security Context privileged | `false` |
| `webhook.containerSecurityContext.allowPrivilegeEscalation` | Set webhook container's Security Context allowPrivilegeEscalation | `false` |
| `webhook.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `webhook.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `webhook.podAffinityPreset` | Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `webhook.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `webhook.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `webhook.nodeAffinityPreset.key` | Node label key to match. Ignored if `webhook.affinity` is set | `""` |
| `webhook.nodeAffinityPreset.values` | Node label values to match. Ignored if `webhook.affinity` is set | `[]` |
| `webhook.affinity` | Affinity for cert-manager Webhook | `{}` |
| `webhook.nodeSelector` | Node labels for pod assignment | `{}` |
| `webhook.containerPort` | Webhook container port | `10250` |
| `webhook.httpsPort` | Webhook container port | `443` |
| `webhook.command` | Override Webhook default command | `[]` |
| `webhook.args` | Override Webhook default args | `[]` |
| `webhook.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `webhook.livenessProbe.path` | Path for livenessProbe | `/livez` |
| `webhook.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `webhook.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `webhook.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `webhook.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `webhook.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `webhook.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `webhook.readinessProbe.path` | Path for readinessProbe | `/healthz` |
| `webhook.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `webhook.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `webhook.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `webhook.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `webhook.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `webhook.customStartupProbe` | Override default startup probe | `{}` |
| `webhook.customLivenessProbe` | Override default liveness probe | `{}` |
| `webhook.customReadinessProbe` | Override default readiness probe | `{}` |
| `webhook.priorityClassName` | Webhook pod priority class name | `""` |
| `webhook.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `webhook.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `webhook.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `webhook.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `webhook.hostAliases` | Custom host aliases for Webhook pods | `[]` |
| `webhook.tolerations` | Tolerations for pod assignment | `[]` |
| `webhook.podLabels` | Extra labels for Webhook pods | `{}` |
| `webhook.podAnnotations` | Annotations for Webhook pods | `{}` |
| `webhook.lifecycleHooks` | Add lifecycle hooks to the Webhook deployment | `{}` |
| `webhook.updateStrategy.type` | Webhook deployment update strategy | `RollingUpdate` |
| `webhook.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `{}` |
| `webhook.extraArgs` | Extra arguments to pass to the Webhook container | `[]` |
| `webhook.extraEnvVars` | Add extra environment variables to the Webhook container | `[]` |
| `webhook.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `webhook.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `webhook.extraVolumes` | Optionally specify extra list of additional volumes for Webhook pods | `[]` |
| `webhook.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Webhook container | `[]` |
| `webhook.initContainers` | Add additional init containers to the Webhook pods | `[]` |
| `webhook.sidecars` | Add additional sidecar containers to the Webhook pod | `[]` |
| `webhook.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `webhook.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `webhook.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `webhook.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `webhook.hostNetwork` | Specifies hostNetwork value | `false` |
| `webhook.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `webhook.networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `webhook.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `webhook.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `webhook.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `webhook.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `webhook.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `webhook.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
| Name | Description | Value |
| ----------------------------------------------------------- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | -------------------------------------- |
| `webhook.replicaCount` | Number of Webhook replicas | `1` |
| `webhook.image.registry` | Webhook image registry | `REGISTRY_NAME` |
| `webhook.image.repository` | Webhook image repository | `REPOSITORY_NAME/cert-manager-webhook` |
| `webhook.image.digest` | Webhook image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.image.pullSecrets` | Webhook image pull secrets | `[]` |
| `webhook.image.debug` | Webhook image debug mode | `false` |
| `webhook.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production). | `none` |
| `webhook.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `webhook.podSecurityContext.enabled` | Enabled Webhook pods' Security Context | `true` |
| `webhook.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `webhook.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `webhook.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `webhook.podSecurityContext.fsGroup` | Set Webhook pod's Security Context fsGroup | `1001` |
| `webhook.containerSecurityContext.enabled` | Enabled webhook containers' Security Context | `true` |
| `webhook.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `webhook.containerSecurityContext.runAsUser` | Set webhook containers' Security Context runAsUser | `1001` |
| `webhook.containerSecurityContext.runAsNonRoot` | Set webhook containers' Security Context runAsNonRoot | `true` |
| `webhook.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `webhook.containerSecurityContext.privileged` | Set webhook container's Security Context privileged | `false` |
| `webhook.containerSecurityContext.allowPrivilegeEscalation` | Set webhook container's Security Context allowPrivilegeEscalation | `false` |
| `webhook.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `webhook.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `webhook.podAffinityPreset` | Pod affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `webhook.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `webhook.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `webhook.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `webhook.nodeAffinityPreset.key` | Node label key to match. Ignored if `webhook.affinity` is set | `""` |
| `webhook.nodeAffinityPreset.values` | Node label values to match. Ignored if `webhook.affinity` is set | `[]` |
| `webhook.affinity` | Affinity for cert-manager Webhook | `{}` |
| `webhook.nodeSelector` | Node labels for pod assignment | `{}` |
| `webhook.containerPort` | Webhook container port | `10250` |
| `webhook.httpsPort` | Webhook container port | `443` |
| `webhook.command` | Override Webhook default command | `[]` |
| `webhook.args` | Override Webhook default args | `[]` |
| `webhook.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `webhook.livenessProbe.path` | Path for livenessProbe | `/livez` |
| `webhook.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `webhook.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `webhook.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `webhook.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `webhook.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `webhook.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `webhook.readinessProbe.path` | Path for readinessProbe | `/healthz` |
| `webhook.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `webhook.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `webhook.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `webhook.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `webhook.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `webhook.customStartupProbe` | Override default startup probe | `{}` |
| `webhook.customLivenessProbe` | Override default liveness probe | `{}` |
| `webhook.customReadinessProbe` | Override default readiness probe | `{}` |
| `webhook.priorityClassName` | Webhook pod priority class name | `""` |
| `webhook.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `webhook.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `webhook.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `webhook.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `webhook.hostAliases` | Custom host aliases for Webhook pods | `[]` |
| `webhook.tolerations` | Tolerations for pod assignment | `[]` |
| `webhook.podLabels` | Extra labels for Webhook pods | `{}` |
| `webhook.podAnnotations` | Annotations for Webhook pods | `{}` |
| `webhook.lifecycleHooks` | Add lifecycle hooks to the Webhook deployment | `{}` |
| `webhook.updateStrategy.type` | Webhook deployment update strategy | `RollingUpdate` |
| `webhook.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `{}` |
| `webhook.extraArgs` | Extra arguments to pass to the Webhook container | `[]` |
| `webhook.extraEnvVars` | Add extra environment variables to the Webhook container | `[]` |
| `webhook.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `webhook.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `webhook.extraVolumes` | Optionally specify extra list of additional volumes for Webhook pods | `[]` |
| `webhook.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for Webhook container | `[]` |
| `webhook.initContainers` | Add additional init containers to the Webhook pods | `[]` |
| `webhook.sidecars` | Add additional sidecar containers to the Webhook pod | `[]` |
| `webhook.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `webhook.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `webhook.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `webhook.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| `webhook.hostNetwork` | Specifies hostNetwork value | `false` |
| `webhook.networkPolicy.enabled` | Specifies whether a NetworkPolicy should be created | `true` |
| `webhook.networkPolicy.allowExternal` | Don't require client label for connections | `true` |
| `webhook.networkPolicy.allowExternalEgress` | Allow the pod to access any range of port and all destinations. | `true` |
| `webhook.networkPolicy.kubeAPIServerPorts` | List of possible endpoints to kube-apiserver (limit to your cluster settings to increase security) | `[]` |
| `webhook.networkPolicy.extraIngress` | Add extra ingress rules to the NetworkPolice | `[]` |
| `webhook.networkPolicy.extraEgress` | Add extra ingress rules to the NetworkPolicy | `[]` |
| `webhook.networkPolicy.ingressNSMatchLabels` | Labels to match to allow traffic from other namespaces | `{}` |
| `webhook.networkPolicy.ingressNSPodMatchLabels` | Pod labels to match to allow traffic from other namespaces | `{}` |
### CAInjector deployment parameters
| Name | Description | Value |
| -------------------------------------------------------------- | ---------------------------------------------------------------------------------------------------------- | ---------------------------- |
| `cainjector.replicaCount` | Number of CAInjector replicas | `1` |
| `cainjector.image.registry` | CAInjector image registry | `REGISTRY_NAME` |
| `cainjector.image.repository` | CAInjector image repository | `REPOSITORY_NAME/cainjector` |
| `cainjector.image.digest` | CAInjector image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `cainjector.image.pullPolicy` | CAInjector image pull policy | `IfNotPresent` |
| `cainjector.image.pullSecrets` | CAInjector image pull secrets | `[]` |
| `cainjector.image.debug` | CAInjector image debug mode | `false` |
| `cainjector.resources.limits` | The resources limits for the CAInjector container | `{}` |
| `cainjector.resources.requests` | The requested resources for the CAInjector container | `{}` |
| `cainjector.podSecurityContext.enabled` | Enabled CAInjector pods' Security Context | `true` |
| `cainjector.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `cainjector.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `cainjector.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `cainjector.podSecurityContext.fsGroup` | Set CAInjector pod's Security Context fsGroup | `1001` |
| `cainjector.containerSecurityContext.enabled` | Enabled cainjector containers' Security Context | `true` |
| `cainjector.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `cainjector.containerSecurityContext.runAsUser` | Set cainjector containers' Security Context runAsUser | `1001` |
| `cainjector.containerSecurityContext.runAsNonRoot` | Set cainjector containers' Security Context runAsNonRoot | `true` |
| `cainjector.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `cainjector.containerSecurityContext.privileged` | Set cainjector container's Security Context privileged | `false` |
| `cainjector.containerSecurityContext.allowPrivilegeEscalation` | Set cainjector container's Security Context allowPrivilegeEscalation | `false` |
| `cainjector.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `cainjector.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `cainjector.podAffinityPreset` | Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `cainjector.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `cainjector.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `cainjector.nodeAffinityPreset.key` | Node label key to match. Ignored if `cainjector.affinity` is set | `""` |
| `cainjector.nodeAffinityPreset.values` | Node label values to match. Ignored if `cainjector.affinity` is set | `[]` |
| `cainjector.affinity` | Affinity for cert-manager CAInjector | `{}` |
| `cainjector.nodeSelector` | Node labels for pod assignment | `{}` |
| `cainjector.command` | Override CAInjector default command | `[]` |
| `cainjector.args` | Override CAInjector default args | `[]` |
| `cainjector.priorityClassName` | CAInjector pod priority class name | `""` |
| `cainjector.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `cainjector.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `cainjector.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `cainjector.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `cainjector.hostAliases` | Custom host aliases for CAInjector pods | `[]` |
| `cainjector.tolerations` | Tolerations for pod assignment | `[]` |
| `cainjector.podLabels` | Extra labels for CAInjector pods | `{}` |
| `cainjector.podAnnotations` | Annotations for CAInjector pods | `{}` |
| `cainjector.lifecycleHooks` | Add lifecycle hooks to the CAInjector deployment | `{}` |
| `cainjector.updateStrategy.type` | Controller deployment update strategy | `RollingUpdate` |
| `cainjector.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `{}` |
| `cainjector.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `cainjector.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `cainjector.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `cainjector.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `cainjector.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `cainjector.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `cainjector.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `cainjector.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `cainjector.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `cainjector.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `cainjector.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `cainjector.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `cainjector.startupProbe.enabled` | Enable startupProbe | `false` |
| `cainjector.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `cainjector.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
| `cainjector.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `cainjector.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `cainjector.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `cainjector.customStartupProbe` | Override default startup probe | `{}` |
| `cainjector.customLivenessProbe` | Override default liveness probe | `{}` |
| `cainjector.customReadinessProbe` | Override default readiness probe | `{}` |
| `cainjector.extraArgs` | Extra arguments to pass to the CAInjector container | `[]` |
| `cainjector.extraEnvVars` | Add extra environment variables to the CAInjector container | `[]` |
| `cainjector.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `cainjector.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `cainjector.extraVolumes` | Optionally specify extra list of additional volumes for CAInjector pods | `[]` |
| `cainjector.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for CAInjector container(s) | `[]` |
| `cainjector.initContainers` | Add additional init containers to the CAInjector pods | `[]` |
| `cainjector.sidecars` | Add additional sidecar containers to the CAInjector pod | `[]` |
| `cainjector.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `cainjector.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `cainjector.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `cainjector.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
| Name | Description | Value |
| -------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------- |
| `cainjector.replicaCount` | Number of CAInjector replicas | `1` |
| `cainjector.image.registry` | CAInjector image registry | `REGISTRY_NAME` |
| `cainjector.image.repository` | CAInjector image repository | `REPOSITORY_NAME/cainjector` |
| `cainjector.image.digest` | CAInjector image digest in the way sha256:aa.... Please note this parameter, if set, will override the tag | `""` |
| `cainjector.image.pullPolicy` | CAInjector image pull policy | `IfNotPresent` |
| `cainjector.image.pullSecrets` | CAInjector image pull secrets | `[]` |
| `cainjector.image.debug` | CAInjector image debug mode | `false` |
| `cainjector.resourcesPreset` | Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production). | `none` |
| `cainjector.resources` | Set container requests and limits for different resources like CPU or memory (essential for production workloads) | `{}` |
| `cainjector.podSecurityContext.enabled` | Enabled CAInjector pods' Security Context | `true` |
| `cainjector.podSecurityContext.fsGroupChangePolicy` | Set filesystem group change policy | `Always` |
| `cainjector.podSecurityContext.sysctls` | Set kernel settings using the sysctl interface | `[]` |
| `cainjector.podSecurityContext.supplementalGroups` | Set filesystem extra groups | `[]` |
| `cainjector.podSecurityContext.fsGroup` | Set CAInjector pod's Security Context fsGroup | `1001` |
| `cainjector.containerSecurityContext.enabled` | Enabled cainjector containers' Security Context | `true` |
| `cainjector.containerSecurityContext.seLinuxOptions` | Set SELinux options in container | `nil` |
| `cainjector.containerSecurityContext.runAsUser` | Set cainjector containers' Security Context runAsUser | `1001` |
| `cainjector.containerSecurityContext.runAsNonRoot` | Set cainjector containers' Security Context runAsNonRoot | `true` |
| `cainjector.containerSecurityContext.readOnlyRootFilesystem` | Set read only root file system pod's Security Conte | `false` |
| `cainjector.containerSecurityContext.privileged` | Set cainjector container's Security Context privileged | `false` |
| `cainjector.containerSecurityContext.allowPrivilegeEscalation` | Set cainjector container's Security Context allowPrivilegeEscalation | `false` |
| `cainjector.containerSecurityContext.capabilities.drop` | List of capabilities to be dropped | `["ALL"]` |
| `cainjector.containerSecurityContext.seccompProfile.type` | Set container's Security Context seccomp profile | `RuntimeDefault` |
| `cainjector.podAffinityPreset` | Pod affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `cainjector.podAntiAffinityPreset` | Pod anti-affinity preset. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `soft` |
| `cainjector.nodeAffinityPreset.type` | Node affinity preset type. Ignored if `cainjector.affinity` is set. Allowed values: `soft` or `hard` | `""` |
| `cainjector.nodeAffinityPreset.key` | Node label key to match. Ignored if `cainjector.affinity` is set | `""` |
| `cainjector.nodeAffinityPreset.values` | Node label values to match. Ignored if `cainjector.affinity` is set | `[]` |
| `cainjector.affinity` | Affinity for cert-manager CAInjector | `{}` |
| `cainjector.nodeSelector` | Node labels for pod assignment | `{}` |
| `cainjector.command` | Override CAInjector default command | `[]` |
| `cainjector.args` | Override CAInjector default args | `[]` |
| `cainjector.priorityClassName` | CAInjector pod priority class name | `""` |
| `cainjector.runtimeClassName` | Name of the runtime class to be used by pod(s) | `""` |
| `cainjector.schedulerName` | Name of the k8s scheduler (other than default) | `""` |
| `cainjector.topologySpreadConstraints` | Topology Spread Constraints for pod assignment | `[]` |
| `cainjector.automountServiceAccountToken` | Mount Service Account token in pod | `true` |
| `cainjector.hostAliases` | Custom host aliases for CAInjector pods | `[]` |
| `cainjector.tolerations` | Tolerations for pod assignment | `[]` |
| `cainjector.podLabels` | Extra labels for CAInjector pods | `{}` |
| `cainjector.podAnnotations` | Annotations for CAInjector pods | `{}` |
| `cainjector.lifecycleHooks` | Add lifecycle hooks to the CAInjector deployment | `{}` |
| `cainjector.updateStrategy.type` | Controller deployment update strategy | `RollingUpdate` |
| `cainjector.updateStrategy.rollingUpdate` | Controller deployment rolling update configuration parameters | `{}` |
| `cainjector.livenessProbe.enabled` | Enable livenessProbe | `true` |
| `cainjector.livenessProbe.initialDelaySeconds` | Initial delay seconds for livenessProbe | `60` |
| `cainjector.livenessProbe.periodSeconds` | Period seconds for livenessProbe | `10` |
| `cainjector.livenessProbe.timeoutSeconds` | Timeout seconds for livenessProbe | `1` |
| `cainjector.livenessProbe.failureThreshold` | Failure threshold for livenessProbe | `3` |
| `cainjector.livenessProbe.successThreshold` | Success threshold for livenessProbe | `1` |
| `cainjector.readinessProbe.enabled` | Enable readinessProbe | `true` |
| `cainjector.readinessProbe.initialDelaySeconds` | Initial delay seconds for readinessProbe | `5` |
| `cainjector.readinessProbe.periodSeconds` | Period seconds for readinessProbe | `5` |
| `cainjector.readinessProbe.timeoutSeconds` | Timeout seconds for readinessProbe | `1` |
| `cainjector.readinessProbe.failureThreshold` | Failure threshold for readinessProbe | `3` |
| `cainjector.readinessProbe.successThreshold` | Success threshold for readinessProbe | `1` |
| `cainjector.startupProbe.enabled` | Enable startupProbe | `false` |
| `cainjector.startupProbe.initialDelaySeconds` | Initial delay seconds for startupProbe | `5` |
| `cainjector.startupProbe.periodSeconds` | Period seconds for startupProbe | `5` |
| `cainjector.startupProbe.timeoutSeconds` | Timeout seconds for startupProbe | `1` |
| `cainjector.startupProbe.failureThreshold` | Failure threshold for startupProbe | `3` |
| `cainjector.startupProbe.successThreshold` | Success threshold for startupProbe | `1` |
| `cainjector.customStartupProbe` | Override default startup probe | `{}` |
| `cainjector.customLivenessProbe` | Override default liveness probe | `{}` |
| `cainjector.customReadinessProbe` | Override default readiness probe | `{}` |
| `cainjector.extraArgs` | Extra arguments to pass to the CAInjector container | `[]` |
| `cainjector.extraEnvVars` | Add extra environment variables to the CAInjector container | `[]` |
| `cainjector.extraEnvVarsCM` | Name of existing ConfigMap containing extra env vars | `""` |
| `cainjector.extraEnvVarsSecret` | Name of existing Secret containing extra env vars | `""` |
| `cainjector.extraVolumes` | Optionally specify extra list of additional volumes for CAInjector pods | `[]` |
| `cainjector.extraVolumeMounts` | Optionally specify extra list of additional volumeMounts for CAInjector container(s) | `[]` |
| `cainjector.initContainers` | Add additional init containers to the CAInjector pods | `[]` |
| `cainjector.sidecars` | Add additional sidecar containers to the CAInjector pod | `[]` |
| `cainjector.serviceAccount.create` | Specifies whether a ServiceAccount should be created | `true` |
| `cainjector.serviceAccount.name` | The name of the ServiceAccount to use. | `""` |
| `cainjector.serviceAccount.annotations` | Additional custom annotations for the ServiceAccount | `{}` |
| `cainjector.serviceAccount.automountServiceAccountToken` | Automount service account token for the server service account | `false` |
### Metrics Parameters
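Review bot: the new `cainjector.resourcesPreset` row says the preset "is ignored if cloneHtdocsFromGit.resources is set", a value that is not listed anywhere in this chart's parameter tables and looks carried over from another chart. It should name `cainjector.resources`, in the same way the `controller.resourcesPreset` description later in this commit names `controller.resources`.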
@@ -393,6 +393,12 @@ helm install my-release -f values.yaml oci://REGISTRY_NAME/REPOSITORY_NAME/cert-
## Configuration and installation details
### Resource requests and limits
Bitnami charts allow setting resource requests and limits for all containers inside the chart deployment. These are inside the `resources` value (check parameter table). Setting requests is essential for production workloads and these should be adapted to your specific use case.
To make this process easier, the chart contains the `resourcesPreset` values, which automatically sets the `resources` section according to different presets. Check these presets in [the bitnami/common chart](https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15). However, in production workloads using `resourcePreset` is discouraged as it may not fully adapt to your specific needs. Find more information on container resource management in the [official Kubernetes documentation](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
### [Rolling VS Immutable tags](https://docs.bitnami.com/tutorials/understand-rolling-tags-containers)
It is strongly recommended to use immutable tags in a production environment. This ensures your deployment does not change automatically if the same tag is updated with a different image.
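Review bot: the second paragraph of the new "Resource requests and limits" section writes `resourcePreset` (singular) where the value is `resourcesPreset`; anyone copying the name from that sentence sets a key the templates never read. In the same paragraph, "the `resourcesPreset` values, which automatically sets" should be "value, which automatically sets", or better a per-component name such as `controller.resourcesPreset`, since the parameter tables show no top-level key of that name.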

View File

@@ -11,3 +11,4 @@ https://cert-manager.io/docs/configuration/
To configure a new ingress to automatically provision certificates, you will find some information in the following link:
https://cert-manager.io/docs/usage/ingress/
{{- include "common.warnings.resources" (dict "sections" (list "cainjector" "controller" "webhook") "context" $) }}

View File

@@ -160,6 +160,8 @@ spec:
{{- end }}
{{- if .Values.cainjector.resources }}
resources: {{- toYaml .Values.cainjector.resources | nindent 12 }}
{{- else if ne .Values.cainjector.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.cainjector.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.cainjector.extraVolumeMounts }}
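Review bot: the `{{- if .Values.cainjector.resources }}` guard only falls through to the preset branch when the map is empty. The default this commit removes was `resources:` with `limits: {}` and `requests: {}`, a map with two keys, so a values file that still carries that old shape takes the first branch, renders empty limits and requests, and silently ignores `resourcesPreset`. Either test the leaves (`.Values.cainjector.resources.limits` and `.requests`) or call out the shape change in the upgrade notes.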

View File

@@ -168,6 +168,8 @@ spec:
{{- end }}
{{- if .Values.controller.resources }}
resources: {{- toYaml .Values.controller.resources | nindent 12 }}
{{- else if ne .Values.controller.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.controller.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.controller.extraVolumeMounts }}
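Review bot: `ne .Values.controller.resourcesPreset "none"` is also true for an empty string, so `resourcesPreset: ""` reaches `common.resources.preset` with an empty `type`; what happens then is decided in the common chart and is not visible in this diff. If an empty value should mean "no preset", guard for it here, for example `{{- else if and .Values.controller.resourcesPreset (ne .Values.controller.resourcesPreset "none") }}`.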

View File

@@ -154,6 +154,8 @@ spec:
{{- end }}
{{- if .Values.webhook.resources }}
resources: {{- toYaml .Values.webhook.resources | nindent 12 }}
{{- else if ne .Values.webhook.resourcesPreset "none" }}
resources: {{- include "common.resources.preset" (dict "type" .Values.webhook.resourcesPreset) | nindent 12 }}
{{- end }}
volumeMounts:
{{- if .Values.webhook.extraVolumeMounts }}
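Review bot: this is the third copy of the same if / else-if block, differing only in `webhook` versus `controller` and `cainjector`. A small named template in the chart's helpers that takes the component's values would keep the three deployments from drifting if the precedence between `resources` and `resourcesPreset` ever changes.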

View File

@@ -13,7 +13,6 @@ global:
imageRegistry: ""
imagePullSecrets: []
storageClass: ""
## @section Common parameters
## @param kubeVersion Override Kubernetes version
@@ -50,7 +49,6 @@ installCRDs: false
## @param replicaCount Number of cert-manager replicas
##
replicaCount: 1
## @section Controller deployment parameters
## Controller deployment parameters
@@ -123,12 +121,21 @@ controller:
debug: false
## Controller containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param controller.resources.limits The resources limits for the Controller container
## @param controller.resources.requests The requested resources for the Controller container
## @param controller.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resources:
limits: {}
requests: {}
resourcesPreset: "none"
## @param controller.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## controller pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param controller.podSecurityContext.enabled Enabled Controller pods' Security Context
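Review bot: with `resourcesPreset: "none"` and `resources: {}` as the defaults, a default install still renders no `resources` block for the controller, so the container runs without requests or limits, which the README text added in this commit calls essential for production workloads. The `common.warnings.resources` include added to the install notes is the only signal a user gets; worth confirming that `none` rather than a small preset is the intended default.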
@@ -384,7 +391,6 @@ controller:
## @param controller.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
##
automountServiceAccountToken: false
## Controller Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
@@ -443,7 +449,6 @@ controller:
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @section Webhook deployment parameters
## Webhook deployment parameters
@@ -485,14 +490,21 @@ webhook:
debug: false
## Webhook containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
## @param webhook.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if controller.resources is set (controller.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resources:
## @param webhook.resources.limits The resources limits for the Webhook container
##
limits: {}
## @param webhook.resources.requests The requested resources for the Webhook container
##
requests: {}
resourcesPreset: "none"
## @param webhook.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## webhook pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param webhook.podSecurityContext.enabled Enabled Webhook pods' Security Context
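Review bot: the `@param webhook.resourcesPreset` description says the preset "is ignored if controller.resources is set (controller.resources is recommended for production)", but the webhook deployment template in this commit checks `.Values.webhook.resources`. Both mentions should read `webhook.resources`.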
@@ -732,7 +744,6 @@ webhook:
## @param webhook.hostNetwork Specifies hostNetwork value
##
hostNetwork: false
## Webhook Network Policies
## Ref: https://kubernetes.io/docs/concepts/services-networking/network-policies/
##
@@ -791,7 +802,6 @@ webhook:
##
ingressNSMatchLabels: {}
ingressNSPodMatchLabels: {}
## @section CAInjector deployment parameters
## CAInjector deployment parameters
@@ -800,7 +810,6 @@ cainjector:
## @param cainjector.replicaCount Number of CAInjector replicas
##
replicaCount: 1
## Bitnami CAInjector image
## ref: https://hub.docker.com/r/bitnami/cainjector/tags/
## @param cainjector.image.registry [default: REGISTRY_NAME] CAInjector image registry
@@ -835,13 +844,21 @@ cainjector:
## CAInjector containers' resource requests and limits
## ref: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/
##
resources:
## @param cainjector.resources.limits The resources limits for the CAInjector container
##
limits: {}
## @param cainjector.resources.requests The requested resources for the CAInjector container
##
requests: {}
## @param cainjector.resourcesPreset Set container resources according to one common preset (allowed values: none, nano, small, medium, large, xlarge, 2xlarge). This is ignored if cloneHtdocsFromGit.resources is set (cloneHtdocsFromGit.resources is recommended for production).
## More information: https://github.com/bitnami/charts/blob/main/bitnami/common/templates/_resources.tpl#L15
##
resourcesPreset: "none"
## @param cainjector.resources Set container requests and limits for different resources like CPU or memory (essential for production workloads)
## Example:
## resources:
## requests:
## cpu: 2
## memory: 512Mi
## limits:
## cpu: 3
## memory: 1024Mi
##
resources: {}
## cainjector pods' Security Context
## ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-pod
## @param cainjector.podSecurityContext.enabled Enabled CAInjector pods' Security Context
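Review bot: `@param cainjector.resourcesPreset` names `cloneHtdocsFromGit.resources` twice, a key that appears nowhere else in this chart's diff; the cainjector deployment template checks `.Values.cainjector.resources`, so that is the name to use. The same wording appears in the `cainjector.resourcesPreset` row of the README table, so fix that row together with this comment.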
@@ -1079,9 +1096,7 @@ cainjector:
## @param cainjector.serviceAccount.automountServiceAccountToken Automount service account token for the server service account
##
automountServiceAccountToken: false
## @section Metrics Parameters
metrics:
## @param metrics.enabled Start metrics
##
@@ -1097,7 +1112,6 @@ metrics:
prometheus.io/path: "/metrics"
prometheus.io/scrape: "true"
prometheus.io/port: "{{ .Values.controller.containerPort }}"
## Prometheus Operator ServiceMonitor resource
##
serviceMonitor:
@@ -1150,7 +1164,6 @@ metrics:
## @param metrics.serviceMonitor.honorLabels honorLabels chooses the metric's labels on collisions with target labels
##
honorLabels: false
## @section Other Parameters
## RBAC configuration