From bafb7338a494a5d29992b22d3c371910588abd50 Mon Sep 17 00:00:00 2001 From: Vaughn Dice Date: Thu, 13 Jun 2024 15:54:12 -0600 Subject: [PATCH] feat(marketplace): initial marketplace directory with helm charts 
Signed-off-by: Vaughn Dice --- marketplace/README.md | 14 + .../spinkube-azure-marketplace/Chart.lock | 12 + .../spinkube-azure-marketplace/Chart.yaml | 39 + .../spinkube-azure-marketplace/README.md | 66 + .../charts/cert-manager-v0.1.0.tgz | Bin 0 -> 20733 bytes .../charts/cert-manager/.gitignore | 3 + .../charts/cert-manager/.helmignore | 27 + .../charts/cert-manager/Chart.yaml | 23 + .../charts/cert-manager/README.template.md | 1818 +++++++++++++++++ .../cert-manager/signkey_annotation.txt | 2 + .../charts/cert-manager/templates/NOTES.txt | 15 + .../cert-manager/templates/_helpers.tpl | 188 ++ .../templates/cainjector-config.yaml | 18 + .../templates/cainjector-deployment.yaml | 124 ++ .../cainjector-poddisruptionbudget.yaml | 29 + .../templates/cainjector-psp-clusterrole.yaml | 20 + .../cainjector-psp-clusterrolebinding.yaml | 22 + .../templates/cainjector-psp.yaml | 51 + .../templates/cainjector-rbac.yaml | 103 + .../templates/cainjector-serviceaccount.yaml | 27 + .../templates/controller-config.yaml | 18 + .../cert-manager/templates/deployment.yaml | 223 ++ .../templates/networkpolicy-egress.yaml | 23 + .../templates/networkpolicy-webhooks.yaml | 25 + .../templates/poddisruptionbudget.yaml | 29 + .../cert-manager/templates/podmonitor.yaml | 50 + .../templates/psp-clusterrole.yaml | 18 + .../templates/psp-clusterrolebinding.yaml | 20 + .../charts/cert-manager/templates/psp.yaml | 49 + .../charts/cert-manager/templates/rbac.yaml | 565 +++++ .../cert-manager/templates/service.yaml | 31 + .../templates/serviceaccount.yaml | 25 + .../templates/servicemonitor.yaml | 50 + .../templates/startupapicheck-job.yaml | 87 + .../startupapicheck-psp-clusterrole.yaml | 24 + ...tartupapicheck-psp-clusterrolebinding.yaml | 26 + .../templates/startupapicheck-psp.yaml | 51 + .../templates/startupapicheck-rbac.yaml | 48 + .../startupapicheck-serviceaccount.yaml | 27 + .../templates/webhook-config.yaml | 18 + .../templates/webhook-deployment.yaml | 192 ++ 
.../templates/webhook-mutating-webhook.yaml | 48 + .../webhook-poddisruptionbudget.yaml | 29 + .../templates/webhook-psp-clusterrole.yaml | 18 + .../webhook-psp-clusterrolebinding.yaml | 20 + .../cert-manager/templates/webhook-psp.yaml | 54 + .../cert-manager/templates/webhook-rbac.yaml | 83 + .../templates/webhook-service.yaml | 32 + .../templates/webhook-serviceaccount.yaml | 25 + .../templates/webhook-validating-webhook.yaml | 49 + .../charts/cert-manager/values.yaml | 1284 ++++++++++++ .../charts/kwasm-operator-0.2.3.tgz | Bin 0 -> 2726 bytes .../charts/kwasm-operator/Chart.yaml | 24 + .../charts/kwasm-operator/templates/NOTES.txt | 1 + .../kwasm-operator/templates/_helpers.tpl | 62 + .../kwasm-operator/templates/clusterrole.yaml | 15 + .../templates/clusterrolebinding.yaml | 13 + .../kwasm-operator/templates/deployment.yaml | 66 + .../charts/kwasm-operator/templates/role.yaml | 16 + .../kwasm-operator/templates/rolebinding.yaml | 14 + .../kwasm-operator/templates/service.yaml | 15 + .../templates/serviceaccount.yaml | 12 + .../templates/tests/test-connection.yaml | 15 + .../charts/kwasm-operator/values.yaml | 63 + .../charts/spin-operator-0.1.0.tgz | Bin 0 -> 5525 bytes .../charts/spin-operator/.helmignore | 23 + .../charts/spin-operator/Chart.yaml | 23 + .../charts/spin-operator/README.md | 87 + .../charts/spin-operator/templates/NOTES.txt | 26 + .../spin-operator/templates/_helpers.tpl | 73 + .../spin-operator/templates/deployment.yaml | 81 + .../templates/leader-election-rbac.yaml | 59 + .../spin-operator/templates/manager-rbac.yaml | 113 + .../templates/metrics-reader-rbac.yaml | 14 + .../templates/metrics-service.yaml | 17 + .../mutating-webhook-configuration.yaml | 49 + .../spin-operator/templates/proxy-rbac.yaml | 40 + .../templates/selfsigned-issuer.yaml | 8 + .../templates/serviceaccount.yaml | 11 + .../spin-operator/templates/serving-cert.yaml | 16 + .../validating-webhook-configuration.yaml | 49 + .../templates/webhook-service.yaml | 16 + 
.../charts/spin-operator/values.yaml | 94 + .../charts/spinkube-azure-marketplace/crds | 1 + .../templates/kwasm.annotation.yaml | 43 + .../spin-operator.runtime-class.yaml | 5 + .../spinkube-azure-marketplace/values.yaml | 56 + marketplace/manifest.yaml | 12 + 88 files changed, 7074 insertions(+) create mode 100644 marketplace/README.md create mode 100644 marketplace/charts/spinkube-azure-marketplace/Chart.lock create mode 100644 marketplace/charts/spinkube-azure-marketplace/Chart.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/README.md create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager-v0.1.0.tgz create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/.gitignore create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/.helmignore create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/Chart.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/README.template.md create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/signkey_annotation.txt create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/NOTES.txt create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/_helpers.tpl create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-config.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-deployment.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml create mode 100644 
marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-serviceaccount.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/controller-config.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/deployment.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-egress.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-webhooks.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/poddisruptionbudget.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/podmonitor.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrole.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrolebinding.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/service.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/serviceaccount.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/servicemonitor.yaml create mode 100644 
marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-job.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-config.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-deployment.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-mutating-webhook.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrole.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-service.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-serviceaccount.yaml create mode 100644 
marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-validating-webhook.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/values.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator-0.2.3.tgz create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/Chart.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/NOTES.txt create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/_helpers.tpl create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/clusterrole.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/clusterrolebinding.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/deployment.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/role.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/rolebinding.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/service.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/serviceaccount.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/templates/tests/test-connection.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator/values.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator-0.1.0.tgz create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/.helmignore create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/Chart.yaml create mode 100644 
marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/README.md create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/NOTES.txt create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/_helpers.tpl create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/deployment.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/leader-election-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/manager-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-reader-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-service.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/mutating-webhook-configuration.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/proxy-rbac.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/selfsigned-issuer.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serviceaccount.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serving-cert.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/validating-webhook-configuration.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/webhook-service.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/values.yaml create mode 120000 marketplace/charts/spinkube-azure-marketplace/crds create mode 100644 marketplace/charts/spinkube-azure-marketplace/templates/kwasm.annotation.yaml create mode 
100644 marketplace/charts/spinkube-azure-marketplace/templates/spin-operator.runtime-class.yaml create mode 100644 marketplace/charts/spinkube-azure-marketplace/values.yaml create mode 100644 marketplace/manifest.yaml
diff --git a/marketplace/README.md b/marketplace/README.md
new file mode 100644
index 0000000..f27fede
--- /dev/null
+++ b/marketplace/README.md
@@ -0,0 +1,14 @@
+# SpinKube for Azure Marketplace
+
+This directory holds assets comprising a SpinKube offering on [Azure Marketplace](https://learn.microsoft.com/en-us/partner-center/marketplace-offers/).
+
+These resources aren't necessarily meant to be used directly. Rather, they represent the assets bundled together to form a Marketplace offering, which users can then install via the Azure portal.
+
+- [spinkube-azure-marketplace Helm chart](./charts/spinkube-azure-marketplace/)
+
+## TODO
+
+- [manifest.yaml](./manifest.yaml)
+- [Test parameter file](./parameterFile.json)
+- [ARM template](./mainTemplate.json)
+- [createUIDefinition.json](./createUIDefinition.json)
diff --git a/marketplace/charts/spinkube-azure-marketplace/Chart.lock b/marketplace/charts/spinkube-azure-marketplace/Chart.lock
new file mode 100644
index 0000000..031fdee
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/Chart.lock
@@ -0,0 +1,12 @@
+dependencies:
+- name: spin-operator
+ repository: file://charts/spin-operator
+ version: 0.1.0
+- name: cert-manager
+ repository: file://charts/cert-manager
+ version: v0.1.0
+- name: kwasm-operator
+ repository: file://charts/kwasm-operator
+ version: 0.2.3
+digest: sha256:2b941a3f31eb39c2738e801f30881e3ed734379ae50968cf2419c2929386f4ff
+generated: "2024-06-12T14:02:14.844986-06:00"
diff --git a/marketplace/charts/spinkube-azure-marketplace/Chart.yaml b/marketplace/charts/spinkube-azure-marketplace/Chart.yaml
new file mode 100644
index 0000000..57ad93b
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/Chart.yaml
@@ -0,0 +1,39 @@
+apiVersion: v2
+name: spinkube-azure-marketplace
+description: A Helm chart for SpinKube on Azure Marketplace
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "0.1.0"
+
+
+dependencies:
+ - name: spin-operator
+ version: "0.1.0"
+ repository: "file://charts/spin-operator"
+ condition: spin-operator.enabled
+ - name: cert-manager
+ version: v0.1.0
+ repository: "file://charts/cert-manager"
+ condition: cert-manager.enabled
+ - name: kwasm-operator
+ version: 0.2.3
+ repository: "file://charts/kwasm-operator"
+ condition: kwasm-operator.enabled
diff --git a/marketplace/charts/spinkube-azure-marketplace/README.md b/marketplace/charts/spinkube-azure-marketplace/README.md
new file mode 100644
index 0000000..e9f8929
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/README.md
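Review bot: The forked cert-manager dependency is pinned at `version: v0.1.0`, while the chart README added in this same commit says the copy was forked from the upstream `v1.14.3` chart, so nothing in Chart.yaml or Chart.lock records which upstream cert-manager release (and therefore which security fixes) the offering actually ships. Consider keeping the upstream chart version on the fork and pinning it here as `version: v1.14.3`, or, if the fork must be re-versioned, add a Chart.yaml annotation naming the upstream chart and version so the vendored copy can be matched against advisories. The same question applies to spin-operator (`0.1.0` here versus the `v0.2.0` tag named in the README), though that may simply be the chart version at that tag. The `file://` dependencies are also committed as opaque `.tgz` archives next to their unpacked directories; as I understand it the Chart.lock digest hashes the dependency list rather than the archive contents, so a CI step that re-packages the directories and compares them to the committed archives would make the vendored copies reviewable.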
@@ -0,0 +1,66 @@
+# SpinKube for Azure Marketplace Helm Chart
+
+This is a Helm chart for a SpinKube offering on [Azure Marketplace](https://learn.microsoft.com/en-us/partner-center/marketplace-offers/).
+
+This chart isn't intended for users to install directly, although it is possible to do so. Rather, it is bundled together with other assets in the [marketplace](../../../marketplace/) directory as a Azure Marketplace offering. End users can then install SpinKube via the Azure portal.
+
+## Assembly
+
+Azure Marketplace requires that all images references in an offering's chart (and any dependency sub-charts) must follow
+the pattern of `global.azure.images.`. See the [documentation for more details](https://learn.microsoft.com/en-us/partner-center/marketplace/azure-container-technical-assets-kubernetes?tabs=linux%2Clinux2#update-the-helm-chart).
+
+To comply, all of the sub-charts have been manually forked and updated appropriately. Here is a brief listing of chart and version (or git tag) to track pending automation:
+
+- **Spin Operator**
+
+ [v0.2.0 tag of spinkube/spin-operator](https://github.com/spinkube/spin-operator/tree/v0.2.0/charts/spin-operator)
+
+- **Cert Manager**
+
+ [v1.14.3 tag of cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/v1.14.3/deploy/charts/cert-manager)
+
+- **Kwasm Operator**
+
+ [kwasm-operator-0.2.3 tag of kwasm/kwasm-operator](https://github.com/KWasm/kwasm-operator/tree/kwasm-operator-0.2.3/charts/kwasm-operator)
+
+### Other notes
+
+- Currently this marketplace chart uses a symbolic link to the top-level `crds/` folder
+- It doesn't do the same for the `templates/` folder mostly because of the image reference modification to `templates/kwasm.annotation.yaml`,
+ but we may want to revisit this in the future if there are more shareable templates added
+
+## Installation
+
+To install this chart onto a cluster, first create your Kubernetes cluster.
+
+You can follow [these steps to create an AKS cluster](../README.md#create-a-new-aks-cluster).
+
+## Install SpinKube
+
+```bash
+helm upgrade --install spinkube \
+ ./charts/spinkube-azure-marketplace \
+ --wait \
+ --namespace spinkube \
+ --create-namespace
+
+kubectl apply -f ../spin-operator.shim-executor.yaml
+```
+
+## Deploy a Spin App
+```bash
+kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/simple.yaml
+```
+
+and then check the status of the Spin App:
+```bash
+kubectl port-forward services/simple-spinapp 8080:80
+```
+```bash
+curl http://localhost:8080/hello
+```
+
+## TODO
+
+- Include shim-executor installation in chart (perhaps via approach used in https://github.com/jpflueger/spinkube-oneclick)
+ - Probably applies to both root-level chart and this marketplace chart
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager-v0.1.0.tgz b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager-v0.1.0.tgz new file mode 100644 index 0000000000000000000000000000000000000000..c9e7f66f49a6517cfceb06add8f57b45c2be2b8b GIT binary patch literal 20733 zcmV)YK&-zXiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PMYcciT3$INHDUDRAVO<)p{d%d(y5o}Be_ZFlO^#PPMA_RO6% zD}_i%LQN4Y0LoF@+|T}7c#+^sq8^r=hMZZcMFJbIjlDNE_QOS#J5w0IF{16W38cI= zhg1KXZ9bh&r*quz%l~#do$P`hR(nzMM2tiF zO=sh_vV;3V9vB3KLyk$n1`Plp<#+^LK8c1cOxiwnQNYjuoQBYyAg9;rzj+4i?AtGe?pXD5)8ns+kj!1{Oq*4txm&3%%wQw^4%%; z0r^wl3S0yuLV=B$iz?^00dCXV_A&`01@?*NwdqfFlpp# zHyDYii)43JTAf)27oK`Ud}U8+VP?>e5ZgKfSV;f7y?(#b&(QyVr+Zk_|6M$L;6FX$ zvH?S`Air<^;gccs8;w11jz%!@IZ#NEqr|Po9=Mxe1~3B<{PXnPTW3V*6mpI{Fv31+ zNf@pVDFQP{F&z4c0ZzaWfewE)w-f zfB>OjN+<#hxfF2&E)u{VCMW=5yRy)=UMNq7qHxJ+xyU_RNU^thB#AHz7`-rkuJX}6O%&LDN zmJv+gOsB*Z7|LXK`j;a8wH_mKv(tfy_5){4?>Cw#e5E2AF|Y@A1PE!<5EaGu>hvlnW%K7 zc3o3IrbFlo1QTtXNxTOX{T5-0JaFbmj3atO1hIla>cw|B@Nh8B(?SVL?VthRG(sBq z>3B@hSinz#<;0#XGl4=JbwpJ_rct-Ygt*iHU7lVRI4^WIgq{x+|2M6}F zbX&cyTmXuuWTrlMTfHL*69s~scmptkJ~Oj@W=OcihXU>+HzxgWTJ!5E3x9pHdt@PPRQ9D^Ye%O|Q%3FEpx5@gdSos66c{{t%GB(ePXtc-Rvx7(8I#2M-W)07qPqhap3BCI$vIBvpq^a0n<0&;#^A z6maYV!TzTqmy zPc05OqBH1&A>t1R1!gjsVWiNN6ElTk%P9&Qpa(f0W_~m{F#}eo#W0vGg@du4nQ6pC z5#S?15hpMZvJv_%g1%<%cAw+PS~xt}opS^|9|vdv`sv|W^NoP(V-#=(*n~vBr;sHx zY>6)d0T`CmVBp#9K;Phk8T*pHaXP<76ccX%x<^b%sFwlbLI}z+fU}!(b`Y<&V1Fp^ zkS8Wa@GU_Fq>h0TpsFc@7qw&00K(JQAi>r$B$}K{R_^nF<7loX) z9|*no3H0PEBOJFASnWO20Xajd^T8g7dnbPYz~>dj%`0B&nl6idSkyI$8XeJ4PM;-#P zK7vdLE2(GURL2yMp1fpsT$r08Wv z{Ai@452m;j4kVX~7ez{?5*@7xX@N5s0E8tE68uUE%n}|9BtsGC`U17aEzo@_mI;Co zQ5OXqj*%9$)#u*P-(RX3Jd--zSVYDn@Jkv$e$lddt4u1N;^5RqrosVgHXH@dWQbOu zmk%(vUm9Y7(Ns&c}`gsgV<+RS!6n@~9%vLL4(ZPI6MCol@u`54Wi^tfE8mLSmnR zb7G<-Eg{gc;+M-UzMk5165;m}3H zUPpDwI(Nk?D1B-ofyG|MAjA0E09=l)2*0L?p@0j-UUYupM98ref%B_dBd<_#YW7gT 
zG4vTg+-*r@(WlZ&#v();dx@H<1-_dbVM(nDgHyXD$kJGbnO=0{$s-yL0A`InwPK2e zC6(nmXu1L;PNtA+O_@s8Z1z$~r>SS&#?>=06p-N=WMtu}J~-K*Ht&uY(L21Y&{OZ|f4 z;0N)Yg4ud$5@6I&4|>zdy`uH3F@aL_#zz8&6K7#5^}@7z~x9O@R1?39++V$hs*?w(?CqKVPj&8{D=cD)+sQ(X{FLl z-p^P!gYo6g_X1jmdD$HSkScLcP`6g$K}d~TpKNS9fn?Y%Ri;1*5B+cgyQ=Oz4!i+K zj^##JmD@!X@yU3MgK>O}igkMf&@=DU4b}i~^oi?QDLvhp-QSeL&C<8&9>py6^!oDu zy}liQ*PTwM;M;c*75qH;swBeqqeQ0rnb3Pg*#PuRnUqv%x^o(n02}Kf9!C6oIWVK* z)#cAIlX!F)FyuxQo!#DiU~r7i1y{mK$7Pql_!J_Fg&dG-;TDg@!RQA479qxyHDKkn zMZX{5{PgNuw98u(*L3bh+I8%ns5WU47It@dA zp83c#TU3uhT^86SKd^#g-$91mGZKiiHV(40`xEq~M)BC3&1kIv?nKF)U&2gbs+zaG&2(y}UKvA`2-&31%rNS*Xa~pd1Oa79G#jvY?Dnq)db(u^}A)RCVZhWwG^ z%4P~qgp5nIh1B&=2vfp^K;J~tawE#{ObcOp6e)>R3p>9>h|U|b(Hm3A8o7}kzbEQ; z)`lRj!u@$H?-e&Hrf!C)!dR*K)!Lr;*rRAQaAkj7XuzrY783#FL`VSw-Xq|XKs4_~ z@{ZS4yG@+c1=UQ1F6B;J3EyV=;LPVCVOCDAA4Pcot)$Q^597Yqb=m5=o6>#l#b1&c7S7boW1$>z_A1ts$n`Y%%r|F zIY=!83TBv+K_%c`aGKVr{y6cGHL)dO z?MD385WQ>S0dq|$#TO-bY-Y2|zGu!ngUUkW$e# z#WU=qF}h$b^!1gWxo>u1sIFHqVro`AN<#IQ15V$*l^QJQ3F;;$^n2_hB^_F)o@9s3 zh#yT+?#Nb-->rtOQm|ds7a-3mJvN*$d?rVs~W|KE^^BXD%s0zZpW;)tlTtT@#MhF%MS zN?sP?VBFZtpe+o5vUgE82-4sRC`l3A{qLQ;@}(Y=mxjJCuMOp?SJ|P+^Ru@1VQGt# zZbyLmh_nE`af3pCxg@aKQZwSgx$sU}^8ml*w@6Cf_Y;b1HT zS4rOVxAva=;i%WTfg)r-517%@Hm^v4ns(O|vy@_=TD9w@=rjRSqTkZT+?yWU&asELw?5e{NV|X0MnGwyjwNV02EYsAjy;kbTZb7Oq zP?O6kPQY6nM4wb&MW-%#ay=|-DdVVAm7j6oiOsJDhy}t-@h9Yg_qS$ewekyNPp06x z=^+y~5NC$yQ)0J)#{r?Jp=rhK1WyYzsEH8UZ z+)df}{cv}8{qg$d{r~>6_?)68Q~TGn*OafENumM4oPBZV~-knQH<~An3my#gq*B76V8!0o;SchhlxI09r zX=R;c0T-V_vA2}#Ui?vfzDM%`7!lGMLMq*_DDjb91OPGjP>@e>8Kl1`RsSIU($Q9n zjd;{rT0D)-B&-FxBR*2cVfI*S#N#FwuToM@4{7o2B-3*7TLgXmR_iA86sUK~EOh{` zh+b9Hu-h`nvf}9piBHD!+fW=4Ed}!9O_pkq$p+oH!DUld(oHjwQ~2rj9z7)YC#J@a zVusC+R=VrrY@mw^3GqX~AjfQkl_8Fq%hO=~0Oz`#lyee(ZxB;%0)2L|uoZ@3rb%N= znDJO#R3%nQ*jG`F@)^;~{T9zqfEc@`MCm(t>@SehdKhJiF%?Z6FV%I~g+6TzEu)7a zQmWbq1RkKe_SX7Fbs8b=y~FO&1MqcU1hF0}n@eR%!6D@=+a?Zx3mH;2xw5`7=anZo zsk%_m<(WWPxCexj0K4jaD>r^)G0b!oir9qsT6`SB*fx)_jEQ@)S5gL5iShj{k~mu6 
zXqqge{pZjp!}hDr@$j(IJ?Xf|U3mCvggo!4@4By%hx)E}+&ejfUFaPS+wN3tBvx^Ez5Y?2r}_3o3~ZA@tyq&6Y|uYPKAhhomjoUg zfNrM&Kq!rz)9=I)mP9;xdDH-aMe-1QXXbSPx(xtE5c?5D*4tMCGgbRq7w{Gb_d?qC zq%t@$&A@@W0F{@*LlW`C9wlbvjXi*aUy;j=|6V8$c!jdpL2_16SQK#hNub!d)V(+M zgq(iQT8(_~N=>h?DVd7iMy$~Y_D3SnF5&Xr?gCBLqSiQ zxaS6GDdCjmUTjU3Xbt`Ofn}M46NkWu33eyO7Ev2=jU~EBU~;;oi2!*BjIQaO>O6R% zdf)*PaVE_J^wcE=RNA2Py#V-tnKaHxLum_oXdosXYZYv&^b}{Dma=e-#w>fcW+52J zyBcYjiCL4FZENj*QQRulbL&}5H+`UH0W;$P6Z@}vcqExRw^7gVFQ(LPssX0?A&d8z z29|(GH_DWMMbg#Fm@Rrni4S6L4-V-Vado-LiLJWN4nPo~1M)yKpV7177z#J-d4$6uXoF=294q z1vXAO(A0{10I{z?s26vt`~Vy#a88#fZPPQ`h(({+1Szc@i)tBp}qNkW-uFBJe_j1D+JaHUq}nI|5FknkZ7Gk^GOBE~yGx3k zG`k~eoHV!+A^uBJx@0akp>i20HHE7woYqREj|@Mf;e?R;M&m*Kp$-cby*727*kvpw^X#p1-P$Vv^({^*uIh5C4HEI#DdJm!g5Sm@UMldRJ3*ehg_Z0Y zOc7&njAA?ZrZ%Dho^}lv0sulD@|p+g3@DF?9ziVF=hC-CLW>xpz{7AH5OJ;+V+jsXIRacW2iYv;%PW_Ex!RpfTYXs+aQm zBK3yIfCCTei^5)}T;FWemXOrEs@~m_oFAE)R!#usEQ1+xMgk8}e=aNNvU19mPokdo z31lk9kvowd&}5`9PATFM4U#iH3OqT-tpWwnp?2(A?qFbWMj92xe!Uy{7f1%axrc$o zfz^Br$^$al&IN`vF7qsq6_sa!W+7>}0{LA_X{l`-??Xi@)hX8;ag7yX%hbONz(0Px zhz)4;wKqGk)V|gYw-|}B@s(;Hu~Kr84LlD0`&bX8ty9$fy1cR{0qFM+<&tzey`xSG zumnGp;JT-f-Hj+x$8TBiKnDgP^j>UIvyF%3Q>^$35b{jy56=T5Owj}MeFKt4K9ZI? z>W)KNdtcmr{O2p7=bSpyTE>#@y50qi|4G!R5ou|YGx|2 zD!nG&7UIC=ElLZ;(*nEN63g0R+uAbgS^!qFugy$jsI@v`tKH zml@ki1w>H<46tqtjO2*&C~+`y^3Ph4Fu+z~VSpvkFv>JC+l`0;HV7C2R*i~La`Y^W zj8QbyO=Dv`#$Ze0W0VgyA0q>-?B;CfQ05A%D6T=dE%^G)UaLreg$)*&gRkF`v9c~{ ztjwf){RZDfTpnIaCDWp?CkyIqv1>oYC+k%@H(OY%pnHoe402Hc#hIfOyX?lsxYAKB z24x1p7VM2248xA{W?9C&=WC3tkb5t}hN9#<> zR((*Ec$o1*Sw$aF$qywJXmBH66scv~mN!b_N@qP%7Wkw{uJWYj?ByiSGHN$`F>Tf! 
zbIVl?+buR*VA`Hy!bSYQf_ZzYP{zPL^DW{2#YXPdJS4%7o{ypXg7r(8y92Pu;N1*9 zYw~X1r;Xmt+XA!qbgOa3f-l7Mec@!58o-;WwM^j63{^IQHx-tf!JCp9L-+)JGotkx z#_)?P6`R8^nxPmCD!VNIoIbN>+^g3Dl^n_oJe_s6je%wQvLraB5gSv%F-!F)g#j}2 zEiDLUOn+3@%ov=)xOt4C*%u=9_5H1s}7%+2D$jlfst)Piu zgRqJDz=>d`(23wNf+vF?h=!$&mY9iECN6p_t<+|Lf!pe_6stv3OaZSP zPq9QNSGB>7uE4i?|GkaN?`_|FZ|T~*+v#)~Mfb~%G{wN9q7{(YFd)^5Rwjh;D-{|6 zOo?ZiPTZJGIAWn9CQ}y4m`ui(!&(ZnRN#fV&^rD37F_&z`%?LZsH9Fx5p;E#lyaeu zUGg$%WH6Ud44086?#+56ywqQ zN{J={f(`@`5A_zy%wm>Jmz?mdWsE=%AG=%~e&zW6^6J?Jurm6kYTA<`B-$)hTUxOO^m4jovwa)Jpj#ar)B=%Oa~Cxmw6fex5Tpig@GU> zG8VHMW0C0?mZ7i>r~D}MO!8bXRJXN%RW$DRCm^iT0|qCia3LH zx;|TBuL~5Wb1JNC4PcSk{iTTl5&0;$b5elkDS|Eus>&;-$fN*9$#7Np)K{H&xFIE+xWpfTyR+*|v3~!sQn{lIihVdY z#rDAa0K5-Ta67>xB~8Bn@%$j;<7=C?Dmg(g>llQji^u)`VJp-4@v^~ivMN$+8k7xy zR9Ln`fNKY4Gr;Z8YyfQ2wO8%IEjjl}VyoPHK|vqOb1R*KOW6lP8x0p?{kPIA|t&qH_#MPie9Q0&qz9LIyYgJb; zRz5p58>7HpISzxaG=8Zl=;~D}2)e3M7zACFE{TD@xy`G!;cSyFA5RGTH$W=XYKQf-#>{LGSU zHDj4+(yE3;7W>|nEm2DFDQRbgl)DME+M=koD5@=rHnJ#6c2jLsWH(q}#Xa#=-09i7 z3vf&P8KR8_bf<{PzXxluyrlNdSYFcPHdvkot!8=8i{)j}_Lf7+qfinllQL9AiBTV5 zh*f4w%m7reh(p4-qZ6S6W$`3V@(&R6oHP6uD%I66ID)r~HZAz(RW0A!!s} zgZ9|}hYW#Z?64q3df$t3Q^Y2XJ;1PsTtQSR`6Mm;f~@W>Bpy4E076QJaOlsi=^+9g~Ty}tIFxWzdhzsj4qJ)py-N<`f^msSd2V2JmP!aa%UHUQnJsw(!@ z5W4qdGm_`ugF8*Hpcp>mm}H69_3Pm`$e}QanMSg z8bn!nAY=St8#79?RmcVZ$#z&q`jwdH>DsqCaq4@Io!@(W^A$fSHL9UTtbO(V?&7w^Kk;p} z(dl$L$Nj$iZ>Q7A{SMeMTXGvB$T}0^cAMsJ~(v3A`BD9s$F-;MuIfy=&B8K5X^;p)k+adwbN*PPiVGtxt6mj(Ig9l9J|uHO)9j+Vl~dJ>6U!) 
zGMlCU0C0GZ00h4DWmnNUe$fuq4x8ZVFO8Lk6EQeOZ4IFPRTI-M@F}7HA1BBU5oIkN z`Wv^gnErPUPfmIn`hVO#s_FkuoTI(m}Rx3)zYK}jJG#MDTpe&XbD+89SY+7q^Rkp_IVlAyo5Cz2n@sB^^g?V9a(#jC1^|B1897}d` zGvJ&0k7gwxr88)vFUH(N%~BO2@(u>dUtg@9c)t(Ba9;{z`=a>1b^6{nf!M^4DZ~;F z8!nlKkYg26Ax`EFW}Vh+%f&9v*IKYQP4uSpmNYo1zkX5V=W+z7+A<1Ayk}JoETyR8 zDTS}j(ijO*UG}zgn)1}^Z({#Vk$0uZO0s>Ml`z=s<)fqWy=;+$ctuj}uE;s^<8t8* z8YN{7G8gbQ8U3IMK7Vfi@rP9|KS3?<`LpA~?Gv3O;8-PkQ(U|f-6hDN?TzMY7jr6QZ;QX(XAIinO7$Mm4dd zXca69Q4W1QB2f`uDV@mP7(X_#$X*j{nPOzXmynH2shW0Vr|roJNN$CmmWpKOr|Pk0 zVYN#1qs8@?HpgQ7)UN(E zD*Qi9{(jK>&n9SoY_5SrZ#5N52fKitr$SxGpr>(&pj`JA4OFo6e!Mdi@2v0w;!p5f zM0h;icm&XI;6=Q26XZ`Vjv%I-(3j?YVS75jurr*iCXGVDTp@q{+%T8ca^7XBWSb{T z(JI0LYYU8hGK7B1CDSPh)C|f(fRlg1slTY44Y_bZuFTOx-GBRjqT|=L`1+b&U!*p) z#e!NAd3B-8;#6udKGDhM#mG}cRyCr7C^f!IOot_{#w@mjP!Vv;0N6CS(U3NtW5fjm zkT)q%hEg2*XewDB4ip>@GdE&ln@kWzjRLO_QB3_K?`~N8=Shy-5IQGFP3RK)gu`=5J!(37;tE~?=Z@~~+L8;>CggRzmt8w}6`u)w_ z>DApp8N|jwl_OK&L5hDD?9HWw$vB9Lgh)Hq+14!nwu-KRpjCe7HvR%hLYj-M*)yn|uGq!t}CfHuQR2?B+uT_72X z6&5vBrGyLVTE3MX6^3DHbE&3^BBLzq?9$pvFcw=ny3#UlaUClbi>;W_ywyoMVno3f z_!9(z1P2`S1za=H7Qq>SKVtypDEg-nr!oL78u--P?Aboc>Aw|xcTFC!^V*z08I zf49@=*7ScDPdWWJaSSt55{4mb$E4DVYgyCE9nwlwPD-%_OIH|6R8`9vc+1NzeHtxp zMazpUMAG5GM5Z6uM<%OrJHUGar2Vb5uUB5CTt-6xL*$bOahwqhd4|E9cD zK7W>x_I1t;MgT=TqJcEimM4Tx3w+zw$2eV897tbGAOkOy<{)#-rbt=K{eYQ}&!zM9 zOYlM-G@4CQso8w_@}(L;QH9j-7XZ%9BZxJ)Y5{U-(Kp4>^{{j`JY9r+aaeaXSSx(` z3fKl>UA&$pi@E@i-u)|5fNjk1x^uiLHK;@pUfJ*$txW7;m#t8+Bsrk*!c=G_M|Mhl zORBVZkk7!;nD$rcyHPW<3xzM?!m}D-hQ#ujF z9u36}6!>S9FQq1CA;m;S%kUv%X)MltQtjHB+BNVd6SpL(R2a}?E#$F+fmk@`B=U-_ zM3=@Isi=wSQEsUqs~eI!namu*-y@1zvI3K-JKiaA=FDc7MxV5DRi#Q?y&i{Sdvk-V zD`XiK$zrXYxku;_Qa&rwHXz?(dWFTQo!dLXMxHhU3iM+NEtSUupZ$V+DNAbxwbDWITD< zo5I#AHx>s$$%82%m)%Z7UKZ>rJ(^OEvS^xm8=^pRJ(sGI1aH|%FKh?Sbgh(Y=T`c% zs2{1=G;xi5Sd|6sFXHoynl`aMETPScck(DrS^+bX3Ypj)n>SqCa!D*~yB`Yzia*M9 z7{BJYu<==5ufg1{R{d0cmg|2*;w4#ohAN%lYKq_`_kX>^qm2J=uXoZrto6UUc*^y^ z3(`ntb;9b#KhX*oKSqlcso(lY*g^rGeNQsZuxCCAr|0C=F-Rqv5bZY*;i>K24Z?RQt 
zNIY}MR{B7@ingRtcymL1loA-|5V|cG@d=^EAo2c{G6n7yOA3WL{fui}$ilCk@zcl` zrzi)&5dVXcC}achuYDz-?f*L+DptJrj3z`D!HCI1Gen1MAX)Xl_9KQ;HKhTpimqF2 zT^8CO*3Z*EE7SiW4m=#JWDmO3{_`Yj|8sa)pZ|9AJQn@0Ozm@w;yZ<4H5=H34Gs3zne)K%QN%G3hKCijSH(D3AqV5EsK;cu&8MDxl^*i=ImKe-q>X3i`j}eun;c zPx^3D##Ptu4JOmGrdZ*Wy;?0CGeuel0q4!De#mmd< zv-FGW%k$)g%t!TsA!^c7`Dg(4-$jhyh%ah3sdP_NB^)rt!2onSosQNbPvNKdH$yW2 zM+%q(bQ;VBEEa`22OISDxp*t>j+hdzwgBvD?s@|4HxUB+LJgj%xnD zlV=0|FA+mWaoFg@S9AW&w0(lE*!sR^CQfhj---}fs=uZkmsx+;TEBla$A~u%K-0%e z{`UcLcOuJVnkj;-SjARBsvJ%w5EcH3zoO97e}!exp*O`c#gI0-wK21(mjb#X&7P?SAVD4GBvNHdp_Q9E*!^s zLUqztPh)niO3J8_cC0ND^$Imt5)Jo&vLgn@j#$ckY*qB!i0KVf7fcUw1~LoH%(Hgm zUpHzS_PGZ>Fyu+Ug6#U5;7oBk6qN`wm4h>pl`~f6CTNa_G_iaIlO^$rWaqFZ!sS7GM?( zObP%i%s~kcs=)r%8CBejmQnt#Xh>rZj42FwCV@AiS~gKJ0Rx%aZGu30x9i{tQyA(f zKLsQyF_~Y3EG=Z0%gyy_;`GFPcMXP{U9wol0>L8KpXo8mA{~sS8W$nL? zkLvgzJ9*a8|16CWTozaLU8DxtG6?yf>uGC7tmawz$2944M?Ul2-$KiTq^glib>>&PM@8~ca|F3)4 zuj&6To-Ao!81%1Nq`x)8`z?#<_n3kFN&j< zJ|*;j^Pqp$vzY$(I!B#s{@3H<6 zG)c)6@d=7ptZaHAHhaN$eQuwU09(4LmpSmM>eWY75Jkso9Fuk^qY^dSQ^YBDS+k@V zb14kb0PG8TwqFK|P(A?rult?eesTM&#W-A+adcUf!|jJQe4KcO&o_wSP9hiTwIeic z)s31e=dKgI9ODefH%2lm?)57VHW9!cF>YEpACf;OOZn}mS0 zuf)x>g%FS{2Yy^F+~aCN9_z@C>qd4g+E1BQ)cZH>8O-FmQ6Jitf}~1|f79*Q3A@uh zXf_x3Q=4YlMi===lCtNjq+@IxGBGGug7=5XWV1>ue|wP%F!-{{{M4~F%Ub>`#o83@ zKzE9q3Fl#_>oDTa5OpLWd$S2$K6R%^0b7|uTUA%0)mFV6)y`q`BgFR1wSj{%MU34} z@U(dOHQ~8rEJ8GUDpHH1i#Rf&7nM6ouKkj#3$ZR$_eWfW6Paf3ap2{f%~!47thB^g z+U{7C$~Rn4xjM>c$haL*Hs7CoNZF;;sx&%o4J`A@_YZ;KNTYnmR8hzBe{hH>>`*j%BZQC@oAv_M>D~xApW&He zeu&NxW$y!jUVtZ}xI;~O#c5OphXnq-au?Ei!Lm-Q)PeHI!|9je0L#+RfMc2ZS{`o2 z*|y-AAZWFtkI<>lAtju+#2s!g zCBu>np^hn}iB=Vc~+(WyJrCUGGapxprNe90(7042Rt(#aH%n( z<^r2PCG>yuq)*nfg#Pz>{eD*dKkgjW^nVvmhW_t1=~L}?wSBLF?WTTuQmgdk$)DEA z`1D1jdD=L))7BC?Z6%9Sox16{KIQ!1*xEm~|6ixy&FcTU$HynN|MyOwif$Pt-z_vT zMOSm)5Y3Mu_CfOk^9iCA8zF@Si`xM%48RZp^AmCart_xLeUp=v}6TH?5Uh4#}f29Pk zPfhicr-c7+p7hmv7W4o9$>B*h|NBwDcT)5JT|C94db8B7mD1alv-}g`8J!?ul}cm!uH)kdHXpEJJw$*Un_!*fW^_ 
zT(^dm9>txV%z!xoG8SQ6ilJ;N<#^{(Dvn{6;_Dos9U^V@8$ z^lOTKixA^wuOD|umiIQ*tsK=@br0`>pOML;CeAMmsZ{mi)Wf1MB$R`QA?lX?lAA=uT0qLRSd&3g9LL zPLs<6@J#6TqK&W(0{&jk$MYlIYMpALT~4%D#P|cC|5~5$uHIr2k9b|FXf4@qLrJXa zILk+uqbD`5SObIBVg#F#^N-tK`942jLDkPXDs6k`HVq;xA3 zBt?L}Q(O_jFhQG5?vA=T+20@6>O z%Zxb`qZtCHXYVcmRQg?Mh9I!v9?eA|fp3DsgVZK^1e%o0tG+N)6llBDN;LDs-Q9Jk zt5{Pt=ppgsqIeLKeR=zVJ-y6^rtd^2U zoISyII+PV1fU;DP7|258;?W#H;6{v-sk9Lhv=ux|PyilOSPa|6N<+;P=TX+-BI^-_vGa0`0#l28oJOM_WL8)?+p$`bzChMEee{_g(dD-LdKeSvsTj?^=;CN ztsT}^J6S)emsD*O@m!py3RWU*@3V6&o>H5l=Y_Ym6~Z$^-^_y4SX^K9e|b1;FGr2R z^?m0Tgu8knYOJkqj=nI=wHBks-dg|m#o=#iIi4*BFYx4p<1s~J$dNT8GV-H>y-OD3`0t0$aa>x(UT9%og@y% zAk%&A0L-MlT*{e|J-zLM9@8Kdnm`^3{z_!VYHde`3=EHh0+iI#ov9HAh|v2ty8+tY z=B*40$~?Eb)Ec**?;*WxZJzCUy@(*W^j{_WxH>T2}m1{&t zgigV&nxIo@vT}ojj4w@TIAR<;Opr{=qwHxQwT+Oq%?h|OL-xS4;Q}_xR&!>gih8py zV+3a278u=>Pj6L2=fwiqMqSvAA2IL_>X!`wi5z!S^WQ#lYTb;WB2H|j{mrer(*uc zfbePw4_{{EMaFzW@5RkxL9as&a+$IW!C9D@PIM~ChGo;;I$vRt?y_ix->#ck(1cdz z^AN=x>+)KriKB+Egp_dN5`O^h&aNc{l_>6Yztf9(#{h6QbP|+x(z(%OIS%O<@oQPR zI2l_ep;}S_6eI*wgm(c%y zubZd;M>YN5$y4Wl-(vpvk`Anv1735dN6iDD>1eQGF8D>&>wNG}kqma3|O5Xe(U++E7Fa}$`Oz3%<#_U=k~=JqfN((7I(!VU#VPej)LA;Tq!Y_f2-qS#*|9cJ5HLqJ>^#HKQ0roq(&#k@u% z)BRt`aPg(bN_r$CCk>%{Pe!A+c#6}^EZe+YP(d>UM+*uT3W>*02~Ml8@RnA2eUWRe z)vmPSuk1#au6szlw;63#={n~i$I@5TrgA7ICnAex)w+=BfI&H+%v?m<*gk&(*^g*mHhj=rq-1Vd(@|N6o$2K=C3eZWDLSs}yv4yi zTi8mz_yQC#>0K!%6!ZC+4;f4EgWM<8IQSF%77>mX^m{43nY6BFB;e>1Pikg9Y=Cq? 
z#sY&lK-9ur%dVw$Hi49zz3*hY7}o$mUV6wXA;ke7f#%;?`|oV#bIS1!OYS+*6%h0~BA9b1zvraL>C z(jYGN+i@Ns=5H3X$AoUne!JY}jkG`W5LVDxUvC78<8oO8gb=0+-o;^t*?d^Z#Mzu+IOy zlc)OmziLu{t4iMBxUy~el54NU`UHWlwRT`t?SNX3?db=!k4f5bVLy~uvj6W!+EHOY zB%YCGWD$&*ETp{@#PhHHh@n)?_*TJL1w9&HC#f%d)}#MJ<>*n74J@Po$KB%${qG;1 z)bxKR&!f`+NB1PE*}xaT1|G>xslwW){g75kq`s1Ja6==PCuKp^>HnkM|MgCebN7Eo zoqkRKck%3u{wuk!J?jn;hlb)`XKQap@M~h9A;USU&5$dA$7=Hy^ur0vG!K2BJRt9y zk`eZeU-Q04+O=lj*c=^7Te0VoDn6~!WkPQ&n&P7@s)3_~b>CtVSER%u`~ z3OJskbXO|DD;`-Pyo^q3O)k8a6IDp@4Etz|ya5;XM6zz_#y1YE0#3=x5+p*X;Ce{P^OQW`l2?1z*H&WyZ$^;>085^T7Y?;^%;#22*)6b56X6m)n25^k6oB{ z1~V<|k7q*oO(3+t1$Pq}ABS(`*>F}L%a=E`>nrX2#Xh`d0FUUqYc;VWpWUTSxiJo|m^y+b(Zw>V4 z>vWr}$_|`uOHQPgT}VgBV?eRh_cKr!^x)mm}zn*ndJnVZ9fEHXya zm%MDnkyZm!iqFek^<&Xy`wzhW?(Kx)>0whi9;HpU{)k9q@=A>WAg0yJtfoZ-Wp-#d)n@^;LEk#dPd=y+;CKx zquqv8Qm2ZN6I}N7x?z?oo>r3;QC~B2E7fjlX3Gw<%b9&?hswv6p5#T<%ICkT2wjR5 zyACQ9>pOQ8Ov<#kn;=pJ&4$D$?-Ug6%i6z3Q2zS0YhlG3YOd(jq$HCYrtJksuS?2$Dc$BgK>vj9R zI{wQ}o|OHEr!&#(%Y$MEsCODAwDMmm6(d!6T}zR#)8-?0znaYkj)Py3%N-XwBTA-P zg_^$~a$ML1FP7WaytE1xEXB+0)nF-~o-ROvf}7+OeAaafsm#$a4@=L^`dw`05|x;q zlw>d|9l~+J5P9a)s3yJ4pMx#)WnPKFO(He%p%i=#B zc5?oIz1seFH%|$j2#I$dulsju-IoP+N@6-?tJVg@k1b3ZBfBryA~j?6OQAxMSV~k}XvkP$phX=mVB$sFIo0d9GaL0RJ&n3=sh8Dzm!86G|7xYqmY!w&f0MZH z=2_dq(WAQ8Y#_@99w~(Sf{9)~yjUd{t_{PAJ@u~n>paWp|AxU| zD%}5edKvoPJwB=F|8AZQ>Hl`3y4Ux@b=3Cf9<}{BM^leYwsbUgG!6Ou9Mk<}!PXtI zq7T6Xq~7WEWiI@Bfvzs+FxtOLex6fpj&xl;Y? 
z>RBTHZ4~$4JWJ%iqi!!3|F6@p?f-W26f^HkRR2ea-Cr#74KnVk^&Rl0%Hn1-t0rzL z_RpFnTHyU^-r4&NE1>=u@#X<&`k2Z8K0xkH#2-=UsX+UC;F9k%c?%j6#_-TbfDTy0C=UN84kDd3A| z{y7t*`snzjK1m>qg~t=B8{ zP6x2eYkR{)ubhnmrNWMwfJgb5MI6#G;woZLQ&wx{%&4Cy25e{lSEK*y<$W^GGWvg% zi~rv39@qE3J9$d3Z+4T-sid_Hvp7AHjJuqQ?mlbNSIn}$#H>tDz1a(%CG>v=ee7)- z0b-f`&*5R#{ADJt_IGH9`Iqj{`!{ zHrrSt|8Ua1A*}G+=_tskH|W6BK}9gnbVOV-Q03US|GiXiCna zP-@%&n;_o@;@G6fA`Zp}fFd7qJVSDKTJK@tHTFP&#*!6*7a>I>{0VuAdH=`DmI{kQ z0$EdZ3519O9|x$_Xr14Fyyb+V#vV8$(nc2=5!;w)iw`eEa`5_P|e&ViGZMd49nf zEp1TSXkib*wkk)-uZ_lcA1>dXw}$X{nX&#m#NQ z-iP0|`1to7(XQ0~XLuakqxr`~EN$^meB(Bj?f>3UKkNU|JL%N>e;3aP2V+F#VPXKf zonGhc`@^%&;o*7z`@^H}PA|G=-Paf0UhlYb+&w!!K05!tdw9`E2@%;dOBfA(>^k>o z&QjmR8;XOm)9duQPUp4L>o`?gY>mTl&CTnle(I-ww)p(t00030|Fl2I-T= 1.22.0-0" +description: A Helm chart for cert-manager +home: https://github.com/cert-manager/cert-manager +icon: https://raw.githubusercontent.com/cert-manager/cert-manager/d53c0b9270f8cd90d908460d69502694e1838f5f/logo/logo-small.png +keywords: + - cert-manager + - kube-lego + - letsencrypt + - tls +sources: + - https://github.com/cert-manager/cert-manager +maintainers: + - name: cert-manager-maintainers + email: cert-manager-maintainers@googlegroups.com + url: https://cert-manager.io +annotations: + artifacthub.io/license: Apache-2.0 + artifacthub.io/prerelease: "{{IS_PRERELEASE}}" diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/README.template.md b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/README.template.md new file mode 100644 index 0000000..3ac5d4e --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/README.template.md 
@@ -0,0 +1,1818 @@ +# cert-manager + +cert-manager is a Kubernetes addon to automate the management and issuance of +TLS certificates from various issuing sources. + +It will ensure certificates are valid and up to date periodically, and attempt +to renew certificates at an appropriate time before expiry. + +## Prerequisites + +- Kubernetes 1.22+ + +## Installing the Chart + +Full installation instructions, including details on how to configure extra +functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/). + +Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources. +This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. + +```bash +$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/{{RELEASE_VERSION}}/cert-manager.crds.yaml +``` + +To install the chart with the release name `my-release`: + +```console +## Add the Jetstack Helm repository +$ helm repo add jetstack https://charts.jetstack.io + +## Install the cert-manager helm chart +$ helm install my-release --namespace cert-manager --version {{RELEASE_VERSION}} jetstack/cert-manager +``` + +In order to begin issuing certificates, you will need to set up a ClusterIssuer +or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). + +More information on the different types of issuers and how to configure them +can be found in [our documentation](https://cert-manager.io/docs/configuration/). + +For information on how to configure cert-manager to automatically provision +Certificates for Ingress resources, take a look at the +[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/). 
+ +> **Tip**: List all releases using `helm list` + +## Upgrading the Chart + +Special considerations may be required when upgrading the Helm chart, and these +are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/). + +**Please check here before performing upgrades!** + +## Uninstalling the Chart + +To uninstall/delete the `my-release` deployment: + +```console +$ helm delete my-release +``` + +The command removes all the Kubernetes components associated with the chart and deletes the release. + +If you want to completely uninstall cert-manager from your cluster, you will also need to +delete the previously installed CustomResourceDefinition resources: + +```console +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/{{RELEASE_VERSION}}/cert-manager.crds.yaml +``` + +## Configuration + + +### Global + +#### **global.imagePullSecrets** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Reference to one or more secrets to be used when pulling images +ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + +For example: + +```yaml +imagePullSecrets: + - name: "image-pull-secret" +``` +#### **global.commonLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Labels to apply to all resources +Please note that this does not add labels to the resources created dynamically by the controllers. For these resources, you have to add the labels in the template in the cert-manager custom resource: eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress +eg. 
secretTemplate in CertificateSpec + ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec +#### **global.revisionHistoryLimit** ~ `number` + +The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + +#### **global.priorityClassName** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Optional priority class to be used for the cert-manager pods +#### **global.rbac.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Create required ClusterRoles and ClusterRoleBindings for cert-manager +#### **global.rbac.aggregateClusterRoles** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles +#### **global.podSecurityPolicy.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create PodSecurityPolicy for cert-manager + +NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 +#### **global.podSecurityPolicy.useAppArmor** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Configure the PodSecurityPolicy to use AppArmor +#### **global.logLevel** ~ `number` +> Default value: +> ```yaml +> 2 +> ``` + +Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. +#### **global.leaderElection.namespace** ~ `string` +> Default value: +> ```yaml +> kube-system +> ``` + +Override the namespace used for the leader election lease +#### **global.leaderElection.leaseDuration** ~ `string` + +The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. 
+ +#### **global.leaderElection.renewDeadline** ~ `string` + +The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. + +#### **global.leaderElection.retryPeriod** ~ `string` + +The duration the clients should wait between attempting acquisition and renewal of a leadership. + +#### **installCRDs** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Install the cert-manager CRDs, it is recommended to not use Helm to manage the CRDs +### Controller + +#### **replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` + +Number of replicas of the cert-manager controller to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. +#### **strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Deployment update strategy for the cert-manager controller deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` +#### **podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **podDisruptionBudget.minAvailable** ~ `number` + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. 
+ +#### **podDisruptionBudget.maxUnavailable** ~ `number` + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + +#### **featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated list of feature gates that should be enabled on the controller pod. +#### **maxConcurrentChallenges** ~ `number` +> Default value: +> ```yaml +> 60 +> ``` + +The maximum number of challenges that can be scheduled as 'processing' at once +#### **image.registry** ~ `string` + +The container registry to pull the manager image from + +#### **image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-controller +> ``` + +The container image for the cert-manager controller + +#### **image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +#### **image.digest** ~ `string` + +Setting a digest will override any tag + +#### **image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **clusterResourceNamespace** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. +#### **namespace** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +This namespace allows you to define where the services will be installed into if not set then they will use the namespace of the release. 
This is helpful when installing cert manager as a chart dependency (sub chart) +#### **serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **serviceAccount.annotations** ~ `object` + +Optional additional annotations to add to the controller's ServiceAccount + +#### **serviceAccount.labels** ~ `object` + +Optional additional labels to add to the controller's ServiceAccount + +#### **serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. +#### **automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **enableCertificateOwnerRef** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted +#### **config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Used to configure options for the controller pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. 
+ +For example: + +```yaml +config: + apiVersion: controller.config.cert-manager.io/v1alpha1 + kind: ControllerConfiguration + logging: + verbosity: 2 + format: text + leaderElectionConfig: + namespace: kube-system + kubernetesAPIQPS: 9000 + kubernetesAPIBurst: 9000 + numberOfConcurrentWorkers: 200 + featureGates: + AdditionalCertificateOutputFormats: true + DisallowInsecureCSRUsageDefinition: true + ExperimentalCertificateSigningRequestControllers: true + ExperimentalGatewayAPISupport: true + LiteralCertificateSubject: true + SecretsFilteredCaching: true + ServerSideApply: true + StableCertificateRequestName: true + UseCertificateRequestBasicConstraints: true + ValidateCAA: true + metricsTLSConfig: + dynamic: + secretNamespace: "cert-manager" + secretName: "cert-manager-metrics-ca" + dnsNames: + - cert-manager-metrics + - cert-manager-metrics.cert-manager + - cert-manager-metrics.cert-manager.svc +``` +#### **dns01RecursiveNameservers** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated string with host and port of the recursive nameservers cert-manager should query +#### **dns01RecursiveNameserversOnly** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers +#### **extraArgs** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional command line flags to pass to cert-manager controller binary. To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help + +Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver + +For example: + +```yaml +extraArgs: + - --controllers=*,-certificaterequests-approver +``` +#### **extraEnv** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional environment variables to pass to cert-manager controller binary. 
+#### **resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. +#### **volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. +#### **deploymentAnnotations** ~ `object` + +Optional additional annotations to add to the controller Deployment + +#### **podAnnotations** ~ `object` + +Optional additional annotations to add to the controller Pods + +#### **podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the controller Pods +#### **serviceAnnotations** ~ `object` + +Optional annotations to add to the controller Service + +#### **serviceLabels** ~ `object` + +Optional additional labels to add to the controller Service + +#### **podDnsPolicy** ~ `string` + +Pod DNS policy +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy + +#### **podDnsConfig** ~ `object` + +Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy settings. 
However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config + +#### **nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +#### **ingressShim.defaultIssuerName** ~ `string` + +Optional default issuer to use for ingress resources + +#### **ingressShim.defaultIssuerKind** ~ `string` + +Optional default issuer kind to use for ingress resources + +#### **ingressShim.defaultIssuerGroup** ~ `string` + +Optional default issuer group to use for ingress resources + +#### **http_proxy** ~ `string` + +Configures the HTTP_PROXY environment variable for where a HTTP proxy is required + +#### **https_proxy** ~ `string` + +Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required + +#### **no_proxy** ~ `string` + +Configures the NO_PROXY environment variable for where a HTTP proxy is required, but certain domains should be excluded + +#### **affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml 
+tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` +#### **livenessProbe** ~ `object` +> Default value: +> ```yaml +> enabled: true +> failureThreshold: 8 +> initialDelaySeconds: 10 +> periodSeconds: 10 +> successThreshold: 1 +> timeoutSeconds: 15 +> ``` + +LivenessProbe settings for the controller container of the controller Pod. + +Enabled by default, because we want to enable the clock-skew liveness probe that restarts the controller in case of a skew between the system clock and the monotonic clock. LivenessProbe durations and thresholds are based on those used for the Kubernetes controller-manager. See: https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + +#### **enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +### Prometheus + +#### **prometheus.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Enable Prometheus monitoring for the cert-manager controller to use with the. Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or +`prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment +resources. 
Additionally, a service is created which can be used together with your own ServiceMonitor (managed outside of this Helm chart). Otherwise, a ServiceMonitor/ PodMonitor is created. +#### **prometheus.servicemonitor.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create a ServiceMonitor to add cert-manager to Prometheus +#### **prometheus.servicemonitor.prometheusInstance** ~ `string` +> Default value: +> ```yaml +> default +> ``` + +Specifies the `prometheus` label on the created ServiceMonitor, this is used when different Prometheus instances have label selectors matching different ServiceMonitors. +#### **prometheus.servicemonitor.targetPort** ~ `number` +> Default value: +> ```yaml +> 9402 +> ``` + +The target port to set on the ServiceMonitor, should match the port that cert-manager controller is listening on for metrics +#### **prometheus.servicemonitor.path** ~ `string` +> Default value: +> ```yaml +> /metrics +> ``` + +The path to scrape for metrics +#### **prometheus.servicemonitor.interval** ~ `string` +> Default value: +> ```yaml +> 60s +> ``` + +The interval to scrape metrics +#### **prometheus.servicemonitor.scrapeTimeout** ~ `string` +> Default value: +> ```yaml +> 30s +> ``` + +The timeout before a metrics scrape fails +#### **prometheus.servicemonitor.labels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional labels to add to the ServiceMonitor +#### **prometheus.servicemonitor.annotations** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional annotations to add to the ServiceMonitor +#### **prometheus.servicemonitor.honorLabels** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Keep labels from scraped data, overriding server-side labels. +#### **prometheus.servicemonitor.endpointAdditionalProperties** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. 
+ +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + +#### **prometheus.podmonitor.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create a PodMonitor to add cert-manager to Prometheus +#### **prometheus.podmonitor.prometheusInstance** ~ `string` +> Default value: +> ```yaml +> default +> ``` + +Specifies the `prometheus` label on the created PodMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor. +#### **prometheus.podmonitor.path** ~ `string` +> Default value: +> ```yaml +> /metrics +> ``` + +The path to scrape for metrics +#### **prometheus.podmonitor.interval** ~ `string` +> Default value: +> ```yaml +> 60s +> ``` + +The interval to scrape metrics +#### **prometheus.podmonitor.scrapeTimeout** ~ `string` +> Default value: +> ```yaml +> 30s +> ``` + +The timeout before a metrics scrape fails +#### **prometheus.podmonitor.labels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional labels to add to the PodMonitor +#### **prometheus.podmonitor.annotations** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Additional annotations to add to the PodMonitor +#### **prometheus.podmonitor.honorLabels** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Keep labels from scraped data, overriding server-side labels. +#### **prometheus.podmonitor.endpointAdditionalProperties** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. 
+ +For example: + +```yaml +endpointAdditionalProperties: + relabelings: + - action: replace + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: instance +``` + + + +### Webhook + +#### **webhook.replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` + +Number of replicas of the cert-manager webhook to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. +#### **webhook.timeoutSeconds** ~ `number` +> Default value: +> ```yaml +> 30 +> ``` + +Seconds the API server should wait for the webhook to respond before treating the call as a failure. +Value must be between 1 and 30 seconds. See: +https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ + +We set the default to the maximum value of 30 seconds. Here's why: Users sometimes report that the connection between the K8S API server and the cert-manager webhook server times out. If *this* timeout is reached, the error message will be "context deadline exceeded", which doesn't help the user diagnose what phase of the HTTPS connection timed out. For example, it could be during DNS resolution, TCP connection, TLS negotiation, HTTP negotiation, or slow HTTP response from the webhook server. So by setting this timeout to its maximum value the underlying timeout error message has more chance of being returned to the end user. +#### **webhook.config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Used to configure options for the webhook pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: webhook.config.cert-manager.io/v1alpha1 +kind: WebhookConfiguration +# The port that the webhook should listen on for requests. 
+# In GKE private clusters, by default kubernetes apiservers are allowed to +# talk to the cluster nodes only on 443 and 10250. so configuring +# securePort: 10250, will work out of the box without needing to add firewall +# rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. +# This should be uncommented and set as a default by the chart once we graduate +# the apiVersion of WebhookConfiguration past v1alpha1. +securePort: 10250 +``` +#### **webhook.strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Deployment update strategy for the cert-manager webhook deployment. See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` +#### **webhook.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the webhook component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **webhook.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the webhook component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **webhook.podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **webhook.podDisruptionBudget.minAvailable** ~ `number` + +Configures the minimum available pods for disruptions. 
Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + +#### **webhook.podDisruptionBudget.maxUnavailable** ~ `number` + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. + +#### **webhook.deploymentAnnotations** ~ `object` + +Optional additional annotations to add to the webhook Deployment + +#### **webhook.podAnnotations** ~ `object` + +Optional additional annotations to add to the webhook Pods + +#### **webhook.serviceAnnotations** ~ `object` + +Optional additional annotations to add to the webhook Service + +#### **webhook.mutatingWebhookConfigurationAnnotations** ~ `object` + +Optional additional annotations to add to the webhook MutatingWebhookConfiguration + +#### **webhook.validatingWebhookConfigurationAnnotations** ~ `object` + +Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + +#### **webhook.validatingWebhookConfiguration.namespaceSelector** ~ `object` +> Default value: +> ```yaml +> matchExpressions: +> - key: cert-manager.io/disable-validation +> operator: NotIn +> values: +> - "true" +> ``` + +Configure spec.namespaceSelector for validating webhooks. + +#### **webhook.mutatingWebhookConfiguration.namespaceSelector** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Configure spec.namespaceSelector for mutating webhooks. + +#### **webhook.extraArgs** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional command line flags to pass to cert-manager webhook binary. To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help +#### **webhook.featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated list of feature gates that should be enabled on the webhook pod. 
+#### **webhook.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager webhook pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **webhook.livenessProbe** ~ `object` +> Default value: +> ```yaml +> failureThreshold: 3 +> initialDelaySeconds: 60 +> periodSeconds: 10 +> successThreshold: 1 +> timeoutSeconds: 1 +> ``` + +Liveness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + +#### **webhook.readinessProbe** ~ `object` +> Default value: +> ```yaml +> failureThreshold: 3 +> initialDelaySeconds: 5 +> periodSeconds: 5 +> successThreshold: 1 +> timeoutSeconds: 1 +> ``` + +Readiness probe values +ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + +#### **webhook.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ +#### **webhook.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **webhook.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **webhook.topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` +#### **webhook.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the Webhook Pods +#### **webhook.serviceLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the Webhook Service +#### **webhook.image.registry** ~ `string` + +The container registry to pull the webhook image from + +#### **webhook.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-webhook +> ``` + +The container image for the cert-manager webhook + +#### **webhook.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. 
If no value is set, the chart's appVersion will be used. + +#### **webhook.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **webhook.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **webhook.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **webhook.serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **webhook.serviceAccount.annotations** ~ `object` + +Optional additional annotations to add to the controller's ServiceAccount + +#### **webhook.serviceAccount.labels** ~ `object` + +Optional additional labels to add to the webhook's ServiceAccount + +#### **webhook.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. +#### **webhook.automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **webhook.securePort** ~ `number` +> Default value: +> ```yaml +> 10250 +> ``` + +The port that the webhook should listen on for requests. In GKE private clusters, by default kubernetes apiservers are allowed to talk to the cluster nodes only on 443 and 10250. so configuring securePort: 10250, will work out of the box without needing to add firewall rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 +#### **webhook.hostNetwork** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Specifies if the webhook should be started in hostNetwork mode. + +Required for use in some managed kubernetes clusters (such as AWS EKS) with custom. 
CNI (such as calico), because control-plane managed by AWS cannot communicate with pods' IP CIDR and admission webhooks are not working + +Since the default port for the webhook conflicts with kubelet on the host network, `webhook.securePort` should be changed to an available port if running in hostNetwork mode. +#### **webhook.serviceType** ~ `string` +> Default value: +> ```yaml +> ClusterIP +> ``` + +Specifies how the service should be handled. Useful if you want to expose the webhook to outside of the cluster. In some cases, the control plane cannot reach internal services. +#### **webhook.loadBalancerIP** ~ `string` + +Specify the load balancer IP for the created service + +#### **webhook.url** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Overrides the mutating webhook and validating webhook so they reach the webhook service using the `url` field instead of a service. +#### **webhook.networkPolicy.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Create network policies for the webhooks +#### **webhook.networkPolicy.ingress** ~ `array` +> Default value: +> ```yaml +> - from: +> - ipBlock: +> cidr: 0.0.0.0/0 +> ``` + +Ingress rule for the webhook network policy, by default will allow all inbound traffic + +#### **webhook.networkPolicy.egress** ~ `array` +> Default value: +> ```yaml +> - ports: +> - port: 80 +> protocol: TCP +> - port: 443 +> protocol: TCP +> - port: 53 +> protocol: TCP +> - port: 53 +> protocol: UDP +> - port: 6443 +> protocol: TCP +> to: +> - ipBlock: +> cidr: 0.0.0.0/0 +> ``` + +Egress rule for the webhook network policy, by default will allow all outbound traffic traffic to ports 80 and 443, as well as DNS ports + +#### **webhook.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. +#### **webhook.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. 
+#### **webhook.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. +### CA Injector + +#### **cainjector.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Create the CA Injector deployment +#### **cainjector.replicaCount** ~ `number` +> Default value: +> ```yaml +> 1 +> ``` + +Number of replicas of the cert-manager cainjector to run. + +The default is 1, but in production you should set this to 2 or 3 to provide high availability. + +If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + +Note: cert-manager uses leader election to ensure that there can only be a single instance active at a time. +#### **cainjector.config** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Used to configure options for the cainjector pod. +This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. +Flags will override options that are set here. + +For example: + +```yaml +apiVersion: cainjector.config.cert-manager.io/v1alpha1 +kind: CAInjectorConfiguration +logging: + verbosity: 2 + format: text +leaderElectionConfig: + namespace: kube-system +``` +#### **cainjector.strategy** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Deployment update strategy for the cert-manager cainjector deployment. 
See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + +For example: + +```yaml +strategy: + type: RollingUpdate + rollingUpdate: + maxSurge: 0 + maxUnavailable: 1 +``` +#### **cainjector.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the cainjector component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **cainjector.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the cainjector component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **cainjector.podDisruptionBudget.enabled** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +Enable or disable the PodDisruptionBudget resource + +This prevents downtime during voluntary disruptions such as during a Node upgrade. For example, the PodDisruptionBudget will block `kubectl drain` if it is used on the Node where the only remaining cert-manager +Pod is currently running. +#### **cainjector.podDisruptionBudget.minAvailable** ~ `number` + +Configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `maxUnavailable` is set. + +#### **cainjector.podDisruptionBudget.maxUnavailable** ~ `number` + +Configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +Cannot be used if `minAvailable` is set. 
+ +#### **cainjector.deploymentAnnotations** ~ `object` + +Optional additional annotations to add to the cainjector Deployment + +#### **cainjector.podAnnotations** ~ `object` + +Optional additional annotations to add to the cainjector Pods + +#### **cainjector.extraArgs** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional command line flags to pass to cert-manager cainjector binary. To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help +#### **cainjector.featureGates** ~ `string` +> Default value: +> ```yaml +> "" +> ``` + +Comma separated list of feature gates that should be enabled on the cainjector pod. +#### **cainjector.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager cainjector pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **cainjector.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ +#### **cainjector.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **cainjector.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **cainjector.topologySpreadConstraints** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + +For example: + +```yaml +topologySpreadConstraints: +- maxSkew: 2 + topologyKey: topology.kubernetes.io/zone + whenUnsatisfiable: ScheduleAnyway + labelSelector: + matchLabels: + app.kubernetes.io/instance: cert-manager + app.kubernetes.io/component: controller +``` +#### **cainjector.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the CA Injector Pods +#### **cainjector.image.registry** ~ `string` + +The container registry to pull the cainjector image from + +#### **cainjector.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-cainjector +> ``` + +The container image for the cert-manager cainjector + +#### **cainjector.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. 
+ +#### **cainjector.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **cainjector.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **cainjector.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **cainjector.serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **cainjector.serviceAccount.annotations** ~ `object` + +Optional additional annotations to add to the controller's ServiceAccount + +#### **cainjector.serviceAccount.labels** ~ `object` + +Optional additional labels to add to the cainjector's ServiceAccount + +#### **cainjector.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. +#### **cainjector.automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **cainjector.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. +#### **cainjector.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. +#### **cainjector.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. 
+### ACME Solver + +#### **acmesolver.image.registry** ~ `string` + +The container registry to pull the acmesolver image from + +#### **acmesolver.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-acmesolver +> ``` + +The container image for the cert-manager acmesolver + +#### **acmesolver.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +#### **acmesolver.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **acmesolver.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +### Startup API Check + + +This startupapicheck is a Helm post-install hook that waits for the webhook endpoints to become available. The check is implemented using a Kubernetes Job - if you are injecting mesh sidecar proxies into cert-manager pods, you probably want to ensure that they are not injected into this Job's pod. Otherwise the installation may time out due to the Job never being completed because the sidecar proxy does not exit. See https://github.com/cert-manager/cert-manager/pull/4414 for context. 
+#### **startupapicheck.enabled** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Enables the startup api check +#### **startupapicheck.securityContext** ~ `object` +> Default value: +> ```yaml +> runAsNonRoot: true +> seccompProfile: +> type: RuntimeDefault +> ``` + +Pod Security Context to be set on the startupapicheck component Pod +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **startupapicheck.containerSecurityContext** ~ `object` +> Default value: +> ```yaml +> allowPrivilegeEscalation: false +> capabilities: +> drop: +> - ALL +> readOnlyRootFilesystem: true +> ``` + +Container Security Context to be set on the controller component container +ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + +#### **startupapicheck.timeout** ~ `string` +> Default value: +> ```yaml +> 1m +> ``` + +Timeout for 'kubectl check api' command +#### **startupapicheck.backoffLimit** ~ `number` +> Default value: +> ```yaml +> 4 +> ``` + +Job backoffLimit +#### **startupapicheck.jobAnnotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "1" +> ``` + +Optional additional annotations to add to the startupapicheck Job + +#### **startupapicheck.podAnnotations** ~ `object` + +Optional additional annotations to add to the startupapicheck Pods + +#### **startupapicheck.extraArgs** ~ `array` +> Default value: +> ```yaml +> - -v +> ``` + +Additional command line flags to pass to startupapicheck binary. To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help + +We enable verbose logging by default so that if startupapicheck fails, users can know what exactly caused the failure. Verbose logs include details of the webhook URL, IP address and TCP connect errors for example. 
+ +#### **startupapicheck.resources** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Resources to provide to the cert-manager controller pod + +For example: + +```yaml +requests: + cpu: 10m + memory: 32Mi +``` + +ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +#### **startupapicheck.nodeSelector** ~ `object` +> Default value: +> ```yaml +> kubernetes.io/os: linux +> ``` + +The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with matching labels. See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + +This default ensures that Pods are only scheduled to Linux nodes. It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. + +#### **startupapicheck.affinity** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + +For example: + +```yaml +affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: foo.bar.com/role + operator: In + values: + - master +``` +#### **startupapicheck.tolerations** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + +For example: + +```yaml +tolerations: +- key: foo.bar.com/role + operator: Equal + value: master + effect: NoSchedule +``` +#### **startupapicheck.podLabels** ~ `object` +> Default value: +> ```yaml +> {} +> ``` + +Optional additional labels to add to the startupapicheck Pods +#### **startupapicheck.image.registry** ~ `string` + +The container registry to pull the startupapicheck image from + +#### **startupapicheck.image.repository** ~ `string` +> Default value: +> ```yaml +> quay.io/jetstack/cert-manager-startupapicheck +> ``` + +The container image for the cert-manager startupapicheck + 
+#### **startupapicheck.image.tag** ~ `string` + +Override the image tag to deploy by setting this variable. If no value is set, the chart's appVersion will be used. + +#### **startupapicheck.image.digest** ~ `string` + +Setting a digest will override any tag + +#### **startupapicheck.image.pullPolicy** ~ `string` +> Default value: +> ```yaml +> IfNotPresent +> ``` + +Kubernetes imagePullPolicy on Deployment. +#### **startupapicheck.rbac.annotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "-5" +> ``` + +annotations for the startup API Check job RBAC and PSP resources + +#### **startupapicheck.automountServiceAccountToken** ~ `bool` + +Automounting API credentials for a particular pod + +#### **startupapicheck.serviceAccount.create** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Specifies whether a service account should be created +#### **startupapicheck.serviceAccount.name** ~ `string` + +The name of the service account to use. +If not set and create is true, a name is generated using the fullname template + +#### **startupapicheck.serviceAccount.annotations** ~ `object` +> Default value: +> ```yaml +> helm.sh/hook: post-install +> helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded +> helm.sh/hook-weight: "-5" +> ``` + +Optional additional annotations to add to the Job's ServiceAccount + +#### **startupapicheck.serviceAccount.automountServiceAccountToken** ~ `bool` +> Default value: +> ```yaml +> true +> ``` + +Automount API credentials for a Service Account. + +#### **startupapicheck.serviceAccount.labels** ~ `object` + +Optional additional labels to add to the startupapicheck's ServiceAccount + +#### **startupapicheck.volumes** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volumes to add to the cert-manager controller pod. 
+#### **startupapicheck.volumeMounts** ~ `array` +> Default value: +> ```yaml +> [] +> ``` + +Additional volume mounts to add to the cert-manager controller container. +#### **startupapicheck.enableServiceLinks** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +enableServiceLinks indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. + + +### Default Security Contexts + +The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies. + +Default pod-level securityContext: +```yaml +runAsNonRoot: true +seccompProfile: + type: RuntimeDefault +``` + +Default containerSecurityContext: +```yaml +allowPrivilegeEscalation: false +capabilities: + drop: + - ALL +``` + +### Assigning Values + +Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. + +Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, + +```console +$ helm install my-release -f values.yaml . +``` +> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml) + +## Contributing + +This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager). diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/signkey_annotation.txt b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/signkey_annotation.txt new file mode 100644 index 0000000..13f5c8c --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/signkey_annotation.txt 
@@ -0,0 +1,2 @@
+fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
+url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/NOTES.txt b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/NOTES.txt
new file mode 100644
index 0000000..1025354
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/NOTES.txt
@@ -0,0 +1,15 @@
+cert-manager {{ .Chart.AppVersion }} has been deployed successfully!
+
+In order to begin issuing certificates, you will need to set up a ClusterIssuer
+or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
+
+More information on the different types of issuers and how to configure them
+can be found in our documentation:
+
+https://cert-manager.io/docs/configuration/
+
+For information on how to configure cert-manager to automatically provision
+Certificates for Ingress resources, take a look at the `ingress-shim`
+documentation:
+
+https://cert-manager.io/docs/usage/ingress/
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/_helpers.tpl b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/_helpers.tpl
new file mode 100644
index 0000000..067fe6a
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/_helpers.tpl
@@ -0,0 +1,188 @@ +{{/* vim: set filetype=mustache: */}} +{{/* +Expand the name of the chart. +*/}} +{{- define "cert-manager.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +*/}} +{{- define "cert-manager.fullname" -}} +{{- if .Values.fullnameOverride -}} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- $name := default .Chart.Name .Values.nameOverride -}} +{{- if contains $name .Release.Name -}} +{{- .Release.Name | trunc 63 | trimSuffix "-" -}} +{{- else -}} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}} +{{- end -}} +{{- end -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cert-manager.serviceAccountName" -}} +{{- if .Values.serviceAccount.create -}} + {{ default (include "cert-manager.fullname" .) .Values.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Webhook templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'webhook' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "webhook.name" -}} +{{- printf "webhook" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "webhook.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 55 | trimSuffix "-" -}} +{{- printf "%s-webhook" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{- define "webhook.caRef" -}} +{{- template "cert-manager.namespace" }}/{{ template "webhook.fullname" . 
}}-ca +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "webhook.serviceAccountName" -}} +{{- if .Values.webhook.serviceAccount.create -}} + {{ default (include "webhook.fullname" .) .Values.webhook.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.webhook.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +cainjector templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'cainjector' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "cainjector.name" -}} +{{- printf "cainjector" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "cainjector.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}} +{{- printf "%s-cainjector" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "cainjector.serviceAccountName" -}} +{{- if .Values.cainjector.serviceAccount.create -}} + {{ default (include "cainjector.fullname" .) .Values.cainjector.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.cainjector.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +startupapicheck templates +*/}} + +{{/* +Expand the name of the chart. +Manually fix the 'app' and 'name' labels to 'startupapicheck' to maintain +compatibility with the v0.9 deployment selector. +*/}} +{{- define "startupapicheck.name" -}} +{{- printf "startupapicheck" -}} +{{- end -}} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. 
+*/}} +{{- define "startupapicheck.fullname" -}} +{{- $trimmedName := printf "%s" (include "cert-manager.fullname" .) | trunc 52 | trimSuffix "-" -}} +{{- printf "%s-startupapicheck" $trimmedName | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Create the name of the service account to use +*/}} +{{- define "startupapicheck.serviceAccountName" -}} +{{- if .Values.startupapicheck.serviceAccount.create -}} + {{ default (include "startupapicheck.fullname" .) .Values.startupapicheck.serviceAccount.name }} +{{- else -}} + {{ default "default" .Values.startupapicheck.serviceAccount.name }} +{{- end -}} +{{- end -}} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "chartName" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}} +{{- end -}} + +{{/* +Labels that should be added on each resource +*/}} +{{- define "labels" -}} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- if eq (default "helm" .Values.creator) "helm" }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +helm.sh/chart: {{ include "chartName" . }} +{{- end -}} +{{- if .Values.global.commonLabels}} +{{ toYaml .Values.global.commonLabels }} +{{- end }} +{{- end -}} + +{{/* +Namespace for all resources to be installed into +If not defined in values file then the helm release namespace is used +By default this is not set so the helm release namespace will be used + +This gets around an problem within helm discussed here +https://github.com/helm/helm/issues/5358 +*/}} +{{- define "cert-manager.namespace" -}} + {{ .Values.namespace | default .Release.Namespace }} +{{- end -}} + +{{/* +Util function for generating the image URL based on the provided options. +IMPORTANT: This function is standarized across all charts in the cert-manager GH organization. +Any changes to this function should also be made in cert-manager, trust-manager, approver-policy, ... 
+See https://github.com/cert-manager/cert-manager/issues/6329 for a list of linked PRs. +*/}} +{{- define "image" -}} +{{- $defaultTag := index . 1 -}} +{{- with index . 0 -}} +{{- if .registry -}}{{ printf "%s/%s" .registry .repository }}{{- else -}}{{- .repository -}}{{- end -}} +{{- if .digest -}}{{ printf "@%s" .digest }}{{- else -}}{{ printf ":%s" (default $defaultTag .tag) }}{{- end -}} +{{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-config.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-config.yaml new file mode 100644 index 0000000..82399cc --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-config.yaml @@ -0,0 +1,18 @@ +{{- if .Values.cainjector.config -}} +{{- $_ := .Values.cainjector.config.apiVersion | required ".Values.cainjector.config.apiVersion must be set !" -}} +{{- $_ := .Values.cainjector.config.kind | required ".Values.cainjector.config.kind must be set !" -}} +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "cainjector.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +data: + config.yaml: | + {{- .Values.cainjector.config | toYaml | nindent 4 }} +{{- end -}} \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-deployment.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-deployment.yaml new file mode 100644 index 0000000..34fce65 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-deployment.yaml 
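Review bot: The four `*.serviceAccountName` helpers fall back to the literal `"default"` ServiceAccount whenever `serviceAccount.create` is false and `serviceAccount.name` is unset (`{{ default "default" .Values.serviceAccount.name }}` and its webhook, cainjector and startupapicheck twins). If the chart's RBAC templates bind to the name these helpers return — which the `rbac.yaml` and `cainjector-rbac.yaml` entries in the diffstat suggest but this hunk does not show — an operator who disables SA creation without naming a replacement silently grants cert-manager's cluster-wide permissions (it reads and writes Secrets across namespaces) to the namespace's `default` SA, which every pod without an explicit `serviceAccountName` also runs as. This mirrors the upstream cert-manager chart, so the vendored copy may deliberately keep it, but for a marketplace offering a hard failure is the safer default: replace each `default "default"` branch with `{{ required "serviceAccount.name must be set when serviceAccount.create is false" .Values.serviceAccount.name }}`. If the fallback is kept, a comment above each helper such as `{{/* NOTE: when create=false and no name is given, RBAC is bound to the shared "default" SA of the namespace */}}` would at least make the trade-off visible to whoever sets those values.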
@@ -0,0 +1,124 @@ +{{- if .Values.cainjector.enabled }} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "cainjector.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} + {{- with .Values.cainjector.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.cainjector.replicaCount }} + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- with .Values.cainjector.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 8 }} + {{- with .Values.cainjector.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + serviceAccountName: {{ template "cainjector.serviceAccountName" . 
}} + {{- if hasKey .Values.cainjector "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.cainjector.automountServiceAccountToken }} + {{- end }} + enableServiceLinks: {{ .Values.cainjector.enableServiceLinks }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.cainjector.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-cainjector + image: {{ printf "%s/%s:%s" .Values.global.azure.images.certManagerCainjector.registry .Values.global.azure.images.certManagerCainjector.image .Values.global.azure.images.certManagerCainjector.tag }} + imagePullPolicy: {{ .Values.cainjector.image.pullPolicy }} + args: + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }} + - --v={{ .Values.global.logLevel }} + {{- end }} + {{- with .Values.global.leaderElection }} + - --leader-election-namespace={{ .namespace }} + {{- if .leaseDuration }} + - --leader-election-lease-duration={{ .leaseDuration }} + {{- end }} + {{- if .renewDeadline }} + - --leader-election-renew-deadline={{ .renewDeadline }} + {{- end }} + {{- if .retryPeriod }} + - --leader-election-retry-period={{ .retryPeriod }} + {{- end }} + {{- end }} + {{- with .Values.cainjector.featureGates}} + - --feature-gates={{ . }} + {{- end}} + {{- with .Values.cainjector.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.cainjector.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cainjector.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.cainjector.volumeMounts }} + volumeMounts: + {{- toYaml . 
| nindent 12 }} + {{- end }} + {{- with .Values.cainjector.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.cainjector.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml new file mode 100644 index 0000000..6a7d609 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-poddisruptionbudget.yaml 
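Review bot: The `image:` line builds the cainjector image with `printf "%s/%s:%s"` from `.Values.global.azure.images.certManagerCainjector`, which bypasses the chart's own `image` helper and therefore loses its `{{- if .digest -}}` branch, so a marketplace bundle can only reference this image by mutable tag and cannot be pinned to the exact artefact that was reviewed. The controller and ACME-solver images in deployment.yaml use the same construction. Routing through the helper, e.g. `image: {{ include "image" (tuple (dict "registry" .Values.global.azure.images.certManagerCainjector.registry "repository" .Values.global.azure.images.certManagerCainjector.image "tag" .Values.global.azure.images.certManagerCainjector.tag) .Chart.AppVersion) }}`, and adding a digest entry to the Azure image values would restore digest pinning without changing the default tag behaviour. Note also that `imagePullPolicy` still reads `.Values.cainjector.image.pullPolicy` while the image itself no longer reads `.Values.cainjector.image` at all, which deserves a values comment so the two sources do not drift.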
@@ -0,0 +1,29 @@
+{{- if .Values.cainjector.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "cainjector.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+ {{- include "labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+
+ {{- if not (or (hasKey .Values.cainjector.podDisruptionBudget "minAvailable") (hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable")) }}
+ minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+ {{- end }}
+ {{- if hasKey .Values.cainjector.podDisruptionBudget "minAvailable" }}
+ minAvailable: {{ .Values.cainjector.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if hasKey .Values.cainjector.podDisruptionBudget "maxUnavailable" }}
+ maxUnavailable: {{ .Values.cainjector.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml
new file mode 100644
index 0000000..b75b9eb
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrole.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.cainjector.enabled }}
+{{- if .Values.global.podSecurityPolicy.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "cainjector.fullname" . }}-psp
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+ {{- include "labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "cainjector.fullname" . }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml
new file mode 100644
index 0000000..e2bfa26
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp-clusterrolebinding.yaml
@@ -0,0 +1,22 @@
+{{- if .Values.cainjector.enabled }}
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "cainjector.fullname" . }}-psp
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+ {{- include "labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "cainjector.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "cainjector.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp.yaml
new file mode 100644
index 0000000..24f01da
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-psp.yaml
@@ -0,0 +1,51 @@
+{{- if .Values.cainjector.enabled }}
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "cainjector.fullname" . }}
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+ {{- include "labels" . | nindent 4 }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: [] # default set of capabilities are implicitly allowed
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+{{- end }}
+{{- end }}
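Review bot: The `apiVersion: policy/v1beta1` / `kind: PodSecurityPolicy` resource is gated only on `.Values.global.podSecurityPolicy.enabled`; PodSecurityPolicy was removed from Kubernetes in v1.25, so turning that flag on against a current cluster makes the release fail at apply time rather than adding any hardening. The same applies to psp.yaml and to the PSP ClusterRole/ClusterRoleBinding templates for both the controller and cainjector. A one-line comment next to the guard, `{{- /* PodSecurityPolicy was removed in Kubernetes 1.25; keep this disabled on current clusters and use Pod Security Admission namespace labels instead */ -}}`, or an equivalent sentence in the chart README, would keep operators from discovering this at install time.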
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-rbac.yaml
new file mode 100644
index 0000000..2aa59ee
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-rbac.yaml
@@ -0,0 +1,103 @@ +{{- if .Values.cainjector.enabled }} +{{- if .Values.global.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["get", "create", "update", "patch"] + - apiGroups: ["admissionregistration.k8s.io"] + resources: ["validatingwebhookconfigurations", "mutatingwebhookconfigurations"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiregistration.k8s.io"] + resources: ["apiservices"] + verbs: ["get", "list", "watch", "update", "patch"] + - apiGroups: ["apiextensions.k8s.io"] + resources: ["customresourcedefinitions"] + verbs: ["get", "list", "watch", "update", "patch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cainjector.fullname" . }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cainjector.fullname" . }} +subjects: + - name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- +# leader election rules +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "cainjector.fullname" . 
}}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +rules: + # Used for leader election by the controller + # cert-manager-cainjector-leader-election is used by the CertificateBased injector controller + # see cmd/cainjector/start.go#L113 + # cert-manager-cainjector-leader-election-core is used by the SecretBased injector controller + # see cmd/cainjector/start.go#L137 + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-cainjector-leader-election", "cert-manager-cainjector-leader-election-core"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] + +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "cainjector.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cainjector.name" . }} + app.kubernetes.io/name: {{ include "cainjector.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cainjector" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cainjector.fullname" . }}:leaderelection +subjects: + - kind: ServiceAccount + name: {{ template "cainjector.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} +{{- end }} 
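Review bot: The comment `# grant cert-manager permission to manage the leaderelection configmap in the leader election namespace` above the RoleBinding is stale: the Role it binds grants `coordination.k8s.io` `leases`, not configmaps, so `# grant cainjector permission to manage its leader-election leases in the leader election namespace` would match the rules that follow. The same wording appears in rbac.yaml, whose hunk continues past the end of this chunk. Separately, the ClusterRole's `get`/`list`/`watch` on `secrets` across all namespaces is inherent to how cainjector operates, but for a marketplace distribution it is worth stating in the chart README so reviewers auditing cluster-wide privileges can see it is expected rather than an accident of vendoring.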
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-serviceaccount.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-serviceaccount.yaml
new file mode 100644
index 0000000..fedc731
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/cainjector-serviceaccount.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.cainjector.enabled }}
+{{- if .Values.cainjector.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.cainjector.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ template "cainjector.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ {{- with .Values.cainjector.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "cainjector.name" . }}
+ app.kubernetes.io/name: {{ include "cainjector.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "cainjector"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.cainjector.serviceAccount.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/controller-config.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/controller-config.yaml
new file mode 100644
index 0000000..25f62ef
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/controller-config.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.config -}}
+{{- $_ := .Values.config.apiVersion | required ".Values.config.apiVersion must be set !" -}}
+{{- $_ := .Values.config.kind | required ".Values.config.kind must be set !" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "cert-manager.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "controller"
+ {{- include "labels" . | nindent 4 }}
+data:
+ config.yaml: |
+ {{- .Values.config | toYaml | nindent 4 }}
+{{- end -}}
\ No newline at end of file
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/deployment.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/deployment.yaml
new file mode 100644
index 0000000..103de8a
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/deployment.yaml
@@ -0,0 +1,223 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ template "cert-manager.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ template "cert-manager.name" . }} + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- with .Values.deploymentAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + replicas: {{ .Values.replicaCount }} + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}} + {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }} + revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }} + {{- end }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- with .Values.strategy }} + strategy: + {{- toYaml . | nindent 4 }} + {{- end }} + template: + metadata: + labels: + app: {{ template "cert-manager.name" . }} + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 8 }} + {{- with .Values.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if and .Values.prometheus.enabled (not .Values.prometheus.servicemonitor.enabled) }} + {{- if not .Values.podAnnotations }} + annotations: + {{- end }} + prometheus.io/path: "/metrics" + prometheus.io/scrape: 'true' + prometheus.io/port: '9402' + {{- end }} + spec: + serviceAccountName: {{ template "cert-manager.serviceAccountName" . 
}} + {{- if hasKey .Values "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.automountServiceAccountToken }} + {{- end }} + enableServiceLinks: {{ .Values.enableServiceLinks }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.securityContext }} + securityContext: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- if or .Values.volumes .Values.config}} + volumes: + {{- if .Values.config }} + - name: config + configMap: + name: {{ include "cert-manager.fullname" . }} + {{- end }} + {{ with .Values.volumes }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-controller + image: {{ printf "%s/%s:%s" .Values.global.azure.images.certManager.registry .Values.global.azure.images.certManager.image .Values.global.azure.images.certManager.tag }} + imagePullPolicy: {{ .Values.image.pullPolicy }} + args: + {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. 
*/ -}} + {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }} + - --v={{ .Values.global.logLevel }} + {{- end }} + {{- if .Values.config }} + - --config=/var/cert-manager/config/config.yaml + {{- end }} + {{- $config := default .Values.config "" }} + {{- if .Values.clusterResourceNamespace }} + - --cluster-resource-namespace={{ .Values.clusterResourceNamespace }} + {{- else }} + - --cluster-resource-namespace=$(POD_NAMESPACE) + {{- end }} + {{- with .Values.global.leaderElection }} + - --leader-election-namespace={{ .namespace }} + {{- if .leaseDuration }} + - --leader-election-lease-duration={{ .leaseDuration }} + {{- end }} + {{- if .renewDeadline }} + - --leader-election-renew-deadline={{ .renewDeadline }} + {{- end }} + {{- if .retryPeriod }} + - --leader-election-retry-period={{ .retryPeriod }} + {{- end }} + {{- end }} + - --acme-http01-solver-image={{ printf "%s/%s:%s" .Values.global.azure.images.certManagerAcmesolver.registry .Values.global.azure.images.certManagerAcmesolver.image .Values.global.azure.images.certManagerAcmesolver.tag }} + {{- with .Values.extraArgs }} + {{- toYaml . 
| nindent 10 }} + {{- end }} + {{- with .Values.ingressShim }} + {{- if .defaultIssuerName }} + - --default-issuer-name={{ .defaultIssuerName }} + {{- end }} + {{- if .defaultIssuerKind }} + - --default-issuer-kind={{ .defaultIssuerKind }} + {{- end }} + {{- if .defaultIssuerGroup }} + - --default-issuer-group={{ .defaultIssuerGroup }} + {{- end }} + {{- end }} + {{- if .Values.featureGates }} + - --feature-gates={{ .Values.featureGates }} + {{- end }} + {{- if .Values.maxConcurrentChallenges }} + - --max-concurrent-challenges={{ .Values.maxConcurrentChallenges }} + {{- end }} + {{- if .Values.enableCertificateOwnerRef }} + - --enable-certificate-owner-ref=true + {{- end }} + {{- if .Values.dns01RecursiveNameserversOnly }} + - --dns01-recursive-nameservers-only=true + {{- end }} + {{- with .Values.dns01RecursiveNameservers }} + - --dns01-recursive-nameservers={{ . }} + {{- end }} + ports: + - containerPort: 9402 + name: http-metrics + protocol: TCP + - containerPort: 9403 + name: http-healthz + protocol: TCP + {{- with .Values.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- if or .Values.config .Values.volumeMounts }} + volumeMounts: + {{- if .Values.config}} + - name: config + mountPath: /var/cert-manager/config + {{- end }} + {{- with .Values.volumeMounts }} + {{- toYaml . | nindent 12 }} + {{- end }} + {{- end }} + env: + - name: POD_NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + {{- with .Values.extraEnv }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.http_proxy }} + - name: HTTP_PROXY + value: {{ . }} + {{- end }} + {{- with .Values.https_proxy }} + - name: HTTPS_PROXY + value: {{ . }} + {{- end }} + {{- with .Values.no_proxy }} + - name: NO_PROXY + value: {{ . }} + {{- end }} + {{- with .Values.resources }} + resources: + {{- toYaml . 
| nindent 12 }} + {{- end }} + + {{- with .Values.livenessProbe }} + {{- if .enabled }} + # LivenessProbe settings are based on those used for the Kubernetes + # controller-manager. See: + # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 + livenessProbe: + httpGet: + port: http-healthz + path: /livez + scheme: HTTP + initialDelaySeconds: {{ .initialDelaySeconds }} + periodSeconds: {{ .periodSeconds }} + timeoutSeconds: {{ .timeoutSeconds }} + successThreshold: {{ .successThreshold }} + failureThreshold: {{ .failureThreshold }} + {{- end }} + {{- end }} + {{- with .Values.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.topologySpreadConstraints }} + topologySpreadConstraints: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.podDnsPolicy }} + dnsPolicy: {{ . }} + {{- end }} + {{- with .Values.podDnsConfig }} + dnsConfig: + {{- toYaml . | nindent 8 }} + {{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-egress.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-egress.yaml new file mode 100644 index 0000000..0971200 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-egress.yaml 
@@ -0,0 +1,23 @@
+{{- if .Values.webhook.networkPolicy.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "webhook.fullname" . }}-allow-egress
+ namespace: {{ include "cert-manager.namespace" . }}
+spec:
+ egress:
+ {{- with .Values.webhook.networkPolicy.egress }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ podSelector:
+ matchLabels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- with .Values.webhook.podLabels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ policyTypes:
+ - Egress
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-webhooks.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-webhooks.yaml
new file mode 100644
index 0000000..9281856
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/networkpolicy-webhooks.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.webhook.networkPolicy.enabled }}
+
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: {{ template "webhook.fullname" . }}-allow-ingress
+ namespace: {{ include "cert-manager.namespace" . }}
+spec:
+ ingress:
+ {{- with .Values.webhook.networkPolicy.ingress }}
+ {{- toYaml . | nindent 2 }}
+ {{- end }}
+ podSelector:
+ matchLabels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- with .Values.webhook.podLabels }}
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ policyTypes:
+ - Ingress
+
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/poddisruptionbudget.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/poddisruptionbudget.yaml new file mode 100644 index 0000000..ae71eed --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/poddisruptionbudget.yaml @@ -0,0 +1,29 @@ +{{- if .Values.podDisruptionBudget.enabled }} +apiVersion: policy/v1 +kind: PodDisruptionBudget +metadata: + name: {{ include "cert-manager.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +spec: + selector: + matchLabels: + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + + {{- if not (or (hasKey .Values.podDisruptionBudget "minAvailable") (hasKey .Values.podDisruptionBudget "maxUnavailable")) }} + minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set + {{- end }} + {{- if hasKey .Values.podDisruptionBudget "minAvailable" }} + minAvailable: {{ .Values.podDisruptionBudget.minAvailable }} + {{- end }} + {{- if hasKey .Values.podDisruptionBudget "maxUnavailable" }} + maxUnavailable: {{ .Values.podDisruptionBudget.maxUnavailable }} + {{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/podmonitor.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/podmonitor.yaml new file mode 100644 index 0000000..1adc060 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/podmonitor.yaml 
@@ -0,0 +1,50 @@ +{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }} +{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }} +{{- else if and .Values.prometheus.enabled .Values.prometheus.podmonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: PodMonitor +metadata: + name: {{ template "cert-manager.fullname" . }} +{{- if .Values.prometheus.podmonitor.namespace }} + namespace: {{ .Values.prometheus.podmonitor.namespace }} +{{- else }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + prometheus: {{ .Values.prometheus.podmonitor.prometheusInstance }} + {{- with .Values.prometheus.podmonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if .Values.prometheus.podmonitor.annotations }} + annotations: + {{- with .Values.prometheus.podmonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +spec: + jobLabel: {{ template "cert-manager.fullname" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- if .Values.prometheus.podmonitor.namespace }} + namespaceSelector: + matchNames: + - {{ include "cert-manager.namespace" . 
}}
+{{- end }}
+ podMetricsEndpoints:
+ - port: http-metrics
+ path: {{ .Values.prometheus.podmonitor.path }}
+ interval: {{ .Values.prometheus.podmonitor.interval }}
+ scrapeTimeout: {{ .Values.prometheus.podmonitor.scrapeTimeout }}
+ honorLabels: {{ .Values.prometheus.podmonitor.honorLabels }}
+ {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrole.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrole.yaml
new file mode 100644
index 0000000..1d40a02
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrole.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "cert-manager.fullname" . }}-psp
+ labels:
+ app: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "controller"
+ {{- include "labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "cert-manager.fullname" . }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrolebinding.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrolebinding.yaml
new file mode 100644
index 0000000..4f09b6b
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp-clusterrolebinding.yaml
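Review bot: The `podMetricsEndpoints` entry appends `.Values.prometheus.servicemonitor.endpointAdditionalProperties` while every other field in this PodMonitor reads from `.Values.prometheus.podmonitor.*`; since the template already fails when podmonitor and servicemonitor are both enabled, this reads as a copy-paste from the ServiceMonitor template, and any extra endpoint properties a user sets under the podmonitor block (if that key exists in values.yaml, which is outside this chunk) would never be rendered. The likely fix is `{{- with .Values.prometheus.podmonitor.endpointAdditionalProperties }}`, after confirming the corresponding values key is present.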
@@ -0,0 +1,20 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "cert-manager.fullname" . }}-psp
+ labels:
+ app: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "controller"
+ {{- include "labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "cert-manager.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "cert-manager.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp.yaml
new file mode 100644
index 0000000..9e99f5c
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/psp.yaml
@@ -0,0 +1,49 @@ +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: policy/v1beta1 +kind: PodSecurityPolicy +metadata: + name: {{ template "cert-manager.fullname" . }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + annotations: + seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default' + seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default' + {{- if .Values.global.podSecurityPolicy.useAppArmor }} + apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default' + apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default' + {{- end }} +spec: + privileged: false + allowPrivilegeEscalation: false + allowedCapabilities: [] # default set of capabilities are implicitly allowed + volumes: + - 'configMap' + - 'emptyDir' + - 'projected' + - 'secret' + - 'downwardAPI' + hostNetwork: false + hostIPC: false + hostPID: false + runAsUser: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + seLinux: + rule: 'RunAsAny' + supplementalGroups: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 + fsGroup: + rule: 'MustRunAs' + ranges: + - min: 1000 + max: 1000 +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/rbac.yaml new file mode 100644 index 0000000..94b0950 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/rbac.yaml 
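Review bot: `apiVersion: policy/v1beta1` with `kind: PodSecurityPolicy` at the top of psp.yaml renders an API that Kubernetes removed in 1.25, so on a cluster at that version or later setting `global.podSecurityPolicy.enabled` makes the install fail instead of adding a control; startupapicheck-psp.yaml has the same header, and psp-clusterrole.yaml, psp-clusterrolebinding.yaml, startupapicheck-psp-clusterrole.yaml and startupapicheck-psp-clusterrolebinding.yaml are gated on the same flag. Since this chart is packaged for an Azure marketplace (the `global.azure` values block used elsewhere in the patch), it is unlikely to meet a pre-1.25 cluster, so either drop the PSP templates or fail early with a clear message, e.g. right after the first line `{{- if not (.Capabilities.APIVersions.Has "policy/v1beta1/PodSecurityPolicy") }}` / `{{- fail "global.podSecurityPolicy.enabled needs Kubernetes <1.25; use Pod Security Admission namespace labels instead" }}` / `{{- end }}`. The `.Capabilities` check only reflects the real cluster under `helm install`/`upgrade` (or `helm template --api-versions`), which is worth stating in a comment beside it.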
@@ -0,0 +1,565 @@ +{{- if .Values.global.rbac.create }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: Role +metadata: + name: {{ template "cert-manager.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + resourceNames: ["cert-manager-controller"] + verbs: ["get", "update", "patch"] + - apiGroups: ["coordination.k8s.io"] + resources: ["leases"] + verbs: ["create"] + +--- + +# grant cert-manager permission to manage the leaderelection configmap in the +# leader election namespace +apiVersion: rbac.authorization.k8s.io/v1 +kind: RoleBinding +metadata: + name: {{ include "cert-manager.fullname" . }}:leaderelection + namespace: {{ .Values.global.leaderElection.namespace }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: Role + name: {{ template "cert-manager.fullname" . }}:leaderelection +subjects: + - apiGroup: "" + kind: ServiceAccount + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + +--- + +# Issuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-issuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "issuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] +--- + +# ClusterIssuer controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "clusterissuers/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Certificates controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificates + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificates/status", "certificaterequests", "certificaterequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["cert-manager.io"] + resources: ["certificates/finalizers", "certificaterequests/finalizers"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders"] + verbs: ["create", "delete", "get", "list", "watch"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch", "create", "update", "delete", "patch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Orders controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-orders + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} +rules: + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "orders/status"] + verbs: ["update", "patch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders", "challenges"] + verbs: ["get", "list", "watch"] + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["create", "delete"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["orders/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +# Challenges controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-challenges + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} +rules: + # Use to update challenge resource status + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "challenges/status"] + verbs: ["update", "patch"] + # Used to watch challenge resources + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges"] + verbs: ["get", "list", "watch"] + # Used to watch challenges, issuer and clusterissuer resources + - apiGroups: ["cert-manager.io"] + resources: ["issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + # Need to be able to retrieve ACME account private key to complete challenges + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + # Used to create events + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + # HTTP01 rules + - apiGroups: [""] + resources: ["pods", "services"] + verbs: ["get", "list", "watch", "create", "delete"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch", "create", "delete", "update"] + - apiGroups: [ "gateway.networking.k8s.io" ] + resources: [ "httproutes" ] + verbs: ["get", "list", "watch", "create", "delete", "update"] + # We require the ability to specify a custom hostname when we are creating + # new ingress resources. 
+ # See: https://github.com/openshift/origin/blob/21f191775636f9acadb44fa42beeb4f75b255532/pkg/route/apiserver/admission/ingress_admission.go#L84-L148 + - apiGroups: ["route.openshift.io"] + resources: ["routes/custom-host"] + verbs: ["create"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges/finalizers"] + verbs: ["update"] + # DNS01 rules (duplicated above) + - apiGroups: [""] + resources: ["secrets"] + verbs: ["get", "list", "watch"] + +--- + +# ingress-shim controller role +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests"] + verbs: ["create", "update", "delete"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers", "clusterissuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses"] + verbs: ["get", "list", "watch"] + # We require these rules to support users with the OwnerReferencesPermissionEnforcement + # admission controller enabled: + # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement + - apiGroups: ["networking.k8s.io"] + resources: ["ingresses/finalizers"] + verbs: ["update"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways", "httproutes"] + verbs: ["get", "list", "watch"] + - apiGroups: ["gateway.networking.k8s.io"] + resources: ["gateways/finalizers", "httproutes/finalizers"] + verbs: ["update"] + - apiGroups: [""] + resources: ["events"] + verbs: ["create", "patch"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-issuers + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-issuers +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers + labels: + app: {{ include "cert-manager.name" . 
}} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-clusterissuers +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificates + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-certificates +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-orders + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-orders +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . 
}} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-challenges + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-challenges +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-ingress-shim +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount + +{{- if .Values.global.rbac.aggregateClusterRoles }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-cluster-view + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" +rules: + - apiGroups: ["cert-manager.io"] + resources: ["clusterissuers"] + verbs: ["get", "list", "watch"] + +{{- end }} +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-view + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- if .Values.global.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-view: "true" + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + rbac.authorization.k8s.io/aggregate-to-cluster-reader: "true" + {{- end }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["get", "list", "watch"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["get", "list", "watch"] + + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-edit + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . 
| nindent 4 }} + {{- if .Values.global.rbac.aggregateClusterRoles }} + rbac.authorization.k8s.io/aggregate-to-edit: "true" + rbac.authorization.k8s.io/aggregate-to-admin: "true" + {{- end }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["certificates", "certificaterequests", "issuers"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + - apiGroups: ["cert-manager.io"] + resources: ["certificates/status"] + verbs: ["update"] + - apiGroups: ["acme.cert-manager.io"] + resources: ["challenges", "orders"] + verbs: ["create", "delete", "deletecollection", "patch", "update"] + +--- + +# Permission to approve CertificateRequests referencing cert-manager.io Issuers and ClusterIssuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["cert-manager.io"] + resources: ["signers"] + verbs: ["approve"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-approve:cert-manager-io +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . 
}} + kind: ServiceAccount + +--- + +# Permission to: +# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers +# - Perform SubjectAccessReviews to test whether users are able to reference Namespaced Issuers +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +rules: + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests"] + verbs: ["get", "list", "watch", "update"] + - apiGroups: ["certificates.k8s.io"] + resources: ["certificatesigningrequests/status"] + verbs: ["update", "patch"] + - apiGroups: ["certificates.k8s.io"] + resources: ["signers"] + resourceNames: ["issuers.cert-manager.io/*", "clusterissuers.cert-manager.io/*"] + verbs: ["sign"] + - apiGroups: ["authorization.k8s.io"] + resources: ["subjectaccessreviews"] + verbs: ["create"] + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "cert-manager" + {{- include "labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "cert-manager.fullname" . }}-controller-certificatesigningrequests +subjects: + - name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + kind: ServiceAccount +{{- end }} 
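Review bot: The comment `# - Update and sign CertificatSigningeRequests referencing cert-manager.io Issuers and ClusterIssuers` above the `-controller-certificatesigningrequests` ClusterRole misspells the resource; it should read `# - Update and sign CertificateSigningRequests referencing cert-manager.io Issuers and ClusterIssuers`. This file appears to be a copy of the upstream cert-manager chart's rbac.yaml (the OwnerReferencesPermissionEnforcement comments and the aggregate-to-* labels match it), and it grants the controller ServiceAccount cluster-wide get/list/watch/create/update/delete/patch on `secrets`; a header comment naming the upstream chart version it was copied from would let later reviewers diff these cluster-scoped grants against upstream when the copy is refreshed. The `# DNS01 rules (duplicated above)` secrets rule in the challenges ClusterRole repeats the earlier secrets rule in the same role and could be dropped, though it is harmless as written.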
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/service.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/service.yaml new file mode 100644 index 0000000..3d5df90 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/service.yaml @@ -0,0 +1,31 @@ +{{- if and .Values.prometheus.enabled (not .Values.prometheus.podmonitor.enabled) }} +apiVersion: v1 +kind: Service +metadata: + name: {{ template "cert-manager.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- with .Values.serviceAnnotations }} + annotations: +{{ toYaml . | indent 4 }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- with .Values.serviceLabels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + type: ClusterIP + ports: + - protocol: TCP + port: 9402 + name: tcp-prometheus-servicemonitor + targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} + selector: + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/serviceaccount.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/serviceaccount.yaml new file mode 100644 index 0000000..87fc00e --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/serviceaccount.yaml 
@@ -0,0 +1,25 @@ +{{- if .Values.serviceAccount.create }} +apiVersion: v1 +kind: ServiceAccount +{{- with .Values.global.imagePullSecrets }} +imagePullSecrets: + {{- toYaml . | nindent 2 }} +{{- end }} +automountServiceAccountToken: {{ .Values.serviceAccount.automountServiceAccountToken }} +metadata: + name: {{ template "cert-manager.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} + {{- with .Values.serviceAccount.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + {{- with .Values.serviceAccount.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/servicemonitor.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/servicemonitor.yaml new file mode 100644 index 0000000..b638860 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/servicemonitor.yaml 
@@ -0,0 +1,50 @@ +{{- if and .Values.prometheus.enabled (and .Values.prometheus.podmonitor.enabled .Values.prometheus.servicemonitor.enabled) }} +{{- fail "Either .Values.prometheus.podmonitor.enabled or .Values.prometheus.servicemonitor.enabled can be enabled at a time, but not both." }} +{{- else if and .Values.prometheus.enabled .Values.prometheus.servicemonitor.enabled }} +apiVersion: monitoring.coreos.com/v1 +kind: ServiceMonitor +metadata: + name: {{ template "cert-manager.fullname" . }} +{{- if .Values.prometheus.servicemonitor.namespace }} + namespace: {{ .Values.prometheus.servicemonitor.namespace }} +{{- else }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} + labels: + app: {{ include "cert-manager.name" . }} + app.kubernetes.io/name: {{ include "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" + {{- include "labels" . | nindent 4 }} + prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }} + {{- with .Values.prometheus.servicemonitor.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- if .Values.prometheus.servicemonitor.annotations }} + annotations: + {{- with .Values.prometheus.servicemonitor.annotations }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +spec: + jobLabel: {{ template "cert-manager.fullname" . }} + selector: + matchLabels: + app.kubernetes.io/name: {{ template "cert-manager.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "controller" +{{- if .Values.prometheus.servicemonitor.namespace }} + namespaceSelector: + matchNames: + - {{ include "cert-manager.namespace" . 
}} +{{- end }} + endpoints: + - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }} + path: {{ .Values.prometheus.servicemonitor.path }} + interval: {{ .Values.prometheus.servicemonitor.interval }} + scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }} + honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }} + {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-job.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-job.yaml new file mode 100644 index 0000000..301e122 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-job.yaml 
@@ -0,0 +1,87 @@ +{{- if .Values.startupapicheck.enabled }} +apiVersion: batch/v1 +kind: Job +metadata: + name: {{ include "startupapicheck.fullname" . }} + namespace: {{ include "cert-manager.namespace" . }} + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.jobAnnotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + backoffLimit: {{ .Values.startupapicheck.backoffLimit }} + template: + metadata: + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 8 }} + {{- with .Values.startupapicheck.podLabels }} + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.podAnnotations }} + annotations: + {{- toYaml . | nindent 8 }} + {{- end }} + spec: + restartPolicy: OnFailure + serviceAccountName: {{ template "startupapicheck.serviceAccountName" . }} + {{- if hasKey .Values.startupapicheck "automountServiceAccountToken" }} + automountServiceAccountToken: {{ .Values.startupapicheck.automountServiceAccountToken }} + {{- end }} + enableServiceLinks: {{ .Values.startupapicheck.enableServiceLinks }} + {{- with .Values.global.priorityClassName }} + priorityClassName: {{ . | quote }} + {{- end }} + {{- with .Values.startupapicheck.securityContext }} + securityContext: + {{- toYaml . 
| nindent 8 }} + {{- end }} + containers: + - name: {{ .Chart.Name }}-startupapicheck + image: {{ printf "%s/%s:%s" .Values.global.azure.images.certManagerStartupapicheck.registry .Values.global.azure.images.certManagerStartupapicheck.image .Values.global.azure.images.certManagerStartupapicheck.tag }} + imagePullPolicy: {{ .Values.startupapicheck.image.pullPolicy }} + args: + - check + - api + - --wait={{ .Values.startupapicheck.timeout }} + {{- with .Values.startupapicheck.extraArgs }} + {{- toYaml . | nindent 10 }} + {{- end }} + {{- with .Values.startupapicheck.containerSecurityContext }} + securityContext: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.startupapicheck.resources }} + resources: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.startupapicheck.volumeMounts }} + volumeMounts: + {{- toYaml . | nindent 12 }} + {{- end }} + {{- with .Values.startupapicheck.nodeSelector }} + nodeSelector: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.affinity }} + affinity: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.tolerations }} + tolerations: + {{- toYaml . | nindent 8 }} + {{- end }} + {{- with .Values.startupapicheck.volumes }} + volumes: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml new file mode 100644 index 0000000..dacd4be --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrole.yaml 
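Review bot: The container image in the startupapicheck Job is assembled with `printf "%s/%s:%s"` from `.Values.global.azure.images.certManagerStartupapicheck.registry`/`.image`/`.tag` with no `required` guard, so an unset tag renders `registry/image:` and the Job only fails at pull time, and the reference is tag-only, which is a weaker supply-chain pin than a digest for a marketplace artifact. I would bind the block once and guard the tag, `{{- $img := .Values.global.azure.images.certManagerStartupapicheck }}` followed by `image: {{ printf "%s/%s:%s" $img.registry $img.image (required "global.azure.images.certManagerStartupapicheck.tag is required" $img.tag) }}`, and if a digest value is added to that block (proposed key, not present in the patch) render the `registry/image@digest` form when it is set. Note also that `imagePullPolicy` is still read from `.Values.startupapicheck.image.pullPolicy` while the reference now comes from the global azure block, which looks like a partially completed move; a comment in values stating which block is authoritative for this image would help.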
@@ -0,0 +1,24 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: {{ template "startupapicheck.fullname" . }}-psp + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.rbac.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +- apiGroups: ['policy'] + resources: ['podsecuritypolicies'] + verbs: ['use'] + resourceNames: + - {{ template "startupapicheck.fullname" . }} +{{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml new file mode 100644 index 0000000..54d5a42 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp-clusterrolebinding.yaml 
@@ -0,0 +1,26 @@ +{{- if .Values.startupapicheck.enabled }} +{{- if .Values.global.podSecurityPolicy.enabled }} +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ template "startupapicheck.fullname" . }}-psp + labels: + app: {{ include "startupapicheck.name" . }} + app.kubernetes.io/name: {{ include "startupapicheck.name" . }} + app.kubernetes.io/instance: {{ .Release.Name }} + app.kubernetes.io/component: "startupapicheck" + {{- include "labels" . | nindent 4 }} + {{- with .Values.startupapicheck.rbac.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: {{ template "startupapicheck.fullname" . }}-psp +subjects: + - kind: ServiceAccount + name: {{ template "startupapicheck.serviceAccountName" . }} + namespace: {{ include "cert-manager.namespace" . }} +{{- end }} +{{- end }} diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp.yaml new file mode 100644 index 0000000..f09d60d --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-psp.yaml 
@@ -0,0 +1,51 @@
+{{- if .Values.startupapicheck.enabled }}
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "startupapicheck.fullname" . }}
+ labels:
+ app: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "startupapicheck"
+ {{- include "labels" . | nindent 4 }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
+ {{- with .Values.startupapicheck.rbac.annotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: [] # default set of capabilities are implicitly allowed
+ volumes:
+ - 'projected'
+ - 'secret'
+ hostNetwork: false
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-rbac.yaml
new file mode 100644
index 0000000..606e725
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-rbac.yaml
@@ -0,0 +1,48 @@
+{{- if .Values.startupapicheck.enabled }}
+{{- if .Values.global.rbac.create }}
+# create certificate role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "startupapicheck.fullname" . }}:create-cert
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "startupapicheck"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.startupapicheck.rbac.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+rules:
+ - apiGroups: ["cert-manager.io"]
+ resources: ["certificates"]
+ verbs: ["create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "startupapicheck.fullname" . }}:create-cert
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "startupapicheck"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.startupapicheck.rbac.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "startupapicheck.fullname" . }}:create-cert
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "startupapicheck.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml
new file mode 100644
index 0000000..8c41760
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/startupapicheck-serviceaccount.yaml
@@ -0,0 +1,27 @@
+{{- if .Values.startupapicheck.enabled }}
+{{- if .Values.startupapicheck.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.startupapicheck.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ template "startupapicheck.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ {{- with .Values.startupapicheck.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/name: {{ include "startupapicheck.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "startupapicheck"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.startupapicheck.serviceAccount.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-config.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-config.yaml
new file mode 100644
index 0000000..8f3ce20
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-config.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.webhook.config -}}
+{{- $_ := .Values.webhook.config.apiVersion | required ".Values.webhook.config.apiVersion must be set !" -}}
+{{- $_ := .Values.webhook.config.kind | required ".Values.webhook.config.kind must be set !" -}}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: {{ include "webhook.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+data:
+ config.yaml: |
+ {{- .Values.webhook.config | toYaml | nindent 4 }}
+{{- end -}}
\ No newline at end of file
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-deployment.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-deployment.yaml
new file mode 100644
index 0000000..606667f
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-deployment.yaml
@@ -0,0 +1,192 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "webhook.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.webhook.deploymentAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ replicas: {{ .Values.webhook.replicaCount }}
+ {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+ {{- if not (has (quote .Values.global.revisionHistoryLimit) (list "" (quote ""))) }}
+ revisionHistoryLimit: {{ .Values.global.revisionHistoryLimit }}
+ {{- end }}
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- with .Values.webhook.strategy }}
+ strategy:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ template:
+ metadata:
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 8 }}
+ {{- with .Values.webhook.podLabels }}
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.podAnnotations }}
+ annotations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ spec:
+ serviceAccountName: {{ template "webhook.serviceAccountName" . }}
+ {{- if hasKey .Values.webhook "automountServiceAccountToken" }}
+ automountServiceAccountToken: {{ .Values.webhook.automountServiceAccountToken }}
+ {{- end }}
+ enableServiceLinks: {{ .Values.webhook.enableServiceLinks }}
+ {{- with .Values.global.priorityClassName }}
+ priorityClassName: {{ . | quote }}
+ {{- end }}
+ {{- with .Values.webhook.securityContext }}
+ securityContext:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if .Values.webhook.hostNetwork }}
+ hostNetwork: true
+ {{- end }}
+ {{- if .Values.webhook.hostNetwork }}
+ dnsPolicy: ClusterFirstWithHostNet
+ {{- end }}
+ containers:
+ - name: {{ .Chart.Name }}-webhook
+ image: {{ printf "%s/%s:%s" .Values.global.azure.images.certManagerWebhook.registry .Values.global.azure.images.certManagerWebhook.image .Values.global.azure.images.certManagerWebhook.tag }}
+ imagePullPolicy: {{ .Values.webhook.image.pullPolicy }}
+ args:
+ {{- /* The if statement below is equivalent to {{- if $value }} but will also return true for 0. */ -}}
+ {{- if not (has (quote .Values.global.logLevel) (list "" (quote ""))) }}
+ - --v={{ .Values.global.logLevel }}
+ {{- end }}
+ {{- if .Values.webhook.config }}
+ - --config=/var/cert-manager/config/config.yaml
+ {{- end }}
+ {{- $config := default .Values.webhook.config "" }}
+ {{ if not $config.securePort -}}
+ - --secure-port={{ .Values.webhook.securePort }}
+ {{- end }}
+ {{- if .Values.webhook.featureGates }}
+ - --feature-gates={{ .Values.webhook.featureGates }}
+ {{- end }}
+ {{- $tlsConfig := default $config.tlsConfig "" }}
+ {{ if or (not $config.tlsConfig) (and (not $tlsConfig.dynamic) (not $tlsConfig.filesystem) ) -}}
+ - --dynamic-serving-ca-secret-namespace=$(POD_NAMESPACE)
+ - --dynamic-serving-ca-secret-name={{ template "webhook.fullname" . }}-ca
+ - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}
+ - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE)
+ - --dynamic-serving-dns-names={{ template "webhook.fullname" . }}.$(POD_NAMESPACE).svc
+ {{ if .Values.webhook.url.host }}
+ - --dynamic-serving-dns-names={{ .Values.webhook.url.host }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.webhook.extraArgs }}
+ {{- toYaml . | nindent 10 }}
+ {{- end }}
+ ports:
+ - name: https
+ protocol: TCP
+ {{- if $config.securePort }}
+ containerPort: {{ $config.securePort }}
+ {{- else if .Values.webhook.securePort }}
+ containerPort: {{ .Values.webhook.securePort }}
+ {{- else }}
+ containerPort: 6443
+ {{- end }}
+ - name: healthcheck
+ protocol: TCP
+ {{- if $config.healthzPort }}
+ containerPort: {{ $config.healthzPort }}
+ {{- else }}
+ containerPort: 6080
+ {{- end }}
+ livenessProbe:
+ httpGet:
+ path: /livez
+ {{- if $config.healthzPort }}
+ port: {{ $config.healthzPort }}
+ {{- else }}
+ port: 6080
+ {{- end }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.webhook.livenessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.webhook.livenessProbe.successThreshold }}
+ failureThreshold: {{ .Values.webhook.livenessProbe.failureThreshold }}
+ readinessProbe:
+ httpGet:
+ path: /healthz
+ {{- if $config.healthzPort }}
+ port: {{ $config.healthzPort }}
+ {{- else }}
+ port: 6080
+ {{- end }}
+ scheme: HTTP
+ initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
+ periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
+ timeoutSeconds: {{ .Values.webhook.readinessProbe.timeoutSeconds }}
+ successThreshold: {{ .Values.webhook.readinessProbe.successThreshold }}
+ failureThreshold: {{ .Values.webhook.readinessProbe.failureThreshold }}
+ {{- with .Values.webhook.containerSecurityContext }}
+ securityContext:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ env:
+ - name: POD_NAMESPACE
+ valueFrom:
+ fieldRef:
+ fieldPath: metadata.namespace
+ {{- with .Values.webhook.resources }}
+ resources:
+ {{- toYaml . | nindent 12 }}
+ {{- end }}
+ {{- if or .Values.webhook.config .Values.webhook.volumeMounts }}
+ volumeMounts:
+ {{- if .Values.webhook.config }}
+ - name: config
+ mountPath: /var/cert-manager/config
+ {{- end }}
+ {{- if .Values.webhook.volumeMounts }}
+ {{- toYaml .Values.webhook.volumeMounts | nindent 12 }}
+ {{- end }}
+ {{- end }}
+ {{- with .Values.webhook.nodeSelector }}
+ nodeSelector:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.affinity }}
+ affinity:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.tolerations }}
+ tolerations:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- with .Values.webhook.topologySpreadConstraints }}
+ topologySpreadConstraints:
+ {{- toYaml . | nindent 8 }}
+ {{- end }}
+ {{- if or .Values.webhook.config .Values.webhook.volumes }}
+ volumes:
+ {{- if .Values.webhook.config }}
+ - name: config
+ configMap:
+ name: {{ include "webhook.fullname" . }}
+ {{- end }}
+ {{- if .Values.webhook.volumes }}
+ {{- toYaml .Values.webhook.volumes | nindent 8 }}
+ {{- end }}
+ {{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-mutating-webhook.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-mutating-webhook.yaml
new file mode 100644
index 0000000..9ea2977
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-mutating-webhook.yaml
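Review bot: The `image:` line in the container spec dereferences `.Values.global.azure.images.certManagerWebhook.registry`, `.image` and `.tag` with no guard, so a values file that lacks the `global.azure.images` block makes the whole chart fail to render with a nil-pointer template error instead of a message naming the missing key; the webhook-config.yaml hunk in this same commit already uses `required` for exactly this purpose. A line such as `{{- $img := required "global.azure.images.certManagerWebhook must be set" .Values.global.azure.images.certManagerWebhook }}` ahead of the container and building the reference from `$img` would give a clear failure. Note also that `imagePullPolicy` still reads `.Values.webhook.image.pullPolicy` while the repository and tag under `webhook.image` are no longer consulted, so a user overriding `webhook.image.repository` or `webhook.image.tag` is silently ignored — worth a comment on the `image:` line saying the reference is marketplace-provided. Finally the reference is tag-only; for a marketplace artifact an optional digest (e.g. a constructed `digest` value appended as `@sha256:<digest>` when set) pins the image more strongly than a mutable tag, though the values.yaml hunk is cut off in this view so I cannot see what `global.azure.images` declares.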
@@ -0,0 +1,48 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: MutatingWebhookConfiguration
+metadata:
+ name: {{ include "webhook.fullname" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+ annotations:
+ cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote }}
+ {{- with .Values.webhook.mutatingWebhookConfigurationAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+webhooks:
+ - name: webhook.cert-manager.io
+ {{- with .Values.webhook.mutatingWebhookConfiguration.namespaceSelector }}
+ namespaceSelector:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ rules:
+ - apiGroups:
+ - "cert-manager.io"
+ apiVersions:
+ - "v1"
+ operations:
+ - CREATE
+ resources:
+ - "certificaterequests"
+ admissionReviewVersions: ["v1"]
+ # This webhook only accepts v1 cert-manager resources.
+ # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
+ # this webhook (after the resources have been converted to v1).
+ matchPolicy: Equivalent
+ timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
+ failurePolicy: Fail
+ # Only include 'sideEffects' field in Kubernetes 1.12+
+ sideEffects: None
+ clientConfig:
+ {{- if .Values.webhook.url.host }}
+ url: https://{{ .Values.webhook.url.host }}/mutate
+ {{- else }}
+ service:
+ name: {{ template "webhook.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ path: /mutate
+ {{- end }}
\ No newline at end of file
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml
new file mode 100644
index 0000000..ab2a481
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-poddisruptionbudget.yaml
@@ -0,0 +1,29 @@
+{{- if .Values.webhook.podDisruptionBudget.enabled }}
+apiVersion: policy/v1
+kind: PodDisruptionBudget
+metadata:
+ name: {{ include "webhook.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+
+ {{- if not (or (hasKey .Values.webhook.podDisruptionBudget "minAvailable") (hasKey .Values.webhook.podDisruptionBudget "maxUnavailable")) }}
+ minAvailable: 1 # Default value because minAvailable and maxUnavailable are not set
+ {{- end }}
+ {{- if hasKey .Values.webhook.podDisruptionBudget "minAvailable" }}
+ minAvailable: {{ .Values.webhook.podDisruptionBudget.minAvailable }}
+ {{- end }}
+ {{- if hasKey .Values.webhook.podDisruptionBudget "maxUnavailable" }}
+ maxUnavailable: {{ .Values.webhook.podDisruptionBudget.maxUnavailable }}
+ {{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrole.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrole.yaml
new file mode 100644
index 0000000..f6fa4c5
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrole.yaml
@@ -0,0 +1,18 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: {{ template "webhook.fullname" . }}-psp
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+rules:
+- apiGroups: ['policy']
+ resources: ['podsecuritypolicies']
+ verbs: ['use']
+ resourceNames:
+ - {{ template "webhook.fullname" . }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml
new file mode 100644
index 0000000..858df8f
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp-clusterrolebinding.yaml
@@ -0,0 +1,20 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "webhook.fullname" . }}-psp
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "webhook.fullname" . }}-psp
+subjects:
+ - kind: ServiceAccount
+ name: {{ template "webhook.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp.yaml
new file mode 100644
index 0000000..4d5d959
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-psp.yaml
@@ -0,0 +1,54 @@
+{{- if .Values.global.podSecurityPolicy.enabled }}
+apiVersion: policy/v1beta1
+kind: PodSecurityPolicy
+metadata:
+ name: {{ template "webhook.fullname" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+ annotations:
+ seccomp.security.alpha.kubernetes.io/allowedProfileNames: 'docker/default'
+ seccomp.security.alpha.kubernetes.io/defaultProfileName: 'docker/default'
+ {{- if .Values.global.podSecurityPolicy.useAppArmor }}
+ apparmor.security.beta.kubernetes.io/allowedProfileNames: 'runtime/default'
+ apparmor.security.beta.kubernetes.io/defaultProfileName: 'runtime/default'
+ {{- end }}
+spec:
+ privileged: false
+ allowPrivilegeEscalation: false
+ allowedCapabilities: [] # default set of capabilities are implicitly allowed
+ volumes:
+ - 'configMap'
+ - 'emptyDir'
+ - 'projected'
+ - 'secret'
+ - 'downwardAPI'
+ hostNetwork: {{ .Values.webhook.hostNetwork }}
+ {{- if .Values.webhook.hostNetwork }}
+ hostPorts:
+ - max: {{ .Values.webhook.securePort }}
+ min: {{ .Values.webhook.securePort }}
+ {{- end }}
+ hostIPC: false
+ hostPID: false
+ runAsUser:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ seLinux:
+ rule: 'RunAsAny'
+ supplementalGroups:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+ fsGroup:
+ rule: 'MustRunAs'
+ ranges:
+ - min: 1000
+ max: 1000
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-rbac.yaml
new file mode 100644
index 0000000..b075ffd
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-rbac.yaml
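Review bot: The `hostPorts` range under `spec` is derived only from `.Values.webhook.securePort`, while the webhook-deployment.yaml hunk in this commit gives `$config.securePort` (from `webhook.config`) precedence for `containerPort`, so an install that sets the port through the config file and enables `hostNetwork` ends up with a PodSecurityPolicy that permits a different host port from the one the pod binds. Defining `{{- $config := default .Values.webhook.config "" }}` at the top of this template and using `{{ $config.securePort | default .Values.webhook.securePort }}` for both `min` and `max` would keep the two templates in step. This only affects clusters that opt in via `global.podSecurityPolicy.enabled` (off by default, and the values.yaml comment in this commit notes PSP was removed in Kubernetes 1.25), so the impact is limited to legacy installs.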
@@ -0,0 +1,83 @@
+{{- if .Values.global.rbac.create }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ template "webhook.fullname" . }}:dynamic-serving
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+rules:
+- apiGroups: [""]
+ resources: ["secrets"]
+ resourceNames:
+ - '{{ template "webhook.fullname" . }}-ca'
+ verbs: ["get", "list", "watch", "update"]
+# It's not possible to grant CREATE permission on a single resourceName.
+- apiGroups: [""]
+ resources: ["secrets"]
+ verbs: ["create"]
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ template "webhook.fullname" . }}:dynamic-serving
+ namespace: {{ include "cert-manager.namespace" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: {{ template "webhook.fullname" . }}:dynamic-serving
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: {{ template "webhook.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: {{ template "webhook.fullname" . }}:subjectaccessreviews
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+rules:
+- apiGroups: ["authorization.k8s.io"]
+ resources: ["subjectaccessreviews"]
+ verbs: ["create"]
+---
+
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: {{ template "webhook.fullname" . }}:subjectaccessreviews
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: {{ template "webhook.fullname" . }}:subjectaccessreviews
+subjects:
+- apiGroup: ""
+ kind: ServiceAccount
+ name: {{ template "webhook.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-service.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-service.yaml
new file mode 100644
index 0000000..5f93950
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-service.yaml
@@ -0,0 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: {{ template "webhook.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+{{- with .Values.webhook.serviceAnnotations }}
+ annotations:
+{{ toYaml . | indent 4 }}
+{{- end }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.webhook.serviceLabels }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+spec:
+ type: {{ .Values.webhook.serviceType }}
+ {{- with .Values.webhook.loadBalancerIP }}
+ loadBalancerIP: {{ . }}
+ {{- end }}
+ ports:
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: "https"
+ selector:
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-serviceaccount.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-serviceaccount.yaml
new file mode 100644
index 0000000..dff5c06
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-serviceaccount.yaml
@@ -0,0 +1,25 @@
+{{- if .Values.webhook.serviceAccount.create }}
+apiVersion: v1
+kind: ServiceAccount
+automountServiceAccountToken: {{ .Values.webhook.serviceAccount.automountServiceAccountToken }}
+metadata:
+ name: {{ template "webhook.serviceAccountName" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ {{- with .Values.webhook.serviceAccount.annotations }}
+ annotations:
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+ {{- with .Values.webhook.serviceAccount.labels }}
+ {{ toYaml . | nindent 4 }}
+ {{- end }}
+{{- with .Values.global.imagePullSecrets }}
+imagePullSecrets:
+ {{- toYaml . | nindent 2 }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-validating-webhook.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-validating-webhook.yaml
new file mode 100644
index 0000000..76235fd
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/templates/webhook-validating-webhook.yaml
@@ -0,0 +1,49 @@
+apiVersion: admissionregistration.k8s.io/v1
+kind: ValidatingWebhookConfiguration
+metadata:
+ name: {{ include "webhook.fullname" . }}
+ labels:
+ app: {{ include "webhook.name" . }}
+ app.kubernetes.io/name: {{ include "webhook.name" . }}
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/component: "webhook"
+ {{- include "labels" . | nindent 4 }}
+ annotations:
+ cert-manager.io/inject-ca-from-secret: {{ printf "%s/%s-ca" (include "cert-manager.namespace" .) (include "webhook.fullname" .) | quote}}
+ {{- with .Values.webhook.validatingWebhookConfigurationAnnotations }}
+ {{- toYaml . | nindent 4 }}
+ {{- end }}
+webhooks:
+ - name: webhook.cert-manager.io
+ {{- with .Values.webhook.validatingWebhookConfiguration.namespaceSelector }}
+ namespaceSelector:
+ {{- toYaml . | nindent 6 }}
+ {{- end }}
+ rules:
+ - apiGroups:
+ - "cert-manager.io"
+ - "acme.cert-manager.io"
+ apiVersions:
+ - "v1"
+ operations:
+ - CREATE
+ - UPDATE
+ resources:
+ - "*/*"
+ admissionReviewVersions: ["v1"]
+ # This webhook only accepts v1 cert-manager resources.
+ # Equivalent matchPolicy ensures that non-v1 resource requests are sent to
+ # this webhook (after the resources have been converted to v1).
+ matchPolicy: Equivalent
+ timeoutSeconds: {{ .Values.webhook.timeoutSeconds }}
+ failurePolicy: Fail
+ sideEffects: None
+ clientConfig:
+ {{- if .Values.webhook.url.host }}
+ url: https://{{ .Values.webhook.url.host }}/validate
+ {{- else }}
+ service:
+ name: {{ template "webhook.fullname" . }}
+ namespace: {{ include "cert-manager.namespace" . }}
+ path: /validate
+ {{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/values.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/values.yaml
new file mode 100644
index 0000000..885ae02
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/cert-manager/values.yaml
@@ -0,0 +1,1284 @@ +# +docs:section=Global + +# Default values for cert-manager. +# This is a YAML-formatted file. +# Declare variables to be passed into your templates. +global: + # Reference to one or more secrets to be used when pulling images + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ + # + # For example: + # imagePullSecrets: + # - name: "image-pull-secret" + imagePullSecrets: [] + + # Labels to apply to all resources + # Please note that this does not add labels to the resources created dynamically by the controllers. + # For these resources, you have to add the labels in the template in the cert-manager custom resource: + # eg. podTemplate/ ingressTemplate in ACMEChallengeSolverHTTP01Ingress + # ref: https://cert-manager.io/docs/reference/api-docs/#acme.cert-manager.io/v1.ACMEChallengeSolverHTTP01Ingress + # eg. secretTemplate in CertificateSpec + # ref: https://cert-manager.io/docs/reference/api-docs/#cert-manager.io/v1.CertificateSpec + commonLabels: {} + + # The number of old ReplicaSets to retain to allow rollback (If not set, default Kubernetes value is set to 10) + # +docs:property + # revisionHistoryLimit: 1 + + # Optional priority class to be used for the cert-manager pods + priorityClassName: "" + + rbac: + # Create required ClusterRoles and ClusterRoleBindings for cert-manager + create: true + # Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles + aggregateClusterRoles: true + + podSecurityPolicy: + # Create PodSecurityPolicy for cert-manager + # + # NOTE: PodSecurityPolicy was deprecated in Kubernetes 1.21 and removed in 1.25 + enabled: false + # Configure the PodSecurityPolicy to use AppArmor + useAppArmor: true + + # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose. 
+ logLevel: 2 + + leaderElection: + # Override the namespace used for the leader election lease + namespace: "kube-system" + + # The duration that non-leader candidates will wait after observing a + # leadership renewal until attempting to acquire leadership of a led but + # unrenewed leader slot. This is effectively the maximum duration that a + # leader can be stopped before it is replaced by another candidate. + # +docs:property + # leaseDuration: 60s + + # The interval between attempts by the acting master to renew a leadership + # slot before it stops leading. This must be less than or equal to the + # lease duration. + # +docs:property + # renewDeadline: 40s + + # The duration the clients should wait between attempting acquisition and + # renewal of a leadership. + # +docs:property + # retryPeriod: 15s + +# Install the cert-manager CRDs, it is recommended to not use Helm to manage +# the CRDs +installCRDs: false + +# +docs:section=Controller + +# Number of replicas of the cert-manager controller to run. +# +# The default is 1, but in production you should set this to 2 or 3 to provide high +# availability. +# +# If `replicas > 1` you should also consider setting `podDisruptionBudget.enabled=true`. +# +# Note: cert-manager uses leader election to ensure that there can +# only be a single instance active at a time. +replicaCount: 1 + +# Deployment update strategy for the cert-manager controller deployment. +# See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy +# +# For example: +# strategy: +# type: RollingUpdate +# rollingUpdate: +# maxSurge: 0 +# maxUnavailable: 1 +strategy: {} + +podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. 
+ enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 + +# Comma separated list of feature gates that should be enabled on the +# controller pod. +featureGates: "" + +# The maximum number of challenges that can be scheduled as 'processing' at once +maxConcurrentChallenges: 60 + +image: + # The container registry to pull the manager image from + # +docs:property + # registry: quay.io + + # The container image for the cert-manager controller + # +docs:property + repository: quay.io/jetstack/cert-manager-controller + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. + pullPolicy: IfNotPresent + +# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer +# resources. By default, the same namespace as cert-manager is deployed within is +# used. This namespace will not be automatically created by the Helm chart. +clusterResourceNamespace: "" + +# This namespace allows you to define where the services will be installed into +# if not set then they will use the namespace of the release +# This is helpful when installing cert manager as a chart dependency (sub chart) +namespace: "" + +serviceAccount: + # Specifies whether a service account should be created + create: true + + # The name of the service account to use. 
+ # If not set and create is true, a name is generated using the fullname template + # +docs:property + # name: "" + + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property + # annotations: {} + + # Optional additional labels to add to the controller's ServiceAccount + # +docs:property + # labels: {} + + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + +# Automounting API credentials for a particular pod +# +docs:property +# automountServiceAccountToken: true + +# When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted +enableCertificateOwnerRef: false + +# Used to configure options for the controller pod. +# This allows setting options that'd usually be provided via flags. +# An APIVersion and Kind must be specified in your values.yaml file. +# Flags will override options that are set here. +# +# For example: +# config: +# apiVersion: controller.config.cert-manager.io/v1alpha1 +# kind: ControllerConfiguration +# logging: +# verbosity: 2 +# format: text +# leaderElectionConfig: +# namespace: kube-system +# kubernetesAPIQPS: 9000 +# kubernetesAPIBurst: 9000 +# numberOfConcurrentWorkers: 200 +# featureGates: +# AdditionalCertificateOutputFormats: true +# DisallowInsecureCSRUsageDefinition: true +# ExperimentalCertificateSigningRequestControllers: true +# ExperimentalGatewayAPISupport: true +# LiteralCertificateSubject: true +# SecretsFilteredCaching: true +# ServerSideApply: true +# StableCertificateRequestName: true +# UseCertificateRequestBasicConstraints: true +# ValidateCAA: true +# metricsTLSConfig: +# dynamic: +# secretNamespace: "cert-manager" +# secretName: "cert-manager-metrics-ca" +# dnsNames: +# - cert-manager-metrics +# - cert-manager-metrics.cert-manager +# - cert-manager-metrics.cert-manager.svc +config: {} + +# Setting Nameservers for DNS01 Self Check +# See: 
https://cert-manager.io/docs/configuration/acme/dns01/#setting-nameservers-for-dns01-self-check + +# Comma separated string with host and port of the recursive nameservers cert-manager should query +dns01RecursiveNameservers: "" + +# Forces cert-manager to only use the recursive nameservers for verification. +# Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers +dns01RecursiveNameserversOnly: false + +# Additional command line flags to pass to cert-manager controller binary. +# To see all available flags run docker run quay.io/jetstack/cert-manager-controller: --help +# +# Use this flag to enable or disable arbitrary controllers, for example, disable the CertificiateRequests approver +# +# For example: +# extraArgs: +# - --controllers=*,-certificaterequests-approver +extraArgs: [] + +# Additional environment variables to pass to cert-manager controller binary. +extraEnv: [] +# - name: SOME_VAR +# value: 'some value' + +# Resources to provide to the cert-manager controller pod +# +# For example: +# requests: +# cpu: 10m +# memory: 32Mi +# +# ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ +resources: {} + +# Pod Security Context +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# +docs:property +securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + +# Container Security Context to be set on the controller component container +# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ +# +docs:property +containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + +# Additional volumes to add to the cert-manager controller pod. +volumes: [] + +# Additional volume mounts to add to the cert-manager controller container. 
+volumeMounts: [] + +# Optional additional annotations to add to the controller Deployment +# +docs:property +# deploymentAnnotations: {} + +# Optional additional annotations to add to the controller Pods +# +docs:property +# podAnnotations: {} + +# Optional additional labels to add to the controller Pods +podLabels: {} + +# Optional annotations to add to the controller Service +# +docs:property +# serviceAnnotations: {} + +# Optional additional labels to add to the controller Service +# +docs:property +# serviceLabels: {} + +# Optional DNS settings, useful if you have a public and private DNS zone for +# the same domain on Route 53. What follows is an example of ensuring +# cert-manager can access an ingress or DNS TXT records at all times. +# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for +# the cluster to work. + +# Pod DNS policy +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy +# +docs:property +# podDnsPolicy: "None" + +# Pod DNS config, podDnsConfig field is optional and it can work with any podDnsPolicy +# settings. However, when a Pod's dnsPolicy is set to "None", the dnsConfig field has to be specified. +# ref: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config +# +docs:property +# podDnsConfig: +# nameservers: +# - "1.1.1.1" +# - "8.8.8.8" + +# The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with +# matching labels. +# See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ +# +# This default ensures that Pods are only scheduled to Linux nodes. +# It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+# +docs:property +nodeSelector: + kubernetes.io/os: linux + +# +docs:ignore +ingressShim: {} + + # Optional default issuer to use for ingress resources + # +docs:property=ingressShim.defaultIssuerName + # defaultIssuerName: "" + + # Optional default issuer kind to use for ingress resources + # +docs:property=ingressShim.defaultIssuerKind + # defaultIssuerKind: "" + + # Optional default issuer group to use for ingress resources + # +docs:property=ingressShim.defaultIssuerGroup + # defaultIssuerGroup: "" + +# Use these variables to configure the HTTP_PROXY environment variables + +# Configures the HTTP_PROXY environment variable for where a HTTP proxy is required +# +docs:property +# http_proxy: "http://proxy:8080" + +# Configures the HTTPS_PROXY environment variable for where a HTTP proxy is required +# +docs:property +# https_proxy: "https://proxy:8080" + +# Configures the NO_PROXY environment variable for where a HTTP proxy is required, +# but certain domains should be excluded +# +docs:property +# no_proxy: 127.0.0.1,localhost + + +# A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core +# +# For example: +# affinity: +# nodeAffinity: +# requiredDuringSchedulingIgnoredDuringExecution: +# nodeSelectorTerms: +# - matchExpressions: +# - key: foo.bar.com/role +# operator: In +# values: +# - master +affinity: {} + +# A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core +# +# For example: +# tolerations: +# - key: foo.bar.com/role +# operator: Equal +# value: master +# effect: NoSchedule +tolerations: [] + +# A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core +# +# For example: +# topologySpreadConstraints: +# - maxSkew: 2 +# topologyKey: topology.kubernetes.io/zone +# whenUnsatisfiable: 
ScheduleAnyway +# labelSelector: +# matchLabels: +# app.kubernetes.io/instance: cert-manager +# app.kubernetes.io/component: controller +topologySpreadConstraints: [] + +# LivenessProbe settings for the controller container of the controller Pod. +# +# Enabled by default, because we want to enable the clock-skew liveness probe that +# restarts the controller in case of a skew between the system clock and the monotonic clock. +# LivenessProbe durations and thresholds are based on those used for the Kubernetes +# controller-manager. See: +# https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245 +# +docs:property +livenessProbe: + enabled: true + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 15 + successThreshold: 1 + failureThreshold: 8 + +# enableServiceLinks indicates whether information about services should be +# injected into pod's environment variables, matching the syntax of Docker +# links. +enableServiceLinks: false + +# +docs:section=Prometheus + +prometheus: + # Enable Prometheus monitoring for the cert-manager controller to use with the + # Prometheus Operator. If this option is enabled without enabling `prometheus.servicemonitor.enabled` or + # `prometheus.podmonitor.enabled`, 'prometheus.io' annotations are added to the cert-manager Deployment + # resources. Additionally, a service is created which can be used together + # with your own ServiceMonitor (managed outside of this Helm chart). + # Otherwise, a ServiceMonitor/ PodMonitor is created. + enabled: true + servicemonitor: + # Create a ServiceMonitor to add cert-manager to Prometheus + enabled: false + + # Specifies the `prometheus` label on the created ServiceMonitor, this is + # used when different Prometheus instances have label selectors matching + # different ServiceMonitors. 
+ prometheusInstance: default + + # The target port to set on the ServiceMonitor, should match the port that + # cert-manager controller is listening on for metrics + targetPort: 9402 + + # The path to scrape for metrics + path: /metrics + + # The interval to scrape metrics + interval: 60s + + # The timeout before a metrics scrape fails + scrapeTimeout: 30s + + # Additional labels to add to the ServiceMonitor + labels: {} + + # Additional annotations to add to the ServiceMonitor + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. + # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + + # Note: Enabling both PodMonitor and ServiceMonitor is mutually exclusive, enabling both will result in a error. + podmonitor: + # Create a PodMonitor to add cert-manager to Prometheus + enabled: false + + # Specifies the `prometheus` label on the created PodMonitor, this is + # used when different Prometheus instances have label selectors matching + # different PodMonitor. + prometheusInstance: default + + # The path to scrape for metrics + path: /metrics + + # The interval to scrape metrics + interval: 60s + + # The timeout before a metrics scrape fails + scrapeTimeout: 30s + + # Additional labels to add to the PodMonitor + labels: {} + + # Additional annotations to add to the PodMonitor + annotations: {} + + # Keep labels from scraped data, overriding server-side labels. + honorLabels: false + + # EndpointAdditionalProperties allows setting additional properties on the + # endpoint such as relabelings, metricRelabelings etc. 
+ # + # For example: + # endpointAdditionalProperties: + # relabelings: + # - action: replace + # sourceLabels: + # - __meta_kubernetes_pod_node_name + # targetLabel: instance + # + # +docs:property + endpointAdditionalProperties: {} + +# +docs:section=Webhook + +webhook: + # Number of replicas of the cert-manager webhook to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `webhook.podDisruptionBudget.enabled=true`. + replicaCount: 1 + + # Seconds the API server should wait for the webhook to respond before treating the call as a failure. + # Value must be between 1 and 30 seconds. See: + # https://kubernetes.io/docs/reference/kubernetes-api/extend-resources/validating-webhook-configuration-v1/ + # + # We set the default to the maximum value of 30 seconds. Here's why: + # Users sometimes report that the connection between the K8S API server and + # the cert-manager webhook server times out. + # If *this* timeout is reached, the error message will be "context deadline exceeded", + # which doesn't help the user diagnose what phase of the HTTPS connection timed out. + # For example, it could be during DNS resolution, TCP connection, TLS + # negotiation, HTTP negotiation, or slow HTTP response from the webhook + # server. + # So by setting this timeout to its maximum value the underlying timeout error + # message has more chance of being returned to the end user. + timeoutSeconds: 30 + + # Used to configure options for the webhook pod. + # This allows setting options that'd usually be provided via flags. + # An APIVersion and Kind must be specified in your values.yaml file. + # Flags will override options that are set here. + # + # For example: + # apiVersion: webhook.config.cert-manager.io/v1alpha1 + # kind: WebhookConfiguration + # # The port that the webhook should listen on for requests. 
+ # # In GKE private clusters, by default kubernetes apiservers are allowed to + # # talk to the cluster nodes only on 443 and 10250. so configuring + # # securePort: 10250, will work out of the box without needing to add firewall + # # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers < 1000. + # # This should be uncommented and set as a default by the chart once we graduate + # # the apiVersion of WebhookConfiguration past v1alpha1. + # securePort: 10250 + config: {} + + # Deployment update strategy for the cert-manager webhook deployment. + # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + strategy: {} + + # Pod Security Context to be set on the webhook component Pod + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container Security Context to be set on the webhook component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. 
Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 + + # Optional additional annotations to add to the webhook Deployment + # +docs:property + # deploymentAnnotations: {} + + # Optional additional annotations to add to the webhook Pods + # +docs:property + # podAnnotations: {} + + # Optional additional annotations to add to the webhook Service + # +docs:property + # serviceAnnotations: {} + + # Optional additional annotations to add to the webhook MutatingWebhookConfiguration + # +docs:property + # mutatingWebhookConfigurationAnnotations: {} + + # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration + # +docs:property + # validatingWebhookConfigurationAnnotations: {} + + validatingWebhookConfiguration: + # Configure spec.namespaceSelector for validating webhooks. + # +docs:property + namespaceSelector: + matchExpressions: + - key: "cert-manager.io/disable-validation" + operator: "NotIn" + values: + - "true" + + mutatingWebhookConfiguration: + # Configure spec.namespaceSelector for mutating webhooks. + # +docs:property + namespaceSelector: {} + # matchLabels: + # key: value + # matchExpressions: + # - key: kubernetes.io/metadata.name + # operator: NotIn + # values: + # - kube-system + + + # Additional command line flags to pass to cert-manager webhook binary. + # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook: --help + extraArgs: [] + # Path to a file containing a WebhookConfiguration object used to configure the webhook + # - --config= + + # Comma separated list of feature gates that should be enabled on the + # webhook pod. 
+ featureGates: "" + + # Resources to provide to the cert-manager webhook pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + + # Liveness probe values + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + # + # +docs:property + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + + # Readiness probe values + # ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes + # + # +docs:property + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ # +docs:property + nodeSelector: + kubernetes.io/os: linux + + # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core + # + # For example: + # affinity: + # nodeAffinity: + # requiredDuringSchedulingIgnoredDuringExecution: + # nodeSelectorTerms: + # - matchExpressions: + # - key: foo.bar.com/role + # operator: In + # values: + # - master + affinity: {} + + # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core + # + # For example: + # tolerations: + # - key: foo.bar.com/role + # operator: Equal + # value: master + # effect: NoSchedule + tolerations: [] + + # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core + # + # For example: + # topologySpreadConstraints: + # - maxSkew: 2 + # topologyKey: topology.kubernetes.io/zone + # whenUnsatisfiable: ScheduleAnyway + # labelSelector: + # matchLabels: + # app.kubernetes.io/instance: cert-manager + # app.kubernetes.io/component: controller + topologySpreadConstraints: [] + + # Optional additional labels to add to the Webhook Pods + podLabels: {} + + # Optional additional labels to add to the Webhook Service + serviceLabels: {} + + image: + # The container registry to pull the webhook image from + # +docs:property + # registry: quay.io + + # The container image for the cert-manager webhook + # +docs:property + repository: quay.io/jetstack/cert-manager-webhook + + # Override the image tag to deploy by setting this variable. + # If no value is set, the chart's appVersion will be used. + # +docs:property + # tag: vX.Y.Z + + # Setting a digest will override any tag + # +docs:property + # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20 + + # Kubernetes imagePullPolicy on Deployment. 
+ pullPolicy: IfNotPresent + + serviceAccount: + # Specifies whether a service account should be created + create: true + + # The name of the service account to use. + # If not set and create is true, a name is generated using the fullname template + # +docs:property + # name: "" + + # Optional additional annotations to add to the controller's ServiceAccount + # +docs:property + # annotations: {} + + # Optional additional labels to add to the webhook's ServiceAccount + # +docs:property + # labels: {} + + # Automount API credentials for a Service Account. + automountServiceAccountToken: true + + # Automounting API credentials for a particular pod + # +docs:property + # automountServiceAccountToken: true + + # The port that the webhook should listen on for requests. + # In GKE private clusters, by default kubernetes apiservers are allowed to + # talk to the cluster nodes only on 443 and 10250. so configuring + # securePort: 10250, will work out of the box without needing to add firewall + # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000 + securePort: 10250 + + # Specifies if the webhook should be started in hostNetwork mode. + # + # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom + # CNI (such as calico), because control-plane managed by AWS cannot communicate + # with pods' IP CIDR and admission webhooks are not working + # + # Since the default port for the webhook conflicts with kubelet on the host + # network, `webhook.securePort` should be changed to an available port if + # running in hostNetwork mode. + hostNetwork: false + + # Specifies how the service should be handled. Useful if you want to expose the + # webhook to outside of the cluster. In some cases, the control plane cannot + # reach internal services. 
+ serviceType: ClusterIP + + # Specify the load balancer IP for the created service + # +docs:property + # loadBalancerIP: "10.10.10.10" + + # Overrides the mutating webhook and validating webhook so they reach the webhook + # service using the `url` field instead of a service. + url: {} + # host: + + # Enables default network policies for webhooks. + networkPolicy: + # Create network policies for the webhooks + enabled: false + + # Ingress rule for the webhook network policy, by default will allow all + # inbound traffic + # +docs:property + ingress: + - from: + - ipBlock: + cidr: 0.0.0.0/0 + + # Egress rule for the webhook network policy, by default will allow all + # outbound traffic traffic to ports 80 and 443, as well as DNS ports + # +docs:property + egress: + - ports: + - port: 80 + protocol: TCP + - port: 443 + protocol: TCP + - port: 53 + protocol: TCP + - port: 53 + protocol: UDP + # On OpenShift and OKD, the Kubernetes API server listens on + # port 6443. + - port: 6443 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 + + # Additional volumes to add to the cert-manager controller pod. + volumes: [] + + # Additional volume mounts to add to the cert-manager controller container. + volumeMounts: [] + + # enableServiceLinks indicates whether information about services should be + # injected into pod's environment variables, matching the syntax of Docker + # links. + enableServiceLinks: false + +# +docs:section=CA Injector + +cainjector: + # Create the CA Injector deployment + enabled: true + + # Number of replicas of the cert-manager cainjector to run. + # + # The default is 1, but in production you should set this to 2 or 3 to provide high + # availability. + # + # If `replicas > 1` you should also consider setting `cainjector.podDisruptionBudget.enabled=true`. + # + # Note: cert-manager uses leader election to ensure that there can + # only be a single instance active at a time. + replicaCount: 1 + + # Used to configure options for the cainjector pod. 
+ # This allows setting options that'd usually be provided via flags. + # An APIVersion and Kind must be specified in your values.yaml file. + # Flags will override options that are set here. + # + # For example: + # apiVersion: cainjector.config.cert-manager.io/v1alpha1 + # kind: CAInjectorConfiguration + # logging: + # verbosity: 2 + # format: text + # leaderElectionConfig: + # namespace: kube-system + config: {} + + # Deployment update strategy for the cert-manager cainjector deployment. + # See https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy + # + # For example: + # strategy: + # type: RollingUpdate + # rollingUpdate: + # maxSurge: 0 + # maxUnavailable: 1 + strategy: {} + + # Pod Security Context to be set on the cainjector component Pod + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property + securityContext: + runAsNonRoot: true + seccompProfile: + type: RuntimeDefault + + # Container Security Context to be set on the cainjector component container + # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + # +docs:property + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + + podDisruptionBudget: + # Enable or disable the PodDisruptionBudget resource + # + # This prevents downtime during voluntary disruptions such as during a Node upgrade. + # For example, the PodDisruptionBudget will block `kubectl drain` + # if it is used on the Node where the only remaining cert-manager + # Pod is currently running. + enabled: false + + # Configures the minimum available pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). + # Cannot be used if `maxUnavailable` is set. + # +docs:property + # minAvailable: 1 + + # Configures the maximum unavailable pods for disruptions. Can either be set to + # an integer (e.g. 1) or a percentage value (e.g. 25%). 
+ # Cannot be used if `minAvailable` is set. + # +docs:property + # maxUnavailable: 1 + + # Optional additional annotations to add to the cainjector Deployment + # +docs:property + # deploymentAnnotations: {} + + # Optional additional annotations to add to the cainjector Pods + # +docs:property + # podAnnotations: {} + + # Additional command line flags to pass to cert-manager cainjector binary. + # To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector: --help + extraArgs: [] + # Enable profiling for cainjector + # - --enable-profiling=true + + # Comma separated list of feature gates that should be enabled on the + # cainjector pod. + featureGates: "" + + # Resources to provide to the cert-manager cainjector pod + # + # For example: + # requests: + # cpu: 10m + # memory: 32Mi + # + # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/ + resources: {} + + + # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with + # matching labels. + # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/ + # + # This default ensures that Pods are only scheduled to Linux nodes. + # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster. 
+ # +docs:property
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
+ #
+ # For example:
+ # affinity:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: foo.bar.com/role
+ # operator: In
+ # values:
+ # - master
+ affinity: {}
+
+ # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
+ #
+ # For example:
+ # tolerations:
+ # - key: foo.bar.com/role
+ # operator: Equal
+ # value: master
+ # effect: NoSchedule
+ tolerations: []
+
+ # A list of Kubernetes TopologySpreadConstraints, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core
+ #
+ # For example:
+ # topologySpreadConstraints:
+ # - maxSkew: 2
+ # topologyKey: topology.kubernetes.io/zone
+ # whenUnsatisfiable: ScheduleAnyway
+ # labelSelector:
+ # matchLabels:
+ # app.kubernetes.io/instance: cert-manager
+ # app.kubernetes.io/component: controller
+ topologySpreadConstraints: []
+
+ # Optional additional labels to add to the CA Injector Pods
+ podLabels: {}
+
+ image:
+ # The container registry to pull the cainjector image from
+ # +docs:property
+ # registry: quay.io
+
+ # The container image for the cert-manager cainjector
+ # +docs:property
+ repository: quay.io/jetstack/cert-manager-cainjector
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # +docs:property
+ # tag: vX.Y.Z
+
+ # Setting a digest will override any tag
+ # +docs:property
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+ # Kubernetes imagePullPolicy on Deployment.
+ pullPolicy: IfNotPresent
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # +docs:property
+ # name: ""
+
+ # Optional additional annotations to add to the controller's ServiceAccount
+ # +docs:property
+ # annotations: {}
+
+ # Optional additional labels to add to the cainjector's ServiceAccount
+ # +docs:property
+ # labels: {}
+
+ # Automount API credentials for a Service Account.
+ automountServiceAccountToken: true
+
+ # Automounting API credentials for a particular pod
+ # +docs:property
+ # automountServiceAccountToken: true
+
+ # Additional volumes to add to the cert-manager controller pod.
+ volumes: []
+
+ # Additional volume mounts to add to the cert-manager controller container.
+ volumeMounts: []
+
+ # enableServiceLinks indicates whether information about services should be
+ # injected into pod's environment variables, matching the syntax of Docker
+ # links.
+ enableServiceLinks: false
+
+# +docs:section=ACME Solver
+
+acmesolver:
+ image:
+ # The container registry to pull the acmesolver image from
+ # +docs:property
+ # registry: quay.io
+
+ # The container image for the cert-manager acmesolver
+ # +docs:property
+ repository: quay.io/jetstack/cert-manager-acmesolver
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # +docs:property
+ # tag: vX.Y.Z
+
+ # Setting a digest will override any tag
+ # +docs:property
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+ # Kubernetes imagePullPolicy on Deployment.
+ pullPolicy: IfNotPresent
+
+# +docs:section=Startup API Check
+# This startupapicheck is a Helm post-install hook that waits for the webhook
+# endpoints to become available.
+# The check is implemented using a Kubernetes Job - if you are injecting mesh
+# sidecar proxies into cert-manager pods, you probably want to ensure that they
+# are not injected into this Job's pod. Otherwise the installation may time out
+# due to the Job never being completed because the sidecar proxy does not exit.
+# See https://github.com/cert-manager/cert-manager/pull/4414 for context.
+
+startupapicheck:
+ # Enables the startup api check
+ enabled: true
+
+ # Pod Security Context to be set on the startupapicheck component Pod
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ # +docs:property
+ securityContext:
+ runAsNonRoot: true
+ seccompProfile:
+ type: RuntimeDefault
+
+ # Container Security Context to be set on the controller component container
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
+ # +docs:property
+ containerSecurityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+
+ # Timeout for 'kubectl check api' command
+ timeout: 1m
+
+ # Job backoffLimit
+ backoffLimit: 4
+
+ # Optional additional annotations to add to the startupapicheck Job
+ # +docs:property
+ jobAnnotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-weight: "1"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
+ # Optional additional annotations to add to the startupapicheck Pods
+ # +docs:property
+ # podAnnotations: {}
+
+ # Additional command line flags to pass to startupapicheck binary.
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl: --help
+ #
+ # We enable verbose logging by default so that if startupapicheck fails, users
+ # can know what exactly caused the failure. Verbose logs include details of
+ # the webhook URL, IP address and TCP connect errors for example.
+ # +docs:property
+ extraArgs:
+ - -v
+
+ # Resources to provide to the cert-manager controller pod
+ #
+ # For example:
+ # requests:
+ # cpu: 10m
+ # memory: 32Mi
+ #
+ # ref: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+ resources: {}
+
+
+ # The nodeSelector on Pods tells Kubernetes to schedule Pods on the nodes with
+ # matching labels.
+ # See https://kubernetes.io/docs/concepts/scheduling-eviction/assign-pod-node/
+ #
+ # This default ensures that Pods are only scheduled to Linux nodes.
+ # It prevents Pods being scheduled to Windows nodes in a mixed OS cluster.
+ # +docs:property
+ nodeSelector:
+ kubernetes.io/os: linux
+
+ # A Kubernetes Affinity, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core
+ #
+ # For example:
+ # affinity:
+ # nodeAffinity:
+ # requiredDuringSchedulingIgnoredDuringExecution:
+ # nodeSelectorTerms:
+ # - matchExpressions:
+ # - key: foo.bar.com/role
+ # operator: In
+ # values:
+ # - master
+ affinity: {}
+
+ # A list of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core
+ #
+ # For example:
+ # tolerations:
+ # - key: foo.bar.com/role
+ # operator: Equal
+ # value: master
+ # effect: NoSchedule
+ tolerations: []
+
+ # Optional additional labels to add to the startupapicheck Pods
+ podLabels: {}
+
+ image:
+ # The container registry to pull the startupapicheck image from
+ # +docs:property
+ # registry: quay.io
+
+ # The container image for the cert-manager startupapicheck
+ # +docs:property
+ repository: quay.io/jetstack/cert-manager-startupapicheck
+
+ # Override the image tag to deploy by setting this variable.
+ # If no value is set, the chart's appVersion will be used.
+ # +docs:property
+ # tag: vX.Y.Z
+
+ # Setting a digest will override any tag
+ # +docs:property
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
+
+ # Kubernetes imagePullPolicy on Deployment.
+ pullPolicy: IfNotPresent
+
+ rbac:
+ # annotations for the startup API Check job RBAC and PSP resources
+ # +docs:property
+ annotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-weight: "-5"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
+ # Automounting API credentials for a particular pod
+ # +docs:property
+ # automountServiceAccountToken: true
+
+ serviceAccount:
+ # Specifies whether a service account should be created
+ create: true
+
+ # The name of the service account to use.
+ # If not set and create is true, a name is generated using the fullname template
+ # +docs:property
+ # name: ""
+
+ # Optional additional annotations to add to the Job's ServiceAccount
+ # +docs:property
+ annotations:
+ helm.sh/hook: post-install
+ helm.sh/hook-weight: "-5"
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
+
+ # Automount API credentials for a Service Account.
+ # +docs:property
+ automountServiceAccountToken: true
+
+ # Optional additional labels to add to the startupapicheck's ServiceAccount
+ # +docs:property
+ # labels: {}
+
+ # Additional volumes to add to the cert-manager controller pod.
+ volumes: []
+
+ # Additional volume mounts to add to the cert-manager controller container.
+ volumeMounts: []
+
+ # enableServiceLinks indicates whether information about services should be
+ # injected into pod's environment variables, matching the syntax of Docker
+ # links.
+ enableServiceLinks: false
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator-0.2.3.tgz b/marketplace/charts/spinkube-azure-marketplace/charts/kwasm-operator-0.2.3.tgz new file mode 100644 index 0000000000000000000000000000000000000000..2384dae1133fe0501844427cb35909f10325bf2e GIT binary patch literal 2726 zcmV;X3R(3ZiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PGuKbKADApY0T2KI5dCmVRMHkHN}`24IGGZu{TWHv zi|2zN2!ejEXMckrX#NJ>Ab8Q~^$)xKqvN1^^dji=I=%i22%eFKm5?b-4V1$qo zr7#A{wSbw(Bxp=hMl>ql^CVioa3V6UL+E%OO~?d84?ton6xBk`LYPb==~HoFsXAyl z7=Scm>{2iq%|bXGp9_5{Q6bkJz!z|FgHqDikTXTF=s}YS+)jl;h;!Dd`|RA>+y(j` zn88h_);6B2n-hDPF*d|VqE;dN{EPL1#iAj!THZKgY~iJ6F<#^d4Z|eU;!=tm>YQV1 zOqjx!2SB;fgfWz-RyNRDCJruQY?mX$gizk{JcaUxMmUHfD_|>-VTutQQ&ey}MLk6c z1oCk}+(1xMk+In9UL=udj6KMoLeMfpi)g^P(AK5fttN47evB9!=nQl7u_4^u+xgd1 z1S1y^<7Kl9vP_|G$DWRX3k?c25FY2W*jHy`g=qfAmgI}u#tM_p1qR^LgHr6F{KATSbMJ}e?B8BsrowEgaVcgeGKJE2u7ofpfO4~w3YD=u9=Ttsm0=D92jn+Y3Z5X> z3T~;M0;5{9TmS_r--61bsagIl<@7@~Lfdxf7Czf?$7^Sz&m7-FwRlH_wTBz@VN=w!%kqO z{lA|gOHnFcr%z1<*4Y1H@3_~n|Nc?Gv$y|Uz}?-!H{P3%sXfmdA(=gmeeaut`+M*1 zu5F?K$`M+P^uSDML3=*Ph6=tbC7m05{*NxLtj59c$pkYzg8rd>q{%QFkLgEfwOf$m zGLgvrz2{jXPh8YT$`wptH-q0Y!c0ILo50_LrrKuZ;THJVw0ygnbAu_m%K@x<4@cRB`%%mgtGNhG)?l;@F59+zsk zrHq+)Iy1SD4U`P=IkoHLTLiFk8Pjno(q?*5h;HTgO~lSriRT}dh45dS@9Uh#QWy@2 zf8`|Q<`#6;UOtkzR8p?T(E3ufzf`RTF1P6BTDJVLrhAo5HTII1vdo6sjm@>hjbdbk zZ2jii!SkJMa#R(zd(LxH_+)ZqMk0jPKU>gx-+H`3i6jx+5vtY_>V`Q=r^pgtO%E*b zA>7@WP@ZM+O7?t5z{+7N4_nXjMf{2u<$MpywA_3nY3hF{4cMf^WnJ;^ZpoBS@LMJ{ zHsr8~B_W(lFm8`#4pE^|!#q1(CdVS?-c*uJX4^|CaVhEpGIK7$U(ScE1@H*#TvQEj znSM79faN*)1`Jl~4(F>}SACeDXZ4L^8X(PcUv~_KfH3z zwc~xDJT8k$SAwCJpe8ZVBrM8pwc8sL*N->WvT4}KUOhhV^lI@s6wv|B&D|2 zX3HOKXtiuvxG1UEcU;7%JTM3GD1S9UZGRb6?%|f`XlkFbG$tDV7FPRwu!;STD32+h zZ0!ct*?+%tT(|#jC+O_&e|7@f+yB3vR{T+JKrp<*vAr6}9l-+xdH{?5>G6xIZ1gKe z+PWWyZ&-^5HbJ>8__4^{T$Pe#QJH-W_xC&B|CRP1W6H!VLH_i1kTv$-J8Ig0=lC$# z*MD~cRr@Dts^+Htx>SIgi9gn+AWw_TTmYK_teD8kQYlIu@?OpTg9l7v0wBI&Af8+NG4u 
zx2tjayPV{_xP`L9XnSrQ)yhpd#{lx1u<~ay<>cc0`s(8B?9J8t^TFFU!^^?Ro60b7 z?HQ{NjwL7uKU`nDzr4Em@pO24asK}N;`N*1DwH|%wYCJm){{^zp)9U-dOo}!Sn5yT z4!&DO`MkPy@TCfEfh%8l!o-L$pZuOlbUM}`=CsxZ;Y*xQrR8jE1g;fi+u52->T+1A zVJoyutyHm2w~pDh#5_@YTgdCN5?Yi==@5$UoQk5^Z~nY>r#>?kvg$voiZ<0ct$nCi z;$`0D@T$`okxHROBv=U7Czq9PjNTwer7ooyVSPQb&Ue_@NPv{+X$S{XBur0#Z+^7v zHz<@yV!G8LX69_eH7aTG9G2+ayn$o6#x3~!YE!{{SgqCIDSm!oy`n>*a!wXK3(vYv zr8Qzcs@gBH-D;mZoO?8^jQ^jb@R!5d`rmQ0|GOU?_4e`qF5r>*|7R%tjq(CsqxSc! z7;Rqqb9W2&F-C^_Dqsl@+W%7ve>tqJ|MeE~|6XVR|37vDTiE{}Tlm|kOtx)#a93xn6V4eLR9rqXezYh2IzYD1S|F6QzbM5}K)cssPdnJ1;bklrrYgIDFcAg_G z8E-yRqJ1JKs4trd)v{!WA|NV6orP>x@b_gC=$9Xf(m+P_An-M{TfaE_6U zr?zqfYvccJ(7gXY?C<-3b^=Sy`clM8Y`L}Z;ookkP3w7Vdcj0nMI-7|h!3q0%(7+F z(7d22D#*94P5|@T`Y2Pgk@#3%>?8>>Quz6$8T#^91qiwG0|00000|0w_~VMtOiV@ORlOnEsqVl!4SWK%V1T2nbTPgYhoO;>Dc zVQyr3R8em|NM&qo0PH<$a~rvl`}O8mbmXMG-e`uTo<3IX2d$(es+S4qZ|&{wcei%G>-M(y_jkX8?qedcsO3r%`Ca$H zbG0At8)+n?zo1l9@IFko0+MCb*KX8{x|1*CTY zWCjz;QAPn2Bg}XUfyj{pBGHaZa7c2d&BZ)*&;+PF%h=R>GF=K5jtT%L97f1d61HhN zC3*c?UsERk_2Ul3}anhL{0__!)qLjg}71$<|SP&FwP~_(?h{Ee$s{v zl%s-7(g|faLLfW=633`iv5HnH>oLv%D+zOf2xF}?)$eq!O6?s{(Md$CI+~~})rkck z(orrk%tR8FKsw5!WG~?--LX&?VeDuMKo}F(X9d>BDkh9LdomcqXsj%864&8#{!XRjy{aWu{6{(n$*y<)3ktYz>62~)3o5@O^BSMbx>Mc zpvqxHoTO+nimIU>vV>@d993YIwBdUK-k1Ux8VI8!jtN{-J+?67TuS8H8S4sIF(xHb zFl=cc%cWI2oP_eda{I zAgn|sav7tlv_UD*ah7*dOo7pqYE|%VMgJD}mZ172O7Gttz3W462!vkFGn6HRkEkB! zgD4j1g7xW8rE*lAt)2(zP^maB&hkF&cDreLCB@V(d~fUZTUs*2zj9PF<9c(3?d`m! 
zfm4$Po$~>S&!qS?g)!j?Lj~tQ9UKD5^;k&yTfww`O)GZ`4$e+Mp`1A4G(g>3i`uC( z1L6_%sMQr1GO9H4QbBgDdhGUJ@9b=sUGq$7i6s5etXsd+X=>3SaPYb_~JoneDP!vYK0cD0O2dg%+`3eRzL(X0K=>N2t$iw_=#vWP9SAoLNeE zr*Z)$ns-|`IUMeW!hgGNZ491!SF>(+ZB31VGK#(I0$Rbf|}>R!GZH@ ztU8If=1h>JGnvO>%~6p>2t5)u78wLvP4uscN;OT<;vG)5;5_H%`ynGrJr~~6;Sk0K z36J;RMQ-Xz(!N;nGqWhR()&$!7EE^ zOQT=hv6AWeZh}(M1mSnkGUqYuZQGADy~u|{`Uy6|4e+p#C)N&I91kTDjX=s7hB;$X z_*YIC9a2n;`n1?b!LR6G+y2_jV4g(50ArFXV=dE0B+WkakRnT5u*}98FmXXKs^I&< z)Y8LjP&r8{AA!m+eia2L!_p11K)hM?dfHv1x*2mO)_2Gm^VlvSuj$z&F&&l^EpC=n z^<5U;zYEowD&hRmK0*J-yDw{nV@V4KWX8R+cs4Gsh+HNq*F)I&lM4T&Hd?UUq<3es z`5!&+83Rj)Qya=5vF8})L)vLh2 zHCli5TF5IRMa~n$;)AKc}#&XaUeFJ%utg?!_uh-!Lb_AKn?CLmcBHG`OC-bm$%*M|HK z|H_5N77=ElxMSud98CL-Jzo(gn@7Y8kNh3U*nZY=wlig_e`>{c=%#wFn}wKW)t_6tFk^hmAV{ zn9=;t?Uy}OTjc-OvOFG~4YVx(r@PSDmfrX zQImvd(hmTZDXylO4Xb04(5LtW;1#JqNSe`Zu}Cw)k?THGL*{n0O2sMj*`$lv{uz-v z6vKI)J(^+02**Cm#oB7P`47!XyY@S9$`j-oc8nS^`-Fbu5YT9BuaIUA_M-A!(FQUL zOX3KX5*?4<)F^j1tZ&78)-G50?>Qt2mEe)6ae_UPZQyfPjP8xoYll<&0J5Ck$NXCB z?kz!e+}UKTVvQO{@g>mEWi?ogwfH+p*)8km!A3UkVlLWdiZmrWsUOOBn#2J>KB?b# zGWYX`pN`K@kKZ3(d^~*f;o|-A`NyMoZx2pR%bwtJgDjIdf2crp(a~%TFPGqChE^VG z=TE9{om3BI#KeHGi2RmIjO+jvnbmt&#z1jIm6p@Hk8nv`ckZsqXa?ze2GXtKRV+_y zR2?9r6XdAWnG^%;*C;#II{Pc?`Xzvj=y4x9E@SYw<}G)UTO(&q}l1^3=&+4eAlF=Gis569W<>ah3)1uU#+FW%M>Jv`{%Ts)7eAUJR zr{>C;qp?o2&edxbHW##GJzYKuW0YFWtiHKgyJ*(w9cR-%lo?ekYQ0A8*{!n`-wleTm2nZMyzjQR(YQ1_T<){A=Sq1ZD+2WswF;>+jO z#!ufC*?&*D2ig6iEwTUGySuyX`2W`aI{)WM+KP(R@3J5229(^@HveDR_PYJdVvFOA z*IW}=nYfzWb9V8Lb6dssb_?dNexb`pW zHfDA2uTIOgd%3hN^#AALIru@&CGey{&fqXLomJ?f*SRdnW&{!CkB9x_M_E zUz^%1{829WxwlUr&fj<|R7lp0ZF-*dUnc+FX?@TZaEbi)dRsH{-`&|-%l}if#{1t2 zDfc$=ar3^y7E67_Qvc=i!Q2n#Yso6jw**Ay{=6ix2jX>GZq<&P&mS89SN&%sE#zz$ z_`NuVtw3x+cysgI9KCL;eNcRK$V#YARNjT{dmW@d-^s$%#U`Qy-B^D`~e<75W?2-Cz z(bd2oPCD<|MGbDQij}P7-`!65Pj*2g>7g;r8T#6=m zJRI790-Oqt|4}Ph#1`+kqU9SLzV?-^$BbuI___7-mu`#fzxA^p<@9g4{qODXx6l8& z+xu(#{}k9>k?Z1RK8sRuw75bpts$9zrZN}soJe~6T*QUJ 
z-McPth5y_~Ar)ub;~?Z)V36lH6RC*0J`q{BMq6b66|$kSFO&}LYgpw2+<;~0Kij?i zcKmmHf1UsPB(1LO+xzKK#h+LXc!*k`VW$W0ri)0bfqY>h_u=z8__%6YEdSOh_;*7* zY!9&X{CB4Q$Nv7_I{x=0?Y8ru!XtRLpZ|ZYi7j(tk$3u4TI&rYH6X1So^Jhbm46@k z{KEOayRIva$XTjjTw#kTRJ@U>Ro)XjKoFN5{ZLI3^QBK#j_1IW^*Qi2 z&=%SMwxjwb^MAWry_x*q?e+feN!pjn|84QlDp4Ol^lJ?KEKJ{R7S#I6(sx_PtKTKm1?t0)8Qq zid@0T(Xk4mObT1OA)*PAj_WSPKZ9tZVv%6yTX>0hQ~q69sVGezb&e(SzrVB9uK%;W zz5e~z)3g^YzbI&Y1*(A5OXXBIxUGRPveg7^6$D`&heCk}=@uYWysym>0r74pD0Ghj;(`{ha!7_2^UM%PU)-J=Y>7n#P2&DP&SisH-Ky z6aOAxc>m_YhOqqUih}QpDkF_`c&VxgL*XBTnktRys|f07LYgZL0|c3KSB%9Mc4`!` zg~RhBRd#JwDx4`#*rZ{TKYWQOL#&^#iAte(ZRuQcU70TKZwca6ZJpp(92_Wx>3~fO zD`T*#*J=_8s>l{QHrV{b>tHA~*W8JJ{&jZZ&VY$QCnc0uYVVaT&*QOicFNGNRWMj% zrZ&Bg?nvx{l6>UQ^TnSnZ+9$Ju7$i}f+Wh4s!77bTxpROKNLQ)MRc5nJUl;oRVyn= zs>Q%0a;DgC6kK8DLY5BCkE)u>2CG>qbR{ZPJjNtvr94(Omji&y%gb1Bv8$E0ngdIoG#USF|K|B<;j9=?rYC#krB6k44zcl~a6nJjxJJfzRdTrBy>Ga}-Sw zysxX2V(nC|fKXZ2zfnc(vVrGiKL~1T;mbW164T_R{|TT`_jKM}w}Gy8a+ixjN1s2# z;olC<-+%n&`26DJ-6`DM*dD9Ylq{%nCX^2A($qFD31-L>Rj^-0tI8a}$q=~EP}Dn} zudFspg6J`(z{R!I;0F!1hhq7_N={3X+`5!q^qA-t{c_cm?S@D_oy;hbW(+;e=M+oz zTp7YaqbzDk)3UJqWxI^(W%Y(=@YPIjAyv`CQfgMkZAtzbbn4foQSBPLn#qcqKnOXWx$MgEe1>QysoTN3-+$^Q>nz;I8 zH4@GEvvquVvI!z{g}K>u(++5rh@LBm9{y8lrKg#Aj*0kU6W>?&JP#Ukl+SbT$JcG$ X)@|LMs{MZe00960{$_790Ga>*iT?3* literal 0 HcmV?d00001 diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/.helmignore b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/.helmignore 
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/Chart.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/Chart.yaml
new file mode 100644
index 0000000..a26cfe1
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/Chart.yaml
@@ -0,0 +1,23 @@
+apiVersion: v2
+name: spin-operator
+description: A Helm chart for Kubernetes
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+# NOTE: this version is kept static in version control but is bumped when packaging and releasing
+version: 0.1.0
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+# NOTE: this version is kept static in version control but is bumped when packaging and releasing
+appVersion: "v0.1.0"
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/README.md b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/README.md
new file mode 100644
index 0000000..5140ea4
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/README.md
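Review bot: `description: A Helm chart for Kubernetes` is the `helm create` scaffold placeholder and says nothing about what this subchart installs; the README added in the same commit describes spin-operator as the operator managing the lifecycle of SpinApp resources, so a description along those lines would carry over. The chart also declares no `kubeVersion` constraint although the README lists a Kubernetes version prerequisite, so Helm has no way to refuse installation on a cluster below it. Both may be better fixed upstream since this is a vendored subchart.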
@@ -0,0 +1,87 @@
+# spin-operator
+
+spin-operator is a Kubernetes operator in charge of handling the lifecycle of Spin applications based on their SpinApp resources.
+
+## Prerequisites
+
+- Kubernetes v1.11.3+
+
+## Prepare the cluster
+
+Prior to installing the chart, you'll need to ensure the following:
+
+- [Cert Manager](https://github.com/cert-manager/cert-manager) to automatically provision and manage TLS certificates (used by spin-operator's admission webhook system). Cert Manager must be running and the corresponding CRDs must be present on the cluster before installing the spin-operator chart.
+
+- [Kwasm Operator](https://github.com/kwasm/kwasm-operator) to install WebAssembly support on Kubernetes nodes. See the [project README.md](https://github.com/KWasm/kwasm-operator/blob/main/README.md) for installation and configuration steps, including annotating nodes to run Spin/wasm workloads.
+
+- spin-operator CustomResourceDefinition (CRD) resources are installed. This includes the SpinApp CRD representing Spin applications to be scheduled on the cluster.
+
+ ```console
+ $ kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/crd/bases/core.spinoperator.dev_spinapps.yaml
+ $ kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/crd/bases/core.spinoperator.dev_spinappexecutors.yaml
+ ```
+
+## Installing the chart
+
+The following installs the chart with the release name `spin-operator`:
+
+```console
+$ helm install spin-operator \
+ --namespace spin-operator \
+ --create-namespace \
+ --version {{ CHART_VERSION }} \
+ oci://ghcr.io/spinkube/charts/spin-operator
+```
+
+## Post-installation
+
+spin-operator depends on the following resources. If not already present on the cluster, install them now:
+
+- An application executor is installed. This is the executor that spin-operator uses to run Spin applications.
+
+ ```console
+ $ kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/spin-shim-executor.yaml
+ ```
+
+- A RuntimeClass resource for the `wasmtime-spin-v2` container runtime is installed. This is the runtime that Spin applications use.
+
+ ```console
+ $ kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/spin-runtime-class.yaml
+ ```
+
+## Upgrading the chart
+
+Note that you may also need to upgrade the spin-operator CRDs in tandem with upgrading the Helm release:
+
+```console
+$ kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/crd/bases/core.spinoperator.dev_spinapps.yaml
+$ kubectl apply -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/crd/bases/core.spinoperator.dev_spinappexecutors.yaml
+```
+
+To upgrade the `spin-operator` release, run the following:
+
+```console
+$ helm upgrade spin-operator \
+ --namespace spin-operator \
+ --version {{ CHART_VERSION }} \
+ oci://ghcr.io/spinkube/charts/spin-operator
+```
+
+## Uninstalling the chart
+
+To delete the `spin-operator` release, run:
+
+```console
+$ helm delete spin-operator --namespace spin-operator
+```
+
+This will remove all Kubernetes resources associated with the chart and deletes the Helm release.
+
+To completely uninstall all resources related to spin-operator, you may want to delete the corresponding CRD resources and, optionally, the RuntimeClass:
+
+```console
+$ kubectl delete -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/spin-runtime-class.yaml
+$ kubectl delete -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/samples/spin-shim-executor.yaml
+$ kubectl delete -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/crd/bases/core.spinoperator.dev_spinapps.yaml
+$ kubectl delete -f https://raw.githubusercontent.com/spinkube/spin-operator/main/config/crd/bases/core.spinoperator.dev_spinappexecutors.yaml
+```
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/NOTES.txt b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/NOTES.txt
new file mode 100644
index 0000000..c3b7efc
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/NOTES.txt
@@ -0,0 +1,26 @@
+spin-operator {{ .Chart.Version }} is now deployed!
+
+Your release is named {{ .Release.Name }}.
+
+To learn more about the release, try:
+
+ $ helm --namespace {{ .Release.Namespace }} status {{ .Release.Name }}
+ $ helm --namespace {{ .Release.Namespace }} get all {{ .Release.Name }}
+
+Note: spin-operator requires a few additional resources to be present on the
+Kubernetes cluster before it can run the first Spin application. If you haven't
+already done so, please ensure the following:
+
+1. Install the containerd-shim-spin SpinAppExecutor:
+
+ $ kubectl apply -f https://github.com/spinkube/spin-operator/releases/download/v{{ .Chart.Version }}/spin-operator.shim-executor.yaml
+
+2. Install the wasmtime-spin-v2 RuntimeClass:
+
+ $ kubectl apply -f https://github.com/spinkube/spin-operator/releases/download/v{{ .Chart.Version }}/spin-operator.runtime-class.yaml
+
+You are now ready to deploy your first Spin app!
+
+For further details, see this chart's README:
+
+ $ helm show readme oci://ghcr.io/spinkube/charts/spin-operator
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/_helpers.tpl b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/_helpers.tpl
new file mode 100644
index 0000000..b469858
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/_helpers.tpl
@@ -0,0 +1,73 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "spin-operator.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "spin-operator.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+
+{{/*
+helmify replaces namespace name with `{{ .Release.Namespace }}` in dnsNames for Certificate object
+which means `{{ include "spin-operator.fullname" . }}` gets replaced with `{{ include "{{ .Release.Namespace }}.fullname" . }}`
+
+This is most likely a bug in helmify, but we can workaround it by defining a new template helper with name `{{ .Release.Namespace }}.fullname`
+*/}}
+{{- define "{{ .Release.Namespace }}.fullname" -}}
+{{ include "spin-operator.fullname" . }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "spin-operator.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "spin-operator.labels" -}}
+helm.sh/chart: {{ include "spin-operator.chart" . }}
+{{ include "spin-operator.selectorLabels" . 
}}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "spin-operator.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "spin-operator.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "spin-operator.serviceAccountName" -}}
+{{- if .Values.serviceAccount.create }}
+{{- default (include "spin-operator.fullname" .) .Values.serviceAccount.name }}
+{{- else }}
+{{- default "default" .Values.serviceAccount.name }}
+{{- end }}
+{{- end }}
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/deployment.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/deployment.yaml
new file mode 100644
index 0000000..4bb0e54
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/deployment.yaml
@@ -0,0 +1,81 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: {{ include "spin-operator.fullname" . }}-controller-manager
+ labels:
+ app.kubernetes.io/component: manager
+ app.kubernetes.io/created-by: spin-operator
+ app.kubernetes.io/part-of: spin-operator
+ control-plane: controller-manager
+ {{- include "spin-operator.labels" . | nindent 4 }}
+spec:
+ replicas: {{ .Values.controllerManager.replicas }}
+ selector:
+ matchLabels:
+ control-plane: controller-manager
+ {{- include "spin-operator.selectorLabels" . | nindent 6 }}
+ template:
+ metadata:
+ labels:
+ control-plane: controller-manager
+ {{- include "spin-operator.selectorLabels" . | nindent 8 }}
+ annotations:
+ kubectl.kubernetes.io/default-container: manager
+ spec:
+ containers:
+ - args: {{- toYaml .Values.controllerManager.manager.args | nindent 8 }}
+ command:
+ - /manager
+ env:
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ printf "%s/%s:%s" .Values.global.azure.images.spinOperator.registry .Values.global.azure.images.spinOperator.image .Values.global.azure.images.spinOperator.tag }}
+ imagePullPolicy: {{ .Values.controllerManager.manager.imagePullPolicy }}
+ livenessProbe:
+ httpGet:
+ path: /healthz
+ port: 8082
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ name: manager
+ ports:
+ - containerPort: 9443
+ name: webhook-server
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: 8082
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ resources: {{- toYaml .Values.controllerManager.manager.resources | nindent 10
+ }}
+ securityContext: {{- toYaml .Values.controllerManager.manager.containerSecurityContext
+ | nindent 10 }}
+ volumeMounts:
+ - mountPath: /tmp/k8s-webhook-server/serving-certs
+ name: cert
+ readOnly: true
+ - args: {{- toYaml .Values.controllerManager.kubeRbacProxy.args | nindent 8 }}
+ env:
+ - name: KUBERNETES_CLUSTER_DOMAIN
+ value: {{ quote .Values.kubernetesClusterDomain }}
+ image: {{ printf 
"%s/%s:%s" .Values.global.azure.images.spinOperatorKubeRbacProxy.registry .Values.global.azure.images.spinOperatorKubeRbacProxy.image .Values.global.azure.images.spinOperatorKubeRbacProxy.tag }}
+ name: kube-rbac-proxy
+ ports:
+ - containerPort: 8443
+ name: https
+ protocol: TCP
+ resources: {{- toYaml .Values.controllerManager.kubeRbacProxy.resources | nindent
+ 10 }}
+ securityContext: {{- toYaml .Values.controllerManager.kubeRbacProxy.containerSecurityContext
+ | nindent 10 }}
+ securityContext:
+ runAsNonRoot: true
+ serviceAccountName: {{ include "spin-operator.fullname" . }}-controller-manager
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: cert
+ secret:
+ defaultMode: 420
+ secretName: webhook-server-cert
\ No newline at end of file
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/leader-election-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/leader-election-rbac.yaml
new file mode 100644
index 0000000..7e19cbb
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/leader-election-rbac.yaml
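Review bot: The `kube-rbac-proxy` container sets no `imagePullPolicy`, while the `manager` container above it takes one from `.Values.controllerManager.manager.imagePullPolicy`; both images are referenced by tag only (`printf "%s/%s:%s"`), so the proxy silently falls back to the kubelet default and cannot be pinned the way the manager can — a parallel `imagePullPolicy: {{ .Values.controllerManager.kubeRbacProxy.imagePullPolicy }}` (a new values key named by analogy) would make the two containers consistent. The webhook volume references the fixed `secretName: webhook-server-cert` instead of a release-scoped name like every other resource in this chart, so two releases in the same namespace would contend for one Secret; renaming it means the Certificate template that issues it, which is not in this chunk, must change in step. The pod-level `securityContext` only sets `runAsNonRoot: true`; whether a seccomp profile and capability drops are applied depends on the `containerSecurityContext` values, which are not visible here. This template and the rbac and metrics templates that follow also end without a trailing newline (`\ No newline at end of file`).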
@@ -0,0 +1,59 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: {{ include "spin-operator.fullname" . }}-leader-election-role
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: spin-operator
+ app.kubernetes.io/part-of: spin-operator
+ {{- include "spin-operator.labels" . | nindent 4 }}
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - configmaps
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - coordination.k8s.io
+ resources:
+ - leases
+ verbs:
+ - get
+ - list
+ - watch
+ - create
+ - update
+ - patch
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - events
+ verbs:
+ - create
+ - patch
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: {{ include "spin-operator.fullname" . }}-leader-election-rolebinding
+ labels:
+ app.kubernetes.io/component: rbac
+ app.kubernetes.io/created-by: spin-operator
+ app.kubernetes.io/part-of: spin-operator
+ {{- include "spin-operator.labels" . | nindent 4 }}
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: '{{ include "spin-operator.fullname" . }}-leader-election-role'
+subjects:
+- kind: ServiceAccount
+ name: '{{ include "spin-operator.fullname" . }}-controller-manager'
+ namespace: '{{ .Release.Namespace }}'
\ No newline at end of file
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/manager-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/manager-rbac.yaml
new file mode 100644
index 0000000..9a5bb5a
--- /dev/null
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/manager-rbac.yaml
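Review bot: The leader-election Role grants the full verb set (`get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) on every `configmaps` object in the release namespace, alongside the same verbs on `leases`; recent controller-runtime releases take the leader lock on `leases` alone, so the `configmaps` rule looks like a leftover from the older ConfigMap-based lock and hands the controller-manager ServiceAccount read and write access to all ConfigMaps in that namespace for no visible purpose. If the operator does not actually use a ConfigMap lock, dropping that rule, or at least narrowing it with `resourceNames` to the lock's name, would keep the binding to least privilege; the `events` rule is already appropriately limited to `create`/`patch`. A comment on the rule stating why it is still needed would settle the question for the next reader either way.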
@@ -0,0 +1,113 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "spin-operator.fullname" . }}-manager-role + labels: + {{- include "spin-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - "" + resources: + - services + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - apps + resources: + - deployments/status + verbs: + - get +- apiGroups: + - core.spinoperator.dev + resources: + - spinappexecutors + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - core.spinoperator.dev + resources: + - spinappexecutors/finalizers + verbs: + - update +- apiGroups: + - core.spinoperator.dev + resources: + - spinappexecutors/status + verbs: + - get + - patch + - update +- apiGroups: + - core.spinoperator.dev + resources: + - spinapps + verbs: + - create + - delete + - get + - list + - patch + - update + - watch +- apiGroups: + - core.spinoperator.dev + resources: + - spinapps/status + verbs: + - get + - patch + - update +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "spin-operator.fullname" . }}-manager-rolebinding + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + {{- include "spin-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "spin-operator.fullname" . }}-manager-role' +subjects: +- kind: ServiceAccount + name: '{{ include "spin-operator.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file 
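Review bot: The manager ClusterRole's first rule gives the controller-manager ServiceAccount create/delete/get/list/patch/update/watch on core `secrets` across every namespace, which is the broadest privilege in this chart and is not documented anywhere in the hunk; a reader cannot tell from the template which Secrets the operator needs or why cluster scope (rather than a namespaced Role) is required. I would add a comment directly above the rule stating the purpose, e.g. `# secrets: cluster-wide because SpinApps may live in any namespace; TODO confirm whether list/watch is required or get-by-name suffices`, and if a narrower set of verbs is sufficient, trim it, since `list`/`watch` on Secrets effectively makes the operator a reader of every Secret in the cluster. There is also a small inconsistency: the ClusterRole's `metadata.labels` only includes `spin-operator.labels`, while the ClusterRoleBinding below it and the Role in leader-election-rbac.yaml also carry the `app.kubernetes.io/component: rbac`, `created-by` and `part-of` labels.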
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-reader-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-reader-rbac.yaml new file mode 100644 index 0000000..9d454f9 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-reader-rbac.yaml @@ -0,0 +1,14 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "spin-operator.fullname" . }}-metrics-reader + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + {{- include "spin-operator.labels" . | nindent 4 }} +rules: +- nonResourceURLs: + - /metrics + verbs: + - get \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-service.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-service.yaml new file mode 100644 index 0000000..6a87905 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/metrics-service.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "spin-operator.fullname" . }}-controller-manager-metrics-service + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + control-plane: controller-manager + {{- include "spin-operator.labels" . | nindent 4 }} +spec: + type: {{ .Values.metricsService.type }} + selector: + control-plane: controller-manager + {{- include "spin-operator.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.metricsService.ports | toYaml | nindent 2 -}} \ No newline at end of file 
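Review bot: The `-metrics-reader` ClusterRole (nonResourceURLs `/metrics`, verb `get`) is defined but nothing in this commit binds it to a subject, so as shipped it is inert; that is the usual kubebuilder scaffold where the operator author expects cluster admins to bind it to whoever scrapes the kube-rbac-proxy endpoint, but the chart does not say so. A short comment above `rules:` would make the intent explicit, e.g. `# Not bound by the chart: bind this role to the identity that scrapes the metrics Service (e.g. a Prometheus ServiceAccount).`, and if a binding is expected elsewhere in the chart, please point to it instead. The metrics Service hunk below looks consistent with the proxy's `--secure-listen-address=0.0.0.0:8443` in values.yaml.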
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/mutating-webhook-configuration.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/mutating-webhook-configuration.yaml new file mode 100644 index 0000000..5002666 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/mutating-webhook-configuration.yaml @@ -0,0 +1,49 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: MutatingWebhookConfiguration +metadata: + name: {{ include "spin-operator.fullname" . }}-mutating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "spin-operator.fullname" . }}-serving-cert + labels: + {{- include "spin-operator.labels" . | nindent 4 }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "spin-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-core-spinoperator-dev-v1alpha1-spinapp + failurePolicy: Fail + name: mspinapp.kb.io + rules: + - apiGroups: + - core.spinoperator.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - spinapps + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "spin-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /mutate-core-spinoperator-dev-v1alpha1-spinappexecutor + failurePolicy: Fail + name: mspinappexecutor.kb.io + rules: + - apiGroups: + - core.spinoperator.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - spinappexecutors + sideEffects: None \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/proxy-rbac.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/proxy-rbac.yaml new file mode 100644 index 0000000..53353be --- /dev/null 
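Review bot: Both webhooks rely on the `cert-manager.io/inject-ca-from` annotation to populate `clientConfig.caBundle`, and with `failurePolicy: Fail` and no `timeoutSeconds` (API server default of 10s applies) every CREATE/UPDATE of `spinapps` and `spinappexecutors` is rejected until cainjector has run and the serving certificate exists; that fail-closed posture is the right default, but the chart lets users set `cert-manager.enabled: false` in the umbrella values.yaml without any guard here, so a `{{- /* requires cert-manager: see serving-cert.yaml and selfsigned-issuer.yaml */ -}}` comment at the top of this template (and the validating one in validating-webhook-configuration.yaml) would at least document the coupling. The annotation value `{{ .Release.Namespace }}/{{ include "spin-operator.fullname" . }}-serving-cert` is rendered unquoted while the `clientConfig.service` fields are single-quoted; `'{{ .Release.Namespace }}/{{ include "spin-operator.fullname" . }}-serving-cert'` keeps the two files in one style. The same remarks apply verbatim to validating-webhook-configuration.yaml further down.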
+++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/proxy-rbac.yaml @@ -0,0 +1,40 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: {{ include "spin-operator.fullname" . }}-proxy-role + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + {{- include "spin-operator.labels" . | nindent 4 }} +rules: +- apiGroups: + - authentication.k8s.io + resources: + - tokenreviews + verbs: + - create +- apiGroups: + - authorization.k8s.io + resources: + - subjectaccessreviews + verbs: + - create +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: {{ include "spin-operator.fullname" . }}-proxy-rolebinding + labels: + app.kubernetes.io/component: kube-rbac-proxy + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + {{- include "spin-operator.labels" . | nindent 4 }} +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: '{{ include "spin-operator.fullname" . }}-proxy-role' +subjects: +- kind: ServiceAccount + name: '{{ include "spin-operator.fullname" . }}-controller-manager' + namespace: '{{ .Release.Namespace }}' \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/selfsigned-issuer.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/selfsigned-issuer.yaml new file mode 100644 index 0000000..06899d6 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/selfsigned-issuer.yaml @@ -0,0 +1,8 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + name: {{ include "spin-operator.fullname" . }}-selfsigned-issuer + labels: + {{- include "spin-operator.labels" . | nindent 4 }} +spec: + selfSigned: {} \ No newline at end of file 
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serviceaccount.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serviceaccount.yaml new file mode 100644 index 0000000..a8460dc --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serviceaccount.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: ServiceAccount +metadata: + name: {{ include "spin-operator.fullname" . }}-controller-manager + labels: + app.kubernetes.io/component: rbac + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + {{- include "spin-operator.labels" . | nindent 4 }} + annotations: + {{- toYaml .Values.controllerManager.serviceAccount.annotations | nindent 4 }} \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serving-cert.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serving-cert.yaml new file mode 100644 index 0000000..fec3ab5 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/serving-cert.yaml @@ -0,0 +1,16 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: {{ include "spin-operator.fullname" . }}-serving-cert + labels: + {{- include "spin-operator.labels" . | nindent 4 }} +spec: + dnsNames: + - '{{ include "{{ .Release.Namespace }}.fullname" . }}-webhook-service.{{ .Release.Namespace + }}.svc' + - '{{ include "{{ .Release.Namespace }}.fullname" . }}-webhook-service.{{ .Release.Namespace + }}.svc.{{ .Values.kubernetesClusterDomain }}' + issuerRef: + kind: Issuer + name: '{{ include "spin-operator.fullname" . }}-selfsigned-issuer' + secretName: webhook-server-cert \ No newline at end of file 
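Review bot: The two `dnsNames` in serving-cert.yaml call `include "{{ .Release.Namespace }}.fullname"`, which is not a named template in this chart; every other template (including `issuerRef.name` three lines below, and the Service in webhook-service.yaml) uses `spin-operator.fullname`. I expect `helm template` to fail on the unknown template name, and if it somehow rendered, the certificate's SANs would not match `<fullname>-webhook-service.<namespace>.svc`, so the API server's TLS verification of the webhook would fail and, because both webhook configurations use `failurePolicy: Fail`, every SpinApp and SpinAppExecutor create/update would be rejected. The fix is to use the chart helper, collapsing each entry to one line: `- '{{ include "spin-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc'` and `- '{{ include "spin-operator.fullname" . }}-webhook-service.{{ .Release.Namespace }}.svc.{{ .Values.kubernetesClusterDomain }}'`. The ServiceAccount hunk above it looks fine.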
diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/validating-webhook-configuration.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/validating-webhook-configuration.yaml new file mode 100644 index 0000000..90a857a --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/validating-webhook-configuration.yaml @@ -0,0 +1,49 @@ +apiVersion: admissionregistration.k8s.io/v1 +kind: ValidatingWebhookConfiguration +metadata: + name: {{ include "spin-operator.fullname" . }}-validating-webhook-configuration + annotations: + cert-manager.io/inject-ca-from: {{ .Release.Namespace }}/{{ include "spin-operator.fullname" . }}-serving-cert + labels: + {{- include "spin-operator.labels" . | nindent 4 }} +webhooks: +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "spin-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-core-spinoperator-dev-v1alpha1-spinapp + failurePolicy: Fail + name: vspinapp.kb.io + rules: + - apiGroups: + - core.spinoperator.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - spinapps + sideEffects: None +- admissionReviewVersions: + - v1 + clientConfig: + service: + name: '{{ include "spin-operator.fullname" . }}-webhook-service' + namespace: '{{ .Release.Namespace }}' + path: /validate-core-spinoperator-dev-v1alpha1-spinappexecutor + failurePolicy: Fail + name: vspinappexecutor.kb.io + rules: + - apiGroups: + - core.spinoperator.dev + apiVersions: + - v1alpha1 + operations: + - CREATE + - UPDATE + resources: + - spinappexecutors + sideEffects: None \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/webhook-service.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/webhook-service.yaml new file mode 100644 index 0000000..01426ec 
--- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/templates/webhook-service.yaml @@ -0,0 +1,16 @@ +apiVersion: v1 +kind: Service +metadata: + name: {{ include "spin-operator.fullname" . }}-webhook-service + labels: + app.kubernetes.io/component: webhook + app.kubernetes.io/created-by: spin-operator + app.kubernetes.io/part-of: spin-operator + {{- include "spin-operator.labels" . | nindent 4 }} +spec: + type: {{ .Values.webhookService.type }} + selector: + control-plane: controller-manager + {{- include "spin-operator.selectorLabels" . | nindent 4 }} + ports: + {{- .Values.webhookService.ports | toYaml | nindent 2 -}} \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/values.yaml b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/values.yaml new file mode 100644 index 0000000..7114ff3 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/charts/spin-operator/values.yaml 
@@ -0,0 +1,94 @@ +## controllerManager represents the Spin Operator deployment. +controllerManager: + ## manager represents the Spin Operator container. + manager: + ## args are the default arguments to supply to the operator. + ## In general, these should be left as-is. + args: + - --health-probe-bind-address=:8082 + - --metrics-bind-address=127.0.0.1:8080 + - --leader-elect + - --enable-webhooks + ## containerSecurityContext defines privilege and access control for the + ## container. + ## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ## image indicates which repository and tag combination will be used for + ## pulling the operator image. + image: + repository: ghcr.io/spinkube/spin-operator + ## By default, .Chart.AppVersion is used as the tag. + ## Updating this value to a version not aligned with the current chart + ## version may lead to unexpected or broken behavior. + # tag: latest + imagePullPolicy: IfNotPresent + ## resources represent default cpu/mem limits for the operator container. + resources: + # TODO: update these per https://github.com/spinkube/spin-operator/issues/21 + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 10m + memory: 64Mi + + ## kubeRbacProxy handles RBAC authorization with the Kubernetes API server. + kubeRbacProxy: + ## args are the default arguments to supply to the RBAC proxy. + ## In general, these should be left as-is. + args: + - --secure-listen-address=0.0.0.0:8443 + - --upstream=http://127.0.0.1:8080/ + - --logtostderr=true + - --v=0 + ## containerSecurityContext defines privilege and access control for the + ## container. + ## See https://kubernetes.io/docs/tasks/configure-pod-container/security-context/ + containerSecurityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + ## resources represent default cpu/mem limits for the RBAC proxy container. 
+ resources: + # TODO: update these per https://github.com/spinkube/spin-operator/issues/21 + limits: + cpu: 500m + memory: 128Mi + requests: + cpu: 5m + memory: 64Mi + + # replicas represent how many pod replicas of the controllerManager to run. + replicas: 1 + + # serviceAccount represents configuration for the controllerManager Service Account. + # See https://kubernetes.io/docs/tasks/configure-pod-container/configure-service-account/ + serviceAccount: + annotations: {} + +## kubernetesClusterDomain represents the domain used for service DNS within the cluster. +kubernetesClusterDomain: cluster.local + +## metricsService configuration. +## This configuration should only be updated in tandem with corresponding +## controller and RBAC proxy configuration. +metricsService: + ports: + - name: https + port: 8443 + protocol: TCP + targetPort: https + type: ClusterIP + +## webhookService configuration. +webhookService: + ports: + - port: 443 + protocol: TCP + targetPort: 9443 + type: ClusterIP diff --git a/marketplace/charts/spinkube-azure-marketplace/crds b/marketplace/charts/spinkube-azure-marketplace/crds new file mode 120000 index 0000000..3fba0fe --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/crds @@ -0,0 +1 @@ +/Users/vdice/code/github.com/spinkube/azure/crds \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/templates/kwasm.annotation.yaml b/marketplace/charts/spinkube-azure-marketplace/templates/kwasm.annotation.yaml new file mode 100644 index 0000000..9527a42 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/templates/kwasm.annotation.yaml 
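Review bot: Both `containerSecurityContext` blocks drop all capabilities and set `allowPrivilegeEscalation: false`, but neither sets `readOnlyRootFilesystem` or a `seccompProfile`, and the pod-level `securityContext` in the deployment hunk only sets `runAsNonRoot: true`; the restricted Pod Security Standard expects `seccompProfile.type: RuntimeDefault`, and a read-only root filesystem is cheap hardening for a controller and a proxy that should not write to disk. I would add under each `containerSecurityContext`: `readOnlyRootFilesystem: true`, `seccompProfile:` and `  type: RuntimeDefault`, after confirming that neither the manager nor kube-rbac-proxy writes to its root filesystem (I assume not, but this should be verified with a test install). The `# TODO` markers on the resource limits are fine as long as the linked issue stays open; the comment indentation under `kubeRbacProxy.resources` uses a single `#` while the surrounding documentation uses `##`, which is worth making consistent.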
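Review bot: The `crds` entry is committed as a symlink (mode 120000) whose target is an absolute path on the author's workstation, `/Users/vdice/code/github.com/spinkube/azure/crds`, so on any other checkout the link dangles and the chart will be packaged and installed without its CustomResourceDefinitions; the webhook configurations and the manager ClusterRole in this commit all assume the `core.spinoperator.dev` CRDs exist. Replace the link with the actual CRD manifests in `marketplace/charts/spinkube-azure-marketplace/crds/`, or, if the CRDs are meant to be shared with another directory in this repository, a relative symlink that stays inside the repo, and document where the canonical copy lives in the chart README. A CI check that `helm lint` and `helm template` succeed from a clean clone would have caught this.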
@@ -0,0 +1,43 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: kwasm-annotate-nodes +spec: + template: + metadata: + name: kwasm-annotate-nodes + spec: + serviceAccountName: kwasm-annotate-sa + containers: + - name: kubectl + image: {{ printf "%s/%s:%s" .Values.global.azure.images.kubectl.registry .Values.global.azure.images.kubectl.image .Values.global.azure.images.kubectl.tag }} + command: ["kubectl"] + args: ["annotate", "node", "--all", "kwasm.sh/kwasm-node=true"] + restartPolicy: OnFailure +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: kwasm-annotate-sa +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: kwasm-annotate-clusterrole +rules: +- apiGroups: [""] + resources: ["nodes"] + verbs: ["*"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kwasm-annotate-clusterrolebinding +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: kwasm-annotate-clusterrole +subjects: +- kind: ServiceAccount + name: kwasm-annotate-sa + namespace: {{ .Release.Namespace }} \ No newline at end of file diff --git a/marketplace/charts/spinkube-azure-marketplace/templates/spin-operator.runtime-class.yaml b/marketplace/charts/spinkube-azure-marketplace/templates/spin-operator.runtime-class.yaml new file mode 100644 index 0000000..4fd6654 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/templates/spin-operator.runtime-class.yaml @@ -0,0 +1,5 @@ +apiVersion: node.k8s.io/v1 +kind: RuntimeClass +metadata: + name: wasmtime-spin-v2 +handler: spin diff --git a/marketplace/charts/spinkube-azure-marketplace/values.yaml b/marketplace/charts/spinkube-azure-marketplace/values.yaml new file mode 100644 index 0000000..67784f5 --- /dev/null +++ b/marketplace/charts/spinkube-azure-marketplace/values.yaml 
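Review bot: The `kwasm-annotate-clusterrole` grants `verbs: ["*"]` on `nodes`, but the Job only runs `kubectl annotate node --all`, which needs `get`, `list` and `patch`; `*` additionally gives the `kwasm-annotate-sa` identity create, update and delete on Node objects, and because the Job, ServiceAccount and ClusterRoleBinding are plain resources rather than Helm hooks, that binding remains in the cluster for the lifetime of the release after the one-shot Job has finished. I would change the rule to `verbs: ["get", "list", "patch"]` and consider annotating the four resources as a `post-install,post-upgrade` hook with `hook-delete-policy: hook-succeeded` so the grant disappears with the Job. The `kubectl` container also has no `securityContext`, unlike the operator containers in the spin-operator values, and its image tag comes from `global.azure.images.kubectl.tag`, which the umbrella values.yaml sets to `latest` (see the note on that hunk). The RuntimeClass hunk that follows is trivial.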
@@ -0,0 +1,56 @@ +global: + azure: + images: + # spinkube-azure-marketplace + kubectl: + tag: latest + image: kubectl + registry: bitnami + # spin-operator + spinOperator: + tag: v0.2.0 + image: spin-operator + registry: ghcr.io/spinkube + spinOperatorKubeRbacProxy: + tag: v0.15.0 + image: kube-rbac-proxy + registry: gcr.io/kubebuilder + # cert-manager + certManager: + tag: v1.14.6 + image: cert-manager-controller + registry: quay.io/jetstack + certManagerAcmesolver: + tag: v1.14.6 + image: cert-manager-acmesolver + registry: quay.io/jetstack + certManagerCainjector: + tag: v1.14.6 + image: cert-manager-cainjector + registry: quay.io/jetstack + certManagerStartupapicheck: + tag: v1.14.6 + image: cert-manager-startupapicheck + registry: quay.io/jetstack + certManagerWebhook: + tag: v1.14.6 + image: cert-manager-webhook + registry: quay.io/jetstack + # kwasm-operator + kwasmOperator: + tag: kwasm-operator-0.2.2 + image: kwasm-operator + registry: ghcr.io/kwasm + kwasmOperatorInstallerImage: + tag: v0.14.1 + image: node-installer + registry: ghcr.io/spinkube/containerd-shim-spin + +spin-operator: + enabled: true + +cert-manager: + enabled: true + +kwasm-operator: + enabled: true diff --git a/marketplace/manifest.yaml b/marketplace/manifest.yaml new file mode 100644 index 0000000..bb8a089 --- /dev/null +++ b/marketplace/manifest.yaml 
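Review bot: `kubectl.tag: latest` is the only mutable tag in the image table, and it feeds the `kwasm-annotate-nodes` Job that runs with cluster-wide Node permissions; every other image here is pinned to a release, so this one should be too, e.g. `tag: "<pinned-kubectl-version>"` (placeholder; pick the release matching the cluster's minor version), and ideally a digest. `registry: bitnami` is a Docker Hub namespace rather than a registry host, unlike the `ghcr.io/...`, `quay.io/...` and `gcr.io/...` entries, so the `printf "%s/%s:%s"` in the templates yields `bitnami/kubectl:latest` with an implicit `docker.io`; since manifest.yaml declares a `registryServer` for the Marketplace offer, I assume these images are expected to be mirrored there, and `docker.io/bitnami` at minimum makes the source explicit. Version-like tags such as `v0.2.0` are safe unquoted, but quoting them would guard against a future tag like `1.10`.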
@@ -0,0 +1,12 @@ +applicationName: com.spinkube.spinkube +publisher: "Spinkube" +description: "SpinKube on Azure Marketplace" +version: 1.0.0 #Must be in the format of #.#.# +helmChart: "./charts/spinkube-azure-marketplace" +clusterArmTemplate: "./mainTemplate.json" +uiDefinition: "./createUIDefinition.json" +registryServer: "TODO.azurecr.io" +testParameterFile: "./parameterFile.json" +extensionRegistrationParameters: + defaultScope: "cluster" # cluster or namespace + namespace: "spinkube" # Specify the namespace the extension will install into. This property is required when defaultScope field value is chosen as 'cluster' \ No newline at end of file
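Review bot: `registryServer: "TODO.azurecr.io"` is a placeholder that would ship with the offer as written; since the Marketplace tooling uses this value to locate the mirrored images, it should either be set to the real ACR host before merge or be called out in marketplace/README.md as a required pre-publish step, and the `version: 1.0.0` field is annotated with `#Must be in the format of #.#.#` which reads better as `  # must be in the format #.#.#` (two spaces before the hash, one after). The `namespace: "spinkube"` comment states the property is required when `defaultScope` is `cluster`, which matches the value set here.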