blob: 8507a8a3453795e0eebaf4ca4af828a85dd02c51 [file] [log] [blame] [view]
Giorgi Lekveishvili4ec4c022024-08-17 15:09:24 +04001# cert-manager
2
3cert-manager is a Kubernetes addon to automate the management and issuance of
4TLS certificates from various issuing sources.
5
6It will ensure certificates are valid and up to date periodically, and attempt
7to renew certificates at an appropriate time before expiry.
8
9## Prerequisites
10
11- Kubernetes 1.20+
12
13## Installing the Chart
14
15Full installation instructions, including details on how to configure extra
16functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/).
17
18Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources.
19This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
20
21```bash
22$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.2/cert-manager.crds.yaml
23```
24
25To install the chart with the release name `my-release`:
26
27```console
28## Add the Jetstack Helm repository
29$ helm repo add jetstack https://charts.jetstack.io
30
31## Install the cert-manager helm chart
32$ helm install my-release --namespace cert-manager --version v1.12.2 jetstack/cert-manager
33```
34
35In order to begin issuing certificates, you will need to set up a ClusterIssuer
36or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer).
37
38More information on the different types of issuers and how to configure them
39can be found in [our documentation](https://cert-manager.io/docs/configuration/).
40
41For information on how to configure cert-manager to automatically provision
42Certificates for Ingress resources, take a look at the
43[Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/).
44
45> **Tip**: List all releases using `helm list`
46
47## Upgrading the Chart
48
49Special considerations may be required when upgrading the Helm chart, and these
50are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/).
51
52**Please check here before performing upgrades!**
53
54## Uninstalling the Chart
55
56To uninstall/delete the `my-release` deployment:
57
58```console
59$ helm delete my-release
60```
61
62The command removes all the Kubernetes components associated with the chart and deletes the release.
63
64If you want to completely uninstall cert-manager from your cluster, you will also need to
65delete the previously installed CustomResourceDefinition resources:
66
67```console
68$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.2/cert-manager.crds.yaml
69```
70
71## Configuration
72
73The following table lists the configurable parameters of the cert-manager chart and their default values.
74
75| Parameter | Description | Default |
76| --------- | ----------- | ------- |
77| `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` |
78| `global.commonLabels` | Labels to apply to all resources | `{}` |
79| `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` |
80| `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` |
81| `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` |
82| `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` |
83| `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` |
84| `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | |
85| `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | |
86| `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | |
87| `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` |
88| `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` |
89| `image.tag` | Image tag | `v1.12.2` |
90| `image.pullPolicy` | Image pull policy | `IfNotPresent` |
91| `replicaCount` | Number of cert-manager replicas | `1` |
92| `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod |
93| `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` |
94| `extraArgs` | Optional flags for cert-manager | `[]` |
95| `extraEnv` | Optional environment variables for cert-manager | `[]` |
96| `serviceAccount.create` | If `true`, create a new service account | `true` |
97| `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | |
98| `serviceAccount.annotations` | Annotations to add to the service account | |
99| `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` |
100| `volumes` | Optional volumes for cert-manager | `[]` |
101| `volumeMounts` | Optional volume mounts for cert-manager | `[]` |
102| `resources` | CPU/memory resource requests/limits | `{}` |
103| `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
104| `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) |
105| `nodeSelector` | Node labels for pod assignment | `{}` |
106| `affinity` | Node affinity for pod assignment | `{}` |
107| `tolerations` | Node tolerations for pod assignment | `[]` |
108| `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` |
109| `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. | `false` |
110| `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` |
111| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
112| `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` |
113| `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
114| `livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
115| `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` |
116| `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | |
117| `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | |
118| `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | |
119| `prometheus.enabled` | Enable Prometheus monitoring | `true` |
120| `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` |
121| `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) |
122| `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` |
123| `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` |
124| `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` |
125| `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` |
126| `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | |
127| `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` |
128| `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` |
129| `podAnnotations` | Annotations to add to the cert-manager pod | `{}` |
130| `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` |
131| `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
132| `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
133| `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
134| `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | |
135| `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | |
136| `podLabels` | Labels to add to the cert-manager pod | `{}` |
137| `serviceLabels` | Labels to add to the cert-manager controller service | `{}` |
138| `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` |
139| `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | |
140| `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | |
141| `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | |
142| `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` |
143| `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` |
144| `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` |
145| `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` |
146| `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` |
147| `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` |
148| `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` |
149| `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` |
150| `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` |
151| `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
152| `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
153| `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
154| `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` |
155| `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` |
156| `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` |
157| `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` |
158| `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` |
159| `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` |
160| `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | |
161| `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | |
162| `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | |
163| `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` |
164| `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` |
165| `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` |
166| `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
167| `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` |
168| `webhook.affinity` | Node affinity for webhook pod assignment | `{}` |
169| `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` |
170| `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` |
171| `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` |
172| `webhook.image.tag` | Webhook image tag | `v1.12.2` |
173| `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` |
174| `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` |
175| `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
176| `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) |
177| `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` |
178| `webhook.serviceType` | The type of the `Service`. | `ClusterIP` |
179| `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | |
180| `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | |
181| `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` |
182| `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` |
183| `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` |
184| `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` |
185| `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` |
186| `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` |
187| `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` |
188| `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` |
189| `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` |
190| `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` |
191| `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` |
192| `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` |
193| `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` |
194| `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` |
195| `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` |
196| `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` |
197| `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` |
198| `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | |
199| `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` |
200| `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` |
201| `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | |
202| `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | |
203| `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` |
204| `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` |
205| `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` |
206| `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` |
207| `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` |
208| `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` |
209| `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` |
210| `cainjector.image.tag` | cainjector image tag | `v1.12.2` |
211| `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` |
212| `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
213| `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) |
214| `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` |
215| `acmesolver.image.tag` | acmesolver image tag | `v1.12.2` |
216| `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` |
217| `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` |
218| `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) |
219| `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) |
220| `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` |
221| `startupapicheck.backoffLimit` | Job backoffLimit | `4` |
222| `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` |
223| `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` |
224| `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` |
225| `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` |
226| `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` |
227| `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` |
228| `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` |
229| `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` |
230| `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` |
231| `startupapicheck.image.tag` | startupapicheck image tag | `v1.12.2` |
232| `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` |
233| `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` |
234| `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | |
235| `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | |
236| `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` |
237| `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` |
238
239### Default Security Contexts
240
241The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies.
242
243Default pod-level securityContext:
244```yaml
245runAsNonRoot: true
246seccompProfile:
247 type: RuntimeDefault
248```
249
250Default containerSecurityContext:
251```yaml
252allowPrivilegeEscalation: false
253capabilities:
254 drop:
255 - ALL
256```
257
258### Assigning Values
259
260Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`.
261
262Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example,
263
264```console
265$ helm install my-release -f values.yaml .
266```
267> **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml)
268
269## Contributing
270
271This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager).