A timoni.sh module for deploying cert-manager to Kubernetes clusters.
This module is applied to these Kubernetes versions in CI:

To create an instance using the default values:

```shell
timoni -n cert-manager apply cert-manager oci://ghcr.io/nalum/timoni/modules/cert-manager
```
To change the default configuration, create one or more `values.cue` files and apply them to the instance. For example, create a file `my-values.cue` with the following content:
```cue
values: {
	highAvailability: enabled: true
	controller: {
		config: logging: format: "json"
		podDisruptionBudget: minAvailable: 2
		monitoring: {
			enabled: true
		}
		image: {
			tag:    "v1.14.0"
			digest: "sha256:2547fde4e736101abf33f8c2503f12aa3a0b42614d3d64cfecf2835c0ee81c10"
		}
	}
	webhook: {
		podDisruptionBudget: minAvailable: 3
	}
	test: enabled: false
}
```
And apply the values with:

```shell
timoni -n cert-manager apply cert-manager oci://ghcr.io/nalum/timoni/modules/cert-manager \
  --values ./my-values.cue
```
To uninstall an instance and delete all its Kubernetes resources:

```shell
timoni -n cert-manager delete cert-manager
```
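The values file above pins the controller image by digest; the configuration table below also exposes `podSecurityAdmission` and a `webhook: networkPolicy` default that admits `0.0.0.0/0` on both ingress and egress. The following script is an added example and is not part of the nalum/timoni module: it writes a hardened `values.cue` using those keys, and runs a pre-apply check over rendered manifests (for instance the output of `timoni build`) that rejects any image reference without a sha256 digest and any container marked privileged or allowed to escalate privileges. The `10.0.0.0/8` CIDRs are placeholders for your own API-server and pod ranges, the sample manifests are constructed, and the script assumes the module declares its `networkPolicy` lists as overridable CUE defaults, which the README does not state.

```shell
#!/bin/sh
# Added example, not part of the nalum/timoni cert-manager module.
# Two pieces: a hardened values.cue (digest pinning, PodSecurity admission,
# a narrower webhook NetworkPolicy) and a pre-apply check over rendered
# manifests that rejects unpinned or privileged containers.
set -eu

# Write a values.cue that tightens the module's defaults. The CIDRs are
# placeholders for your cluster's API-server/pod range; overriding
# `webhook: networkPolicy` assumes the module declares its rules as
# overridable CUE defaults (an assumption, not confirmed by the README).
write_hardened_values() {
  cat > "$1" <<'EOF'
values: {
	podSecurityAdmission: {
		mode:  "enforce"
		level: "restricted"
	}
	controller: image: {
		tag:    "v1.14.2"
		digest: "sha256:94c24f76822cbf523eedb36c4c4aaa1eb8fffad31841a82946a175c74e3a9673"
	}
	webhook: {
		image: {
			tag:    "v1.14.2"
			digest: "sha256:8c2974322be244119eff2112ce1ea935dcd15bc9cc50b42c6796f8d66d09f9e3"
		}
		// Replace the default 0.0.0.0/0 rules: only the API server calls the
		// webhook, and the webhook only needs DNS and the API server.
		networkPolicy: {
			ingress: [{from: [{ipBlock: {cidr: "10.0.0.0/8"}}]}] // placeholder CIDR
			egress: [{
				ports: [
					{port: 6443, protocol: "TCP"},
					{port: 443, protocol: "TCP"},
					{port: 53, protocol: "TCP"},
					{port: 53, protocol: "UDP"},
				]
				to: [{ipBlock: {cidr: "10.0.0.0/8"}}] // placeholder CIDR
			}]
		}
	}
}
EOF
}

# Check a rendered manifest file (for example the output of
# `timoni build -n cert-manager cert-manager <module-url> --values ./hardened.cue`).
# Returns 0 when every `image:` reference carries a 64-hex sha256 digest and
# no container sets privileged or allowPrivilegeEscalation to true.
check_manifest() {
  f="$1"
  if grep -E '^[[:space:]]*(- )?image:' "$f" | grep -vq '@sha256:[0-9a-f]\{64\}'; then
    echo "$f: image reference without digest" >&2
    return 1
  fi
  if grep -Eq '^[[:space:]]*(privileged|allowPrivilegeEscalation):[[:space:]]*true' "$f"; then
    echo "$f: privileged or privilege-escalating container" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests (not real timoni output) to exercise the check:
# one compliant, one with the digest stripped, one with a privileged container.
write_samples() {
  d="$1"
  cat > "$d/pinned.yaml" <<'EOF'
apiVersion: apps/v1
kind: Deployment
spec:
  template:
    spec:
      containers:
      - name: controller
        image: quay.io/jetstack/cert-manager-controller:v1.14.2@sha256:94c24f76822cbf523eedb36c4c4aaa1eb8fffad31841a82946a175c74e3a9673
        securityContext:
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
EOF
  sed 's/@sha256:[0-9a-f]*//' "$d/pinned.yaml" > "$d/unpinned.yaml"
  sed 's/allowPrivilegeEscalation: false/privileged: true/' "$d/pinned.yaml" > "$d/privileged.yaml"
}

main() {
  tmp=$(mktemp -d)
  write_hardened_values "$tmp/hardened.cue"
  write_samples "$tmp"
  for name in pinned unpinned privileged; do
    if check_manifest "$tmp/$name.yaml" 2>/dev/null; then
      echo "$name.yaml: ok"
    else
      echo "$name.yaml: rejected"
    fi
  done
  rm -rf "$tmp"
}

main
```

Run it as-is to see the three sample verdicts; in a pipeline, replace the samples with `timoni build ... --values ./hardened.cue > rendered.yaml` and gate the `apply` on `check_manifest rendered.yaml`.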
KEY | TYPE | DEFAULT | DESCRIPTION |
---|---|---|---|
metadata: labels: |
struct |
{} |
Map of string keys and values that can be used to organize and categorize (scope and select) objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels |
metadata: annotations: |
struct |
{} |
Annotations is an unstructured key value map stored with a resource that may be set to store and retrieve arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations |
imagePullSecrets: |
list |
[] |
Reference to one or more secrets to be used when pulling images ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
priorityClassName: |
string |
`` | Optional priority class to be used for the cert-manager pods |
logLevel: |
int |
2 |
Logging verbosity |
rbac: enabled: |
bool |
true |
Create the roles and bindings for cert-manager |
rbac: aggregateClusterRoles: |
bool |
true |
Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |
podSecurityAdmission: mode: |
string |
"enforce" |
Set the PodSecurity admission controller mode for the namespace |
podSecurityAdmission: level: |
string |
"restricted" |
Set the PodSecurity admission controller level for the namespace |
highAvailability: enabled: |
bool |
false |
Enable high availability features |
leaderElection: namespace: |
string |
"kube-system" |
Override the namespace used for the leader election lease |
leaderElection: leaseDuration: |
string |
`` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. |
leaderElection: renewDeadline: |
string |
`` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. |
leaderElection: retryPeriod: |
string |
`` | The duration the clients should wait between attempting acquisition and renewal of a leadership. |
controller: clusterResourceNamespace: |
string |
`` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. |
controller: affinity: |
struct |
{} |
group of affinity scheduling rules. |
controller: dns01RecursiveNameservers: |
string |
`` | Comma separated string with host and port of the recursive nameservers cert-manager should query |
controller: dns01RecursiveNameserversOnly: |
bool |
false |
Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers |
controller: enableCertificateOwnerRef: |
bool |
false |
When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted |
controller: featureGates: |
string |
`` | Comma separated list of feature gates that should be enabled on the controller pod. |
controller: maxConcurrentChallenges: |
int |
60 |
The maximum number of challenges that can be scheduled as 'processing' at once |
controller: podDNSConfig: |
struct |
{} |
Optional DNS settings, useful if you have a public and private DNS zone for the same domain on Route 53. What follows is an example of ensuring cert-manager can access an ingress or DNS TXT records at all times. NOTE: This requires Kubernetes 1.10 or CustomPodDNS feature gate enabled for the cluster to work. |
controller: podDNSPolicy: |
string |
"ClusterFirst" |
|
controller: monitoring: enabled: |
bool |
false |
Enable Prometheus monitoring for the cert-manager controller to use with the Prometheus Operator. |
controller: monitoring: namespace: |
string |
"default" |
The namespace to create the Monitor in |
controller: monitoring: type: |
string |
"Annotations" |
The type of monitoring to enable, can be one of "ServiceMonitor", "PodMonitor" or "Annotations" If ServiceMonitor is used a Service will also be created |
controller: monitoring: prometheusInstance: |
string |
"default" |
Specifies the prometheus label on the created PodMonitor/ServiceMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor/ServiceMonitor. |
controller: monitoring: targetPort: |
(int|string) |
"http-metrics" |
The target port to set on the Monitor, should match the port that cert-manager controller is listening on for metrics |
controller: monitoring: path: |
string |
"/metrics" |
The path to scrape for metrics |
controller: monitoring: interval: |
string |
"60s" |
The interval to scrape metrics |
controller: monitoring: scrapeTimeout: |
string |
"30s" |
The timeout before a metrics scrape fails |
controller: monitoring: labels: |
struct |
{} |
Additional labels to add to the PodMonitor |
controller: monitoring: annotations: |
struct |
{} |
Additional annotations to add to the PodMonitor |
controller: monitoring: honorLabels: |
bool |
false |
Keep labels from scraped data, overriding server-side labels. |
controller: monitoring: endpointAdditionalProperties: |
struct |
{} |
EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. For example: endpointAdditionalProperties: relabelings: - action: replace sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: instance |
controller: config: |
struct |
{"apiVersion": "controller.config.cert-manager.io/v1alpha1","kind": "ControllerConfiguration","logging": {"verbosity": 2,"format": "text"}, "leaderElectionConfig": {"namespace": "kube-system"}, "kubernetesAPIQPS": 9000,"kubernetesAPIBurst": 9000,"numberOfConcurrentWorkers": 200} |
Used to configure options for the controller pod. This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here. |
controller: automountServiceAccountToken: |
bool |
false |
indicates whether a service account token should be automatically mounted. |
controller: containerSecurityContext: capabilities: add: |
list |
[] |
Added capabilities |
controller: containerSecurityContext: capabilities: drop: |
list |
["ALL"] |
Removed capabilities |
controller: containerSecurityContext: privileged: |
(null|bool) |
`` | Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: seLinuxOptions: |
(null|struct) |
`` | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: windowsOptions: |
(null|struct) |
`` | The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
controller: containerSecurityContext: runAsUser: |
(null|int) |
`` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: runAsGroup: |
(null|int) |
`` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: runAsNonRoot: |
bool |
true |
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
controller: containerSecurityContext: readOnlyRootFilesystem: |
bool |
true |
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: allowPrivilegeEscalation: |
bool |
false |
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: procMount: |
(null|string) |
`` | procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. |
controller: containerSecurityContext: seccompProfile: |
(null|struct) |
`` | The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. |
controller: deploymentAnnotations: |
struct |
{} |
is the annotations for the deployment. |
controller: deploymentLabels: |
struct |
{} |
is the labels for the deployment. |
controller: enableServiceLinks: |
bool |
false |
indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. |
controller: extraArgs: |
list |
[] |
Additional command line flags to pass to cert-manager binaries. To see all available flags run docker run quay.io/jetstack/cert-manager-: --help |
controller: extraEnvs: |
list |
[] |
is a list of additional environment variables to pass to the container. |
controller: image: repository: |
string |
"quay.io/jetstack/cert-manager-controller" |
Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
controller: image: tag: |
string |
"v1.14.2" |
Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
controller: image: digest: |
string |
"sha256:94c24f76822cbf523eedb36c4c4aaa1eb8fffad31841a82946a175c74e3a9673" |
Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
controller: image: pullPolicy: |
string |
"IfNotPresent" |
PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
controller: livenessProbe: initialDelaySeconds: |
int |
`` | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
controller: livenessProbe: exec: |
(null|struct) |
`` | Exec specifies the action to take. |
controller: livenessProbe: timeoutSeconds: |
int |
`` | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
controller: livenessProbe: periodSeconds: |
int |
`` | How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. |
controller: livenessProbe: successThreshold: |
int |
`` | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
controller: livenessProbe: failureThreshold: |
int |
`` | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
controller: livenessProbe: httpGet: |
(null|struct) |
`` | HTTPGet specifies the http request to perform. |
controller: livenessProbe: tcpSocket: |
(null|struct) |
`` | TCPSocket specifies an action involving a TCP port. |
controller: livenessProbe: terminationGracePeriodSeconds: |
(null|int) |
`` | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
controller: livenessProbe: grpc: |
(null|struct) |
`` | GRPC specifies an action involving a GRPC port. |
controller: ingressShim: |
struct |
{} |
|
controller: podAnnotations: |
struct |
{} |
is the annotations for the pod. |
controller: podDisruptionBudget: |
struct |
{"enabled": false} |
is the pod disruption budget. |
controller: podLabels: |
struct |
{} |
is the labels for the pod. |
controller: proxy: |
struct |
`` | defines the proxy configuration to be used by the container. |
controller: readinessProbe: initialDelaySeconds: |
int |
`` | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
controller: readinessProbe: exec: |
(null|struct) |
`` | Exec specifies the action to take. |
controller: readinessProbe: timeoutSeconds: |
int |
`` | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
controller: readinessProbe: periodSeconds: |
int |
`` | How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. |
controller: readinessProbe: successThreshold: |
int |
`` | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
controller: readinessProbe: failureThreshold: |
int |
`` | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
controller: readinessProbe: httpGet: |
(null|struct) |
`` | HTTPGet specifies the http request to perform. |
controller: readinessProbe: tcpSocket: |
(null|struct) |
`` | TCPSocket specifies an action involving a TCP port. |
controller: readinessProbe: terminationGracePeriodSeconds: |
(null|int) |
`` | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
controller: readinessProbe: grpc: |
(null|struct) |
`` | GRPC specifies an action involving a GRPC port. |
controller: replicas: |
int |
1 |
is the number of desired replicas. |
controller: resources: |
struct |
{} |
is the resource requirements for the container. |
controller: securityContext: runAsNonRoot: |
bool |
true |
|
controller: securityContext: seccompProfile: type: |
string |
"RuntimeDefault" |
|
controller: serviceAccount: annotations: |
struct |
{} |
is the annotations for the service account. |
controller: serviceAccount: labels: |
struct |
{} |
is the labels for the service account. |
controller: serviceAccount: automountServiceAccountToken: |
bool |
false |
indicates whether a service account token should be automatically mounted. |
controller: service: annotations: |
struct |
{} |
is the annotations for the service. |
controller: service: labels: |
struct |
{} |
is the labels for the service. |
controller: service: type: |
string |
"ClusterIP" |
is the type of the service. |
controller: strategy: |
struct |
{} |
is the deployment strategy to use to replace existing pods with new ones. |
controller: tolerations: |
list |
[] |
is the tolerations for the pod. |
controller: topologySpreadConstraints: |
list |
[] |
is the topology spread constraints for the pod. |
controller: volumeMounts: |
list |
[{"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount","name": "serviceaccount-token","readOnly": true}] |
is the volume mounts for the container. |
controller: volumes: |
list |
[{"name": "serviceaccount-token","projected": {"defaultMode": 444,"sources": [{"serviceAccountToken": {"expirationSeconds": 3607,"path": "token"}}, {"configMap": {"name": "kube-root-ca.crt","items": [{"key": "ca.crt","path": "ca.crt"}]}}, {"downwardAPI": {"items": [{"path": "namespace","fieldRef": {"apiVersion": "v1","fieldPath": "metadata.namespace"}}]}}]}}] |
is the volumes for the pod. |
webhook: featureGates: |
string |
`` | is a comma separated list of feature gates to enable. |
webhook: affinity: |
struct |
{} |
group of affinity scheduling rules. |
webhook: hostNetwork: |
bool |
false |
enalbes host networking for the webhook pod. |
webhook: loadBalancerIP: |
string |
`` | is the IP address to bind to when running the webhook pod. |
webhook: mutatingWebhookConfigurationAnnotations: |
struct |
{} |
is a map of annotations to add to the mutating webhook configuration. |
webhook: securePort: |
int |
10250 |
set the port that the webhook should listen on for requests. |
webhook: timeoutSeconds: |
int |
10 |
number of seconds to wait before timing out a request to the webhook. |
webhook: validatingWebhookConfigurationAnnotations: |
struct |
{} |
is a map of annotations to add to the validating webhook configuration. |
webhook: args: |
list |
[] |
are the arguments to pass to the webhook pod. |
webhook: networkPolicy: |
struct |
{"ingress": [{"from": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}],"egress": [{"ports": [{"port": 80,"protocol": "TCP"}, {"port": 443,"protocol": "TCP"}, {"port": 53,"protocol": "TCP"}, {"port": 53,"protocol": "UDP"}, {"port": 6443,"protocol": "TCP"}],"to": [{"ipBlock": {"cidr": "0.0.0.0/0"}}]}]} |
is a map of network policy rules to apply to the webhook pod. |
webhook: config: |
struct |
{"apiVersion": "webhook.config.cert-manager.io/v1alpha1","kind": "WebhookConfiguration","securePort": 10250} |
Used to configure options for the webhook pod. This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here. |
webhook: automountServiceAccountToken: |
bool |
false |
indicates whether a service account token should be automatically mounted. |
webhook: containerSecurityContext: capabilities: add: |
list |
[] |
Added capabilities |
webhook: containerSecurityContext: capabilities: drop: |
list |
["ALL"] |
Removed capabilities |
webhook: containerSecurityContext: privileged: |
(null|bool) |
`` | Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: seLinuxOptions: |
(null|struct) |
`` | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: windowsOptions: |
(null|struct) |
`` | The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
webhook: containerSecurityContext: runAsUser: |
(null|int) |
`` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: runAsGroup: |
(null|int) |
`` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: runAsNonRoot: |
bool |
true |
Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
webhook: containerSecurityContext: readOnlyRootFilesystem: |
bool |
true |
Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: allowPrivilegeEscalation: |
bool |
false |
AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: procMount: |
(null|string) |
`` | procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. |
webhook: containerSecurityContext: seccompProfile: |
(null|struct) |
`` | The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. |
webhook: deploymentAnnotations: |
struct |
{} |
is the annotations for the deployment. |
webhook: deploymentLabels: |
struct |
{} |
is the labels for the deployment. |
webhook: enableServiceLinks: |
bool |
false |
indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. |
webhook: extraArgs: |
list |
[] |
Additional command line flags to pass to cert-manager binaries. To see all available flags run docker run quay.io/jetstack/cert-manager-: --help |
webhook: extraEnvs: |
list |
[] |
is a list of additional environment variables to pass to the container. |
webhook: image: repository: |
string |
"quay.io/jetstack/cert-manager-webhook" |
Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
webhook: image: tag: |
string |
"v1.14.2" |
Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
webhook: image: digest: |
string |
"sha256:8c2974322be244119eff2112ce1ea935dcd15bc9cc50b42c6796f8d66d09f9e3" |
Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
webhook: image: pullPolicy: |
string |
"IfNotPresent" |
PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
webhook: livenessProbe: initialDelaySeconds: |
int |
`` | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
webhook: livenessProbe: exec: |
(null|struct) |
`` | Exec specifies the action to take. |
webhook: livenessProbe: timeoutSeconds: |
int |
`` | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
webhook: livenessProbe: periodSeconds: |
int |
`` | How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. |
webhook: livenessProbe: successThreshold: |
int |
`` | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
webhook: livenessProbe: failureThreshold: |
int |
`` | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
webhook: livenessProbe: httpGet: |
(null|struct) |
`` | HTTPGet specifies the http request to perform. |
webhook: livenessProbe: tcpSocket: |
(null|struct) |
`` | TCPSocket specifies an action involving a TCP port. |
webhook: livenessProbe: terminationGracePeriodSeconds: |
(null|int) |
`` | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
webhook: livenessProbe: grpc: |
(null|struct) |
`` | GRPC specifies an action involving a GRPC port. |
webhook: url: host: |
string |
`` | Overrides the mutating webhook and validating webhook so they reach the webhook service using the host field instead of a service. |
webhook: podAnnotations: |
struct |
{} |
is the annotations for the pod. |
webhook: podDisruptionBudget: |
struct |
{"enabled": false} |
is the pod disruption budget. |
webhook: podLabels: |
struct |
{} |
is the labels for the pod. |
webhook: proxy: |
struct |
`` | defines the proxy configuration to be used by the container. |
webhook: readinessProbe: initialDelaySeconds: |
int |
`` | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`webhook: readinessProbe: exec:` | `(null\|struct)` | | Exec specifies the action to take. |
`webhook: readinessProbe: timeoutSeconds:` | `int` | | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`webhook: readinessProbe: periodSeconds:` | `int` | | How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. |
`webhook: readinessProbe: successThreshold:` | `int` | | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
`webhook: readinessProbe: failureThreshold:` | `int` | | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
`webhook: readinessProbe: httpGet:` | `(null\|struct)` | | HTTPGet specifies the http request to perform. |
`webhook: readinessProbe: tcpSocket:` | `(null\|struct)` | | TCPSocket specifies an action involving a TCP port. |
`webhook: readinessProbe: terminationGracePeriodSeconds:` | `(null\|int)` | | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
`webhook: readinessProbe: grpc:` | `(null\|struct)` | | GRPC specifies an action involving a GRPC port. |
`webhook: replicas:` | `int` | `1` | The number of desired replicas. |
`webhook: resources:` | `struct` | `{}` | The resource requirements for the container. |
`webhook: securityContext: runAsNonRoot:` | `bool` | `true` | Pod-level security context: every container in the pod must run as a non-root user. |
`webhook: securityContext: seccompProfile: type:` | `string` | `"RuntimeDefault"` | Pod-level seccomp profile. RuntimeDefault (or Localhost) is required by the restricted Pod Security Standard. |
`webhook: serviceAccount: annotations:` | `struct` | `{}` | The annotations for the service account. |
`webhook: serviceAccount: labels:` | `struct` | `{}` | The labels for the service account. |
`webhook: serviceAccount: automountServiceAccountToken:` | `bool` | `false` | Indicates whether a service account token should be automatically mounted. |
`webhook: service: annotations:` | `struct` | `{}` | The annotations for the service. |
`webhook: service: labels:` | `struct` | `{}` | The labels for the service. |
`webhook: service: type:` | `string` | `"ClusterIP"` | The type of the service. |
`webhook: strategy:` | `struct` | `{}` | The deployment strategy to use to replace existing pods with new ones. |
`webhook: tolerations:` | `list` | `[]` | The tolerations for the pod. |
`webhook: topologySpreadConstraints:` | `list` | `[]` | The topology spread constraints for the pod. |
`webhook: volumeMounts:` | `list` | `[{"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount","name": "serviceaccount-token","readOnly": true}]` | The volume mounts for the container. |
`webhook: volumes:` | `list` | `[{"name": "serviceaccount-token","projected": {"defaultMode": 444,"sources": [{"serviceAccountToken": {"expirationSeconds": 3607,"path": "token"}}, {"configMap": {"name": "kube-root-ca.crt","items": [{"key": "ca.crt","path": "ca.crt"}]}}, {"downwardAPI": {"items": [{"path": "namespace","fieldRef": {"apiVersion": "v1","fieldPath": "metadata.namespace"}}]}}]}}]` | The volumes for the pod. |
`caInjector: config:` | `struct` | `{}` | Configures the CAInjector with a custom ConfigMap. |
`caInjector: affinity:` | `struct` | `{}` | Group of affinity scheduling rules. |
`caInjector: automountServiceAccountToken:` | `bool` | `false` | Indicates whether a service account token should be automatically mounted. |
`caInjector: containerSecurityContext: capabilities: add:` | `list` | `[]` | Added capabilities. |
`caInjector: containerSecurityContext: capabilities: drop:` | `list` | `["ALL"]` | Removed capabilities. |
`caInjector: containerSecurityContext: privileged:` | `(null\|bool)` | | Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: seLinuxOptions:` | `(null\|struct)` | | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: windowsOptions:` | `(null\|struct)` | | The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
`caInjector: containerSecurityContext: runAsUser:` | `(null\|int)` | | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: runAsGroup:` | `(null\|int)` | | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: runAsNonRoot:` | `bool` | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
`caInjector: containerSecurityContext: readOnlyRootFilesystem:` | `bool` | `true` | Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: allowPrivilegeEscalation:` | `bool` | `false` | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is always true when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: procMount:` | `(null\|string)` | | procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: containerSecurityContext: seccompProfile:` | `(null\|struct)` | | The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. |
`caInjector: deploymentAnnotations:` | `struct` | `{}` | The annotations for the deployment. |
`caInjector: deploymentLabels:` | `struct` | `{}` | The labels for the deployment. |
`caInjector: enableServiceLinks:` | `bool` | `false` | Indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links. |
`caInjector: extraArgs:` | `list` | `[]` | Additional command line flags to pass to the cainjector binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-cainjector:<tag> --help`. |
`caInjector: extraEnvs:` | `list` | `[]` | A list of additional environment variables to pass to the container. |
`caInjector: image: repository:` | `string` | `"quay.io/jetstack/cert-manager-cainjector"` | Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
`caInjector: image: tag:` | `string` | `"v1.14.2"` | Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
`caInjector: image: digest:` | `string` | `"sha256:20878790620de378a206d74f23e472f99b33fa79f07f744d1de22807ede9c9ce"` | Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
`caInjector: image: pullPolicy:` | `string` | `"IfNotPresent"` | PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
`caInjector: livenessProbe: initialDelaySeconds:` | `int` | | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`caInjector: livenessProbe: exec:` | `(null\|struct)` | | Exec specifies the action to take. |
`caInjector: livenessProbe: timeoutSeconds:` | `int` | | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`caInjector: livenessProbe: periodSeconds:` | `int` | | How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. |
`caInjector: livenessProbe: successThreshold:` | `int` | | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
`caInjector: livenessProbe: failureThreshold:` | `int` | | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
`caInjector: livenessProbe: httpGet:` | `(null\|struct)` | | HTTPGet specifies the http request to perform. |
`caInjector: livenessProbe: tcpSocket:` | `(null\|struct)` | | TCPSocket specifies an action involving a TCP port. |
`caInjector: livenessProbe: terminationGracePeriodSeconds:` | `(null\|int)` | | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
`caInjector: livenessProbe: grpc:` | `(null\|struct)` | | GRPC specifies an action involving a GRPC port. |
`caInjector: podAnnotations:` | `struct` | `{}` | The annotations for the pod. |
`caInjector: podDisruptionBudget:` | `struct` | `{"enabled": false}` | The pod disruption budget. |
`caInjector: podLabels:` | `struct` | `{}` | The labels for the pod. |
`caInjector: proxy:` | `struct` | | Defines the proxy configuration to be used by the container. |
`caInjector: readinessProbe: initialDelaySeconds:` | `int` | | Number of seconds after the container has started before readiness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`caInjector: readinessProbe: exec:` | `(null\|struct)` | | Exec specifies the action to take. |
`caInjector: readinessProbe: timeoutSeconds:` | `int` | | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`caInjector: readinessProbe: periodSeconds:` | `int` | | How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. |
`caInjector: readinessProbe: successThreshold:` | `int` | | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
`caInjector: readinessProbe: failureThreshold:` | `int` | | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
`caInjector: readinessProbe: httpGet:` | `(null\|struct)` | | HTTPGet specifies the http request to perform. |
`caInjector: readinessProbe: tcpSocket:` | `(null\|struct)` | | TCPSocket specifies an action involving a TCP port. |
`caInjector: readinessProbe: terminationGracePeriodSeconds:` | `(null\|int)` | | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
`caInjector: readinessProbe: grpc:` | `(null\|struct)` | | GRPC specifies an action involving a GRPC port. |
`caInjector: replicas:` | `int` | `1` | The number of desired replicas. |
`caInjector: resources:` | `struct` | `{}` | The resource requirements for the container. |
`caInjector: securityContext: runAsNonRoot:` | `bool` | `true` | Pod-level security context: every container in the pod must run as a non-root user. |
`caInjector: securityContext: seccompProfile: type:` | `string` | `"RuntimeDefault"` | Pod-level seccomp profile. RuntimeDefault (or Localhost) is required by the restricted Pod Security Standard. |
`caInjector: serviceAccount: annotations:` | `struct` | `{}` | The annotations for the service account. |
`caInjector: serviceAccount: labels:` | `struct` | `{}` | The labels for the service account. |
`caInjector: serviceAccount: automountServiceAccountToken:` | `bool` | `false` | Indicates whether a service account token should be automatically mounted. |
`caInjector: service: annotations:` | `struct` | `{}` | The annotations for the service. |
`caInjector: service: labels:` | `struct` | `{}` | The labels for the service. |
`caInjector: service: type:` | `string` | `"ClusterIP"` | The type of the service. |
`caInjector: strategy:` | `struct` | `{}` | The deployment strategy to use to replace existing pods with new ones. |
`caInjector: tolerations:` | `list` | `[]` | The tolerations for the pod. |
`caInjector: topologySpreadConstraints:` | `list` | `[]` | The topology spread constraints for the pod. |
`caInjector: volumeMounts:` | `list` | `[{"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount","name": "serviceaccount-token","readOnly": true}]` | The volume mounts for the container. |
`caInjector: volumes:` | `list` | `[{"name": "serviceaccount-token","projected": {"defaultMode": 444,"sources": [{"serviceAccountToken": {"expirationSeconds": 3607,"path": "token"}}, {"configMap": {"name": "kube-root-ca.crt","items": [{"key": "ca.crt","path": "ca.crt"}]}}, {"downwardAPI": {"items": [{"path": "namespace","fieldRef": {"apiVersion": "v1","fieldPath": "metadata.namespace"}}]}}]}}]` | The volumes for the pod. |
`acmeSolver: image: repository:` | `string` | `"quay.io/jetstack/cert-manager-acmesolver"` | Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
`acmeSolver: image: tag:` | `string` | `"v1.14.2"` | Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
`acmeSolver: image: digest:` | `string` | `"sha256:958f9455bfa57dc7b289fc0d32f01d952b8b028a3dbe54300fb4dc633e109fa2"` | Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
`acmeSolver: image: pullPolicy:` | `string` | `"IfNotPresent"` | PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
`test: enabled:` | `bool` | `true` | Enable startupAPICheck to verify the cert-manager API is available. |
`test: startupAPICheck: affinity:` | `struct` | `{}` | Group of affinity scheduling rules. |
`test: startupAPICheck: automountServiceAccountToken:` | `bool` | `false` | Indicates whether a service account token should be automatically mounted. |
`test: startupAPICheck: containerSecurityContext: capabilities: add:` | `list` | `[]` | Added capabilities. |
`test: startupAPICheck: containerSecurityContext: capabilities: drop:` | `list` | `["ALL"]` | Removed capabilities. |
`test: startupAPICheck: containerSecurityContext: privileged:` | `(null\|bool)` | | Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: seLinuxOptions:` | `(null\|struct)` | | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: windowsOptions:` | `(null\|struct)` | | The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |
`test: startupAPICheck: containerSecurityContext: runAsUser:` | `(null\|int)` | | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: runAsGroup:` | `(null\|int)` | | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: runAsNonRoot:` | `bool` | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |
`test: startupAPICheck: containerSecurityContext: readOnlyRootFilesystem:` | `bool` | `true` | Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: allowPrivilegeEscalation:` | `bool` | `false` | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is always true when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: procMount:` | `(null\|string)` | | procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: containerSecurityContext: seccompProfile:` | `(null\|struct)` | | The seccomp options to use by this container. If seccomp options are provided at both the pod & container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. |
`test: startupAPICheck: deploymentAnnotations:` | `struct` | `{}` | The annotations for the deployment. |
`test: startupAPICheck: deploymentLabels:` | `struct` | `{}` | The labels for the deployment. |
`test: startupAPICheck: enableServiceLinks:` | `bool` | `false` | Indicates whether information about services should be injected into the pod's environment variables, matching the syntax of Docker links. |
`test: startupAPICheck: extraArgs:` | `list` | `["-v"]` | Additional command line flags to pass to the startupapicheck binary. To see all available flags run `docker run quay.io/jetstack/cert-manager-ctl:<tag> --help`. Verbose logging is enabled by default so that if startupapicheck fails, users can see what exactly caused the failure; verbose logs include, for example, the webhook URL, IP address and TCP connect errors. |
`test: startupAPICheck: extraEnvs:` | `list` | `[]` | A list of additional environment variables to pass to the container. |
`test: startupAPICheck: image: repository:` | `string` | `"quay.io/jetstack/cert-manager-ctl"` | Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
`test: startupAPICheck: image: tag:` | `string` | `"v1.14.2"` | Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
`test: startupAPICheck: image: digest:` | `string` | `"sha256:de4ee13b1f85907d569136553bd1f5245a7c44f6b28c5622d2bc2b83e0576474"` | Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
`test: startupAPICheck: image: pullPolicy:` | `string` | `"IfNotPresent"` | PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
`test: startupAPICheck: livenessProbe: initialDelaySeconds:` | `int` | | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`test: startupAPICheck: livenessProbe: exec:` | `(null\|struct)` | | Exec specifies the action to take. |
`test: startupAPICheck: livenessProbe: timeoutSeconds:` | `int` | | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`test: startupAPICheck: livenessProbe: periodSeconds:` | `int` | | How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. |
`test: startupAPICheck: livenessProbe: successThreshold:` | `int` | | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
`test: startupAPICheck: livenessProbe: failureThreshold:` | `int` | | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
`test: startupAPICheck: livenessProbe: httpGet:` | `(null\|struct)` | | HTTPGet specifies the http request to perform. |
`test: startupAPICheck: livenessProbe: tcpSocket:` | `(null\|struct)` | | TCPSocket specifies an action involving a TCP port. |
`test: startupAPICheck: livenessProbe: terminationGracePeriodSeconds:` | `(null\|int)` | | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
`test: startupAPICheck: livenessProbe: grpc:` | `(null\|struct)` | | GRPC specifies an action involving a GRPC port. |
`test: startupAPICheck: podDisruptionBudget:` | `struct` | `{"enabled": false}` | The pod disruption budget. |
`test: startupAPICheck: backoffLimit:` | `int` | `4` | The number of retries before considering a Job as failed. |
`test: startupAPICheck: jobAnnotations:` | `struct` | `{}` | A map of annotations to add to the job. |
`test: startupAPICheck: timeout:` | `string` | `"1m"` | Timeout for the `check api` command run by the startupapicheck Job. |
`test: startupAPICheck: podAnnotations:` | `struct` | `{}` | The annotations for the pod. |
`test: startupAPICheck: podLabels:` | `struct` | `{}` | The labels for the pod. |
`test: startupAPICheck: proxy:` | `struct` | | Defines the proxy configuration to be used by the container. |
`test: startupAPICheck: readinessProbe: initialDelaySeconds:` | `int` | | Number of seconds after the container has started before readiness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`test: startupAPICheck: readinessProbe: exec:` | `(null\|struct)` | | Exec specifies the action to take. |
`test: startupAPICheck: readinessProbe: timeoutSeconds:` | `int` | | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
`test: startupAPICheck: readinessProbe: periodSeconds:` | `int` | | How often (in seconds) to perform the probe. Defaults to 10 seconds. Minimum value is 1. |
`test: startupAPICheck: readinessProbe: successThreshold:` | `int` | | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
`test: startupAPICheck: readinessProbe: failureThreshold:` | `int` | | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
`test: startupAPICheck: readinessProbe: httpGet:` | `(null\|struct)` | | HTTPGet specifies the http request to perform. |
`test: startupAPICheck: readinessProbe: tcpSocket:` | `(null\|struct)` | | TCPSocket specifies an action involving a TCP port. |
`test: startupAPICheck: readinessProbe: terminationGracePeriodSeconds:` | `(null\|int)` | | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
`test: startupAPICheck: readinessProbe: grpc:` | `(null\|struct)` | | GRPC specifies an action involving a GRPC port. |
`test: startupAPICheck: replicas:` | `int` | `1` | The number of desired replicas. |
`test: startupAPICheck: resources:` | `struct` | `{}` | The resource requirements for the container. |
`test: startupAPICheck: securityContext: runAsNonRoot:` | `bool` | `true` | Pod-level security context: every container in the pod must run as a non-root user. |
`test: startupAPICheck: securityContext: seccompProfile: type:` | `string` | `"RuntimeDefault"` | Pod-level seccomp profile. RuntimeDefault (or Localhost) is required by the restricted Pod Security Standard. |
`test: startupAPICheck: serviceAccount: annotations:` | `struct` | `{}` | The annotations for the service account. |
`test: startupAPICheck: serviceAccount: labels:` | `struct` | `{}` | The labels for the service account. |
`test: startupAPICheck: serviceAccount: automountServiceAccountToken:` | `bool` | `false` | Indicates whether a service account token should be automatically mounted. |
`test: startupAPICheck: service: annotations:` | `struct` | `{}` | The annotations for the service. |
`test: startupAPICheck: service: labels:` | `struct` | `{}` | The labels for the service. |
`test: startupAPICheck: service: type:` | `string` | `"ClusterIP"` | The type of the service. |
`test: startupAPICheck: strategy:` | `struct` | `{}` | The deployment strategy to use to replace existing pods with new ones. |
`test: startupAPICheck: tolerations:` | `list` | `[]` | The tolerations for the pod. |
`test: startupAPICheck: topologySpreadConstraints:` | `list` | `[]` | The topology spread constraints for the pod. |
`test: startupAPICheck: volumeMounts:` | `list` | `[{"mountPath": "/var/run/secrets/kubernetes.io/serviceaccount","name": "serviceaccount-token","readOnly": true}]` | The volume mounts for the container. |
`test: startupAPICheck: volumes:` | `list` | `[{"name": "serviceaccount-token","projected": {"defaultMode": 444,"sources": [{"serviceAccountToken": {"expirationSeconds": 3607,"path": "token"}}, {"configMap": {"name": "kube-root-ca.crt","items": [{"key": "ca.crt","path": "ca.crt"}]}}, {"downwardAPI": {"items": [{"path": "namespace","fieldRef": {"apiVersion": "v1","fieldPath": "metadata.namespace"}}]}}]}}]` | The volumes for the pod. |
By default this module is configured for a production deployment and should comply with the restricted Kubernetes Pod Security Standard. Any change to the security contexts, capabilities or service-account token settings can produce a deployment that no longer meets that standard, so re-check the rendered manifests after customizing. The following values file shows the two high-availability options and how to go back to the auto-mounted service-account token:

```cue
values: {
	logLevel: 4
	// There are two ways to set up high availability: set replicas in each
	// component section, or use this shortcut, which defaults to the recommended
	// settings from https://cert-manager.io/docs/installation/best-practice/#high-availability
	highAvailability: enabled: true
	// When enabled is true, controller: replicas: etc. are ignored and the
	// values below are used instead (shown with their defaults):
	// highAvailability: controllerReplicas: 2
	// highAvailability: webhookReplicas: 3
	// highAvailability: caInjectorReplicas: 2
	// By default the ServiceAccount token is not auto-mounted; instead a projected
	// Volume and VolumeMount add a time-bound token to the Pod. The settings
	// below reverse that and go back to the auto-mounted token.
	controller: automountServiceAccountToken: true
	controller: serviceAccount: automountServiceAccountToken: true
	controller: volumes: []
	controller: volumeMounts: []
	caInjector: automountServiceAccountToken: true
	caInjector: serviceAccount: automountServiceAccountToken: true
	caInjector: volumes: []
	caInjector: volumeMounts: []
	webhook: automountServiceAccountToken: true
	webhook: serviceAccount: automountServiceAccountToken: true
	webhook: volumes: []
	webhook: volumeMounts: []
	test: startupAPICheck: automountServiceAccountToken: true
	test: startupAPICheck: serviceAccount: automountServiceAccountToken: true
	test: startupAPICheck: volumes: []
	test: startupAPICheck: volumeMounts: []
}
```
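The statement above that customizations can break restricted Pod Security Standard compliance, and the values example's note on the projected service-account token, both call for a concrete check. The script below is an added example, not code from the timoni module or from cert-manager. It takes a Pod spec as a plain dict (for instance the `spec` field of `kubectl -n cert-manager get pod <name> -o json`) and reports every deviation from the defaults the values table documents: the restricted PSS fields, the module's read-only root filesystem, and the projected token volume. The sample spec embedded in it is constructed by hand from the table defaults so it runs offline; the container name in it is made up. One deliberate caveat: the API takes `defaultMode` as a decimal integer, so the `444` shown in the table is not the same mode as a YAML `0444` literal (decimal 292). The check prints the mode in octal so you can confirm what your rendered manifest actually carries.

```python
"""Hardening check for Pod specs rendered by the cert-manager timoni module.

Added example; not part of the timoni module or of cert-manager. Feed it the
`spec` of a Pod as a dict. DEFAULT_SPEC below is constructed from the values
table defaults (container name is invented).
"""
from __future__ import annotations

import copy

SA_MOUNT = "/var/run/secrets/kubernetes.io/serviceaccount"
MIN_TOKEN_EXPIRATION = 600   # kubelet rejects shorter projected token lifetimes
READ_ONLY_MODE = 0o444       # decimal 292 when written in JSON or CUE


def container_findings(c: dict) -> list[str]:
    """Container-level checks: restricted PSS plus the module's own defaults."""
    name = c.get("name", "<unnamed>")
    sc = c.get("securityContext") or {}
    caps = sc.get("capabilities") or {}
    out: list[str] = []
    if sc.get("privileged"):
        out.append(f"{name}: privileged=true")
    if sc.get("allowPrivilegeEscalation") is not False:
        out.append(f"{name}: allowPrivilegeEscalation must be false")
    if "ALL" not in (caps.get("drop") or []):
        out.append(f"{name}: capabilities.drop must include ALL")
    extra = [cap for cap in (caps.get("add") or []) if cap != "NET_BIND_SERVICE"]
    if extra:
        out.append(f"{name}: capabilities.add {extra} not allowed by restricted PSS")
    if sc.get("readOnlyRootFilesystem") is not True:
        out.append(f"{name}: readOnlyRootFilesystem is not true (module default)")
    for m in c.get("volumeMounts") or []:
        if m.get("mountPath") == SA_MOUNT and m.get("readOnly") is not True:
            out.append(f"{name}: service-account token mount is not readOnly")
    return out


def token_volume_findings(spec: dict) -> list[str]:
    """Checks on the projected token volume the module uses instead of automount."""
    out: list[str] = []
    if spec.get("automountServiceAccountToken") is not False:
        out.append("pod: automountServiceAccountToken is not false; the legacy "
                   "auto-mounted token would be used instead of the projected volume")
    for v in spec.get("volumes") or []:
        proj = v.get("projected")
        if not proj:
            continue
        mode = proj.get("defaultMode", 0o644)  # API default when the field is unset
        for src in proj.get("sources") or []:
            tok = src.get("serviceAccountToken")
            if tok is None:
                continue
            exp = tok.get("expirationSeconds", 3600)
            if exp < MIN_TOKEN_EXPIRATION:
                out.append(f"volume {v['name']}: expirationSeconds {exp} is below the "
                           f"{MIN_TOKEN_EXPIRATION}s minimum and will be rejected")
            if mode != READ_ONLY_MODE:
                out.append(f"volume {v['name']}: defaultMode {mode} is 0o{mode:o}; a read-only token file is 0o444 (decimal {READ_ONLY_MODE})")
    return out


def pod_findings(spec: dict) -> list[str]:
    """All findings for one Pod spec; an empty list means it matches the defaults."""
    psc = spec.get("securityContext") or {}
    out: list[str] = []
    if psc.get("runAsNonRoot") is not True:
        out.append("pod: runAsNonRoot must be true")
    if (psc.get("seccompProfile") or {}).get("type") not in ("RuntimeDefault", "Localhost"):
        out.append("pod: seccompProfile.type must be RuntimeDefault or Localhost")
    out += token_volume_findings(spec)
    for c in (spec.get("containers") or []) + (spec.get("initContainers") or []):
        out += container_findings(c)
    return out


# Constructed sample mirroring the table defaults; the container name is made up.
DEFAULT_SPEC = {
    "automountServiceAccountToken": False,
    "securityContext": {"runAsNonRoot": True, "seccompProfile": {"type": "RuntimeDefault"}},
    "volumes": [{"name": "serviceaccount-token", "projected": {"defaultMode": 444, "sources": [
        {"serviceAccountToken": {"expirationSeconds": 3607, "path": "token"}},
        {"configMap": {"name": "kube-root-ca.crt", "items": [{"key": "ca.crt", "path": "ca.crt"}]}},
        {"downwardAPI": {"items": [{"path": "namespace",
                                    "fieldRef": {"apiVersion": "v1", "fieldPath": "metadata.namespace"}}]}},
    ]}}],
    "containers": [{
        "name": "example",
        "securityContext": {"allowPrivilegeEscalation": False, "readOnlyRootFilesystem": True,
                            "runAsNonRoot": True, "capabilities": {"drop": ["ALL"], "add": []}},
        "volumeMounts": [{"name": "serviceaccount-token", "mountPath": SA_MOUNT, "readOnly": True}],
    }],
}


def relaxed_spec() -> dict:
    """The closing values example applied: automount back on, projected volume removed."""
    spec = copy.deepcopy(DEFAULT_SPEC)
    spec["automountServiceAccountToken"] = True
    spec["volumes"] = []
    spec["containers"][0]["volumeMounts"] = []
    return spec


if __name__ == "__main__":
    for label, spec in (("defaults", DEFAULT_SPEC), ("automount", relaxed_spec())):
        print(label, pod_findings(spec) or "no findings")
```

Run it after `timoni ... apply` against each cert-manager Pod; the constructed default yields only the `defaultMode` note, and the relaxed values example yields only the automount finding, which is the trade-off that example makes: a long-lived auto-mounted token in place of the time-bound projected one.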