# cert-manager

cert-manager is a Kubernetes addon to automate the management and issuance of
TLS certificates from various issuing sources.

It periodically checks that certificates are valid and up to date, and attempts
to renew them at an appropriate time before expiry.

## Prerequisites

- Kubernetes 1.18+

## Installing the Chart

Full installation instructions, including details on how to configure extra
functionality in cert-manager, can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/).

Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources.
This is performed in a separate step so that you can uninstall and reinstall cert-manager without deleting your installed custom resources (`Certificate`, `Issuer`, `ClusterIssuer` and so on). Keep the CRD version in step with the chart version you install.

```bash
$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
```

To install the chart with the release name `my-release`:

```console
## Add the Jetstack Helm repository
$ helm repo add jetstack https://charts.jetstack.io
$ helm repo update

## Install the cert-manager helm chart
$ helm install my-release --namespace cert-manager --create-namespace --version v1.9.1 jetstack/cert-manager
```

`--create-namespace` is required the first time, because Helm 3 does not create the `cert-manager` namespace for you.

In order to begin issuing certificates, you will need to set up a ClusterIssuer
or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).

More information on the different types of issuers and how to configure them
can be found in [our documentation](https://cert-manager.io/docs/configuration/).

For information on how to configure cert-manager to automatically provision
Certificates for Ingress resources, take a look at the
[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/).
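The following manifests are an added example, not part of this README or of the cert-manager project, showing the two steps just described: a `letsencrypt-staging` ClusterIssuer using the ACME HTTP-01 solver, and an Ingress that asks cert-manager's ingress-shim to provision a certificate for it. The e-mail address, hostname, ingress class `nginx`, backend Service `web` and Secret names are placeholders chosen for the example.

```yaml
# Added example (not shipped with the chart). Placeholders: e-mail, hostname,
# ingress class, backend Service and Secret names.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging issues untrusted certificates but has generous rate limits;
    # validate the setup here before switching the server to
    # https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: security@example.com          # placeholder
    privateKeySecretRef:
      # The ACME account key lands in this Secret, in the namespace given by
      # clusterResourceNamespace (the cert-manager namespace by default).
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            class: nginx                 # placeholder ingress class
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: web
  namespace: default
  annotations:
    # ingress-shim reads this annotation and creates a Certificate named after
    # the TLS secretName, with dnsNames taken from the tls hosts below.
    cert-manager.io/cluster-issuer: letsencrypt-staging
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - www.example.com                # placeholder hostname
      secretName: web-tls                # cert-manager writes the key pair here
  rules:
    - host: www.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web                # placeholder backend Service
                port:
                  number: 80
```

After applying both objects, `kubectl get certificate,certificaterequest,order,challenge -n default` shows the issuance progressing; the Certificate is `Ready` once the HTTP-01 challenge has been served from the cluster and the `web-tls` Secret has been written. The account key Secret and any DNS provider credentials live in `clusterResourceNamespace`, so restrict read access to that namespace accordingly.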
> **Tip**: List all releases using `helm list --all-namespaces`

## Upgrading the Chart

Special considerations may be required when upgrading the Helm chart, and these
are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/).

**Please check here before performing upgrades!**

## Uninstalling the Chart

To uninstall/delete the `my-release` deployment (the release lives in the namespace it was installed into):

```console
$ helm delete my-release --namespace cert-manager
```

The command removes all the Kubernetes components associated with the chart and deletes the release.

If you want to completely uninstall cert-manager from your cluster, you will also need to
delete the previously installed CustomResourceDefinition resources:

```console
$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.9.1/cert-manager.crds.yaml
```

Deleting the CRDs deletes every `Certificate`, `Issuer`, `ClusterIssuer` and related custom resource in the cluster, so export them first if you may need to restore them. The Kubernetes `Secret` objects holding issued certificates and ACME account keys are not removed by this step (by default cert-manager does not set owner references on them); delete those separately if they are no longer needed.

## Configuration

The following table lists the configurable parameters of the cert-manager chart and their default values.
| Parameter | Description | Default |
| --- | --- | --- |
| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
| `global.priorityClassName` | Priority class name for cert-manager and webhook pods | `""` |
| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts). PodSecurityPolicy was removed in Kubernetes 1.25, so leave this disabled there | `false` |
| `global.podSecurityPolicy.useAppArmor` | If `true`, also set the AppArmor profile annotations on the PSP, alongside the seccomp ones | `true` |
| `global.leaderElection.namespace` | Override the namespace used to store the leader election lock. Pointing this at the cert-manager namespace avoids granting the controller write access in `kube-system` | `kube-system` |
| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | |
| `global.leaderElection.renewDeadline` | The interval between attempts by the current leader to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | |
| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempts to acquire and renew a leadership | |
| `installCRDs` | If `true`, CRD resources are installed as part of the Helm chart. They are then also removed on uninstall, which deletes every installed cert-manager custom resource with them | `false` |
| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
| `image.tag` | Image tag | `v1.9.1` |
| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
| `replicaCount` | Number of cert-manager replicas | `1` |
| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
| `featureGates` | Comma-separated `key=value` pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, by passing the `feature-gate` flag in `<component>.extraArgs` | `""` |
| `extraArgs` | Optional flags for cert-manager | `[]` |
| `extraEnv` | Optional environment variables for cert-manager | `[]` |
| `serviceAccount.create` | If `true`, create a new service account | `true` |
| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `serviceAccount.annotations` | Annotations to add to the service account | |
| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
| `volumes` | Optional volumes for cert-manager | `[]` |
| `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
| `resources` | CPU/memory resource requests/limits | `{}` |
| `securityContext` | Optional pod security context for the controller pod. The YAML block should adhere to the [SecurityContext spec](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.22/#securitycontext-v1-core) | `{}` |
| `containerSecurityContext` | Security context to be set on the controller component container | `{}` |
| `nodeSelector` | Node labels for pod assignment | `{}` |
| `affinity` | Node affinity for pod assignment | `{}` |
| `tolerations` | Node tolerations for pod assignment | `[]` |
| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | |
| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | |
| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | |
| `prometheus.enabled` | Enable Prometheus monitoring | `true` |
| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` |
| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) |
| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` |
| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` |
| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` |
| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer the label values exposed by cert-manager on conflicts. This can be used, for example, to remove the `exported_namespace` label | `false` |
| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
| `podLabels` | Labels to add to the cert-manager pod | `{}` |
| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
| `webhook.timeoutSeconds` | Seconds the API server should wait for the webhook to respond before treating the call as a failure | `10` |
| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` |
| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for an example | `{}` |
| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | |
| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
| `webhook.image.tag` | Webhook image tag | `v1.9.1` |
| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
| `webhook.securePort` | The port that the webhook should listen on for requests | `10250` |
| `webhook.securityContext` | Security context for the webhook pod | `{}` |
| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | `{}` |
| `webhook.hostNetwork` | If `true`, run the webhook on the host network. This is needed when the API server cannot reach pod IPs; in that case also change `webhook.securePort`, because the default `10250` is already used by the kubelet on the node | `false` |
| `webhook.serviceType` | The type of the `Service` | `ClusterIP` |
| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`) | |
| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service | |
| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` |
| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` |
| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` |
| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` |
| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` |
| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` |
| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` |
| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` |
| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | |
| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` |
| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` |
| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
| `cainjector.image.tag` | cainjector image tag | `v1.9.1` |
| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
| `cainjector.securityContext` | Security context for the cainjector pod | `{}` |
| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | `{}` |
| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
| `startupapicheck.securityContext` | Pod Security Context to be set on the startupapicheck component Pod | `{}` |
| `startupapicheck.timeout` | Timeout for the `check api` command run by the startupapicheck Job | `1m` |
| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` |
| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` |
| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` |
| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` |
| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` |
| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
| `startupapicheck.image.tag` | startupapicheck image tag | `v1.9.1` |
| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |

Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.

Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,

```console
$ helm install my-release -f values.yaml .
```

Here `.` installs the chart from the current directory; to install from the repository instead, replace it with `jetstack/cert-manager` and pass the same `--namespace` and `--version` flags as in the installation section.

> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)

## Contributing

This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).
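The following `values.yaml` is an added example, not a file shipped with the chart or written by the cert-manager project, that applies the parameters from the configuration table above to lock down the controller, webhook, cainjector and startupapicheck components. Every key is one documented in the table; the resource figures and the `release: kube-prometheus-stack` ServiceMonitor label are placeholders to be adjusted for your cluster.

```yaml
# Added example values file for the cert-manager chart (not shipped with it).
# Every key below is a parameter from the configuration table; resource
# figures and the ServiceMonitor label are placeholders.

installCRDs: false            # keep the CRD lifecycle separate from the release

global:
  leaderElection:
    # Keep the leader election lock in the release namespace so the chart does
    # not need write access in kube-system.
    namespace: cert-manager

replicaCount: 1               # the controller is leader-elected; one replica suffices

# Controller: pod-level and container-level security context.
securityContext:
  runAsNonRoot: true
  seccompProfile:
    type: RuntimeDefault      # needs Kubernetes 1.19+
containerSecurityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  capabilities:
    drop: ["ALL"]
resources:                    # placeholder figures
  requests: {cpu: 10m, memory: 32Mi}
  limits: {cpu: 500m, memory: 256Mi}

prometheus:
  enabled: true
  servicemonitor:
    enabled: true
    prometheusInstance: default        # must match your Prometheus Operator instance
    labels:
      release: kube-prometheus-stack   # placeholder selector label

webhook:
  # Admission fails closed while the webhook is down, so run more than one.
  replicaCount: 2
  timeoutSeconds: 10
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]
  # Only when the API server cannot reach pod IPs; 10250 is the kubelet's port.
  # hostNetwork: true
  # securePort: 10260

cainjector:
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
  containerSecurityContext:
    allowPrivilegeEscalation: false
    readOnlyRootFilesystem: true
    capabilities:
      drop: ["ALL"]

startupapicheck:
  enabled: true
  timeout: 2m                 # give the webhook time to become reachable
  securityContext:
    runAsNonRoot: true
    seccompProfile:
      type: RuntimeDefault
```

Install it with `helm install my-release jetstack/cert-manager --namespace cert-manager --create-namespace --version v1.9.1 -f values.yaml`. Before applying, `helm template` with the same `-f values.yaml` lets you confirm that the rendered Deployments carry the security contexts; after install, a successful `startupapicheck` Job confirms the API server can reach the webhook, which is the usual thing that breaks when `hostNetwork` or `securePort` is wrong. The service account tokens stay automounted because the controller, webhook and cainjector all talk to the API server; what the chart's RBAC grants those accounts is the thing to review.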