/
values.yaml
272 lines (231 loc) · 8.49 KB
/
values.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
# nameOverride replaces the name of the chart in the Chart.yaml file, when this
# is used to construct Kubernetes object names.
# +docs:property
# nameOverride: approver-policy
crds:
# This option decides if the CRDs should be installed
# as part of the Helm installation.
enabled: true
# This option makes it so that the "helm.sh/resource-policy": keep
# annotation is added to the CRD. This will prevent Helm from uninstalling
# the CRD when the Helm release is uninstalled.
# WARNING: when the CRDs are removed, all cert-manager-approver-policy custom resources
# (CertificateRequestPolicy) will be removed too by the garbage collector.
keep: true
# Number of replicas of approver-policy to run.
#
# For example:
# Use integer to set a fixed number of replicas
# replicaCount: 2
#
# Use null, if you want to omit the replicas field and use the Kubernetes default value.
# replicaCount: null
#
# Use a string if you want to insert a variable for post-processing of the rendered template.
# replicaCount: ${REPLICAS_OVERRIDE:=3}
#
# +docs:type=number,string,null
replicaCount: 1
image:
# Target image registry. This value is prepended to the target image repository, if set.
# For example:
# registry: quay.io
# repository: jetstack/cert-manager-approver-policy
# +docs:property
# registry: quay.io
# Target image repository.
repository: quay.io/jetstack/cert-manager-approver-policy
# Override the image tag to deploy by setting this variable.
# If no value is set, the chart's appVersion is used.
# +docs:property
# tag: vX.Y.Z
# Target image digest. Override any tag, if set.
# For example:
# digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
# +docs:property
# digest: sha256:...
# Kubernetes imagePullPolicy on Deployment.
pullPolicy: IfNotPresent
# Optional secrets used for pulling the approver-policy container image.
imagePullSecrets: []
app:
# Verbosity of approver-policy logging. This is a value from 1 to 5.
logLevel: 1
# Extra CLI arguments that will be passed to the approver-policy process.
extraArgs: []
# List if signer names that approver-policy will be given permission to
# approve and deny. CertificateRequests referencing these signer names can be
# processed by approver-policy.
#
# ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval
# +docs:property
approveSignerNames:
- "issuers.cert-manager.io/*"
- "clusterissuers.cert-manager.io/*"
metrics:
# Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
port: 9402
# The service to expose metrics endpoint.
service:
# Create a Service resource to expose metrics endpoint.
enabled: true
# The service type to expose metrics.
type: ClusterIP
# The ServiceMonitor resource for this Service.
servicemonitor:
# Create Prometheus ServiceMonitor resource for approver-policy.
enabled: false
# The value for the "prometheus" label on the ServiceMonitor. This allows
# for multiple Prometheus instances selecting difference ServiceMonitors
# using label selectors.
prometheusInstance: default
# The interval that the Prometheus will scrape for metrics.
interval: 10s
# The timeout on each metric probe request.
scrapeTimeout: 5s
# Additional labels to give the ServiceMonitor resource.
labels: {}
readinessProbe:
# The container port to expose approver-policy HTTP readiness probe on
# default network interface.
port: 6060
webhook:
# The host that the webhook listens on.
host: 0.0.0.0
# The port that the webhook listens on.
port: 10250
# The timeout of webhook HTTP request.
timeoutSeconds: 5
service:
# The type of Kubernetes Service used by the webhook.
type: ClusterIP
# The nodePort set on the Service used by the webhook.
# +docs:property
# nodePort: 8080
# Deprecated. Use .hostNetwork instead.
# +docs:property
# hostNetwork: false
# Deprecated. Use .dnsPolicy instead.
# +docs:property
# dnsPolicy: ClusterFirst
# Deprecated. Use .affinity instead.
# +docs:property
# affinity: {}
# Deprecated. Use .nodeSelector instead.
# +docs:property
# nodeSelector: {}
# Deprecated. Use .tolerations instead.
# +docs:property
# tolerations: []
# Boolean value, expose pod on hostNetwork.
# Required when running a custom CNI in managed providers such as AWS EKS.
#
# For more information, see [AWS EKS](https://cert-manager.io/docs/installation/compatibility/#aws-eks).
hostNetwork: false
# This value may need to be changed if `hostNetwork: true`
dnsPolicy: ClusterFirst
# A Kubernetes Affinity, if required. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
#
# For example:
# affinity:
# nodeAffinity:
# requiredDuringSchedulingIgnoredDuringExecution:
# nodeSelectorTerms:
# - matchExpressions:
# - key: foo.bar.com/role
# operator: In
# values:
# - master
affinity: {}
# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
# matching labels.
# For more information, see [Assigning Pods to Nodes](https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/).
nodeSelector: {}
# A list of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
#
# For example:
# tolerations:
# - key: foo.bar.com/role
# operator: Equal
# value: master
# effect: NoSchedule
tolerations: []
# List of Kubernetes TopologySpreadConstraints. For more information, see:
# [Pod Topology Spread Constraints](https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/).
#
# For example:
# topologySpreadConstraints:
# - maxSkew: 2
# topologyKey: topology.kubernetes.io/zone
# whenUnsatisfiable: ScheduleAnyway
# labelSelector:
# matchLabels:
# app.kubernetes.io/name: cert-manager-approver-policy
# app.kubernetes.io/instance: cert-manager-approver-policy
topologySpreadConstraints: []
podDisruptionBudget:
# Enable or disable the PodDisruptionBudget resource.
#
# This prevents downtime during voluntary disruptions such as during a Node upgrade.
# For example, the PodDisruptionBudget blocks `kubectl drain`
# if it is used on the Node where the only remaining approver-policy
# Pod is currently running.
enabled: false
# Configures the minimum available pods for disruptions.
# Cannot be used if `maxUnavailable` is set.
# +docs:property
# minAvailable: 1
# Configures the maximum unavailable pods for disruptions.
# Cannot be used if `minAvailable` is set.
# +docs:property
# maxUnavailable: 1
# Optional extra volume mounts. Useful for mounting custom root CAs.
#
# For example:
# volumeMounts:
# - name: my-volume-mount
# mountPath: /etc/approver-policy/secrets
volumeMounts: []
# Optional extra volumes.
#
# For example:
# volumes:
# - name: my-volume
# secret:
# secretName: my-secret
volumes: []
# Kubernetes pod resources.
# For more information, see [Resource Management for Pods and Containers](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
#
# For example:
# resources:
# limits:
# cpu: 100m
# memory: 128Mi
# requests:
# cpu: 100m
# memory: 128Mi
resources: {}
# Allow custom labels to be placed on resources - optional.
commonLabels: {}
# Allow custom annotations to be placed on cert-manager-approver pod - optional.
podAnnotations: {}
# Deployment update strategy for the approver-policy Deployment.
#
# This could be needed when deploying approver-policy on each control-plane node
# and setting anti-affinities to forbid two pods on the same node. In this
# situation, default values of maxSurge (25% round up to next integer = 1) and
# maxUnavailable (25% round down to next integer = 0) block the rolling update
# as the new surge pod can't be scheduled on a control-plane node due to
# anti-affinities. Setting maxSurge to 0 and maxUnavailable to 1 would solve the
# problem.
#
# For example:
# strategy:
# type: RollingUpdate
# rollingUpdate:
# maxSurge: 0
# maxUnavailable: 1
#
# For more information, see the [Kubernetes documentation](https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy).
strategy: {}