| Giorgi Lekveishvili | 4ec4c02 | 2024-08-17 15:09:24 +0400 | [diff] [blame] | 1 | # cert-manager |
| 2 | |
| 3 | cert-manager is a Kubernetes addon to automate the management and issuance of |
| 4 | TLS certificates from various issuing sources. |
| 5 | |
| 6 | It will ensure certificates are valid and up to date periodically, and attempt |
| 7 | to renew certificates at an appropriate time before expiry. |
| 8 | |
| 9 | ## Prerequisites |
| 10 | |
| 11 | - Kubernetes 1.20+ |
| 12 | |
| 13 | ## Installing the Chart |
| 14 | |
| 15 | Full installation instructions, including details on how to configure extra |
| 16 | functionality in cert-manager can be found in the [installation docs](https://cert-manager.io/docs/installation/kubernetes/). |
| 17 | |
| 18 | Before installing the chart, you must first install the cert-manager CustomResourceDefinition resources. |
| 19 | This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources. |
| 20 | |
| 21 | ```bash |
| 22 | $ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.2/cert-manager.crds.yaml |
| 23 | ``` |
| 24 | |
| 25 | To install the chart with the release name `my-release`: |
| 26 | |
| 27 | ```console |
| 28 | ## Add the Jetstack Helm repository |
| 29 | $ helm repo add jetstack https://charts.jetstack.io |
| 30 | |
| 31 | ## Install the cert-manager helm chart |
| 32 | $ helm install my-release --namespace cert-manager --version v1.12.2 jetstack/cert-manager |
| 33 | ``` |
| 34 | |
| 35 | In order to begin issuing certificates, you will need to set up a ClusterIssuer |
| 36 | or Issuer resource (for example, by creating a 'letsencrypt-staging' issuer). |
| 37 | |
| 38 | More information on the different types of issuers and how to configure them |
| 39 | can be found in [our documentation](https://cert-manager.io/docs/configuration/). |
| 40 | |
| 41 | For information on how to configure cert-manager to automatically provision |
| 42 | Certificates for Ingress resources, take a look at the |
| 43 | [Securing Ingresses documentation](https://cert-manager.io/docs/usage/ingress/). |
| 44 | |
| 45 | > **Tip**: List all releases using `helm list` |
| 46 | |
| 47 | ## Upgrading the Chart |
| 48 | |
| 49 | Special considerations may be required when upgrading the Helm chart, and these |
| 50 | are documented in our full [upgrading guide](https://cert-manager.io/docs/installation/upgrading/). |
| 51 | |
| 52 | **Please check here before performing upgrades!** |
| 53 | |
| 54 | ## Uninstalling the Chart |
| 55 | |
| 56 | To uninstall/delete the `my-release` deployment: |
| 57 | |
| 58 | ```console |
| 59 | $ helm delete my-release |
| 60 | ``` |
| 61 | |
| 62 | The command removes all the Kubernetes components associated with the chart and deletes the release. |
| 63 | |
| 64 | If you want to completely uninstall cert-manager from your cluster, you will also need to |
| 65 | delete the previously installed CustomResourceDefinition resources: |
| 66 | |
| 67 | ```console |
| 68 | $ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.2/cert-manager.crds.yaml |
| 69 | ``` |
| 70 | |
| 71 | ## Configuration |
| 72 | |
| 73 | The following table lists the configurable parameters of the cert-manager chart and their default values. |
| 74 | |
| 75 | | Parameter | Description | Default | |
| 76 | | --------- | ----------- | ------- | |
| 77 | | `global.imagePullSecrets` | Reference to one or more secrets to be used when pulling images | `[]` | |
| 78 | | `global.commonLabels` | Labels to apply to all resources | `{}` | |
| 79 | | `global.rbac.create` | If `true`, create and use RBAC resources (includes sub-charts) | `true` | |
| 80 | | `global.priorityClassName`| Priority class name for cert-manager and webhook pods | `""` | |
| 81 | | `global.podSecurityPolicy.enabled` | If `true`, create and use PodSecurityPolicy (includes sub-charts) | `false` | |
| 82 | | `global.podSecurityPolicy.useAppArmor` | If `true`, use Apparmor seccomp profile in PSP | `true` | |
| 83 | | `global.leaderElection.namespace` | Override the namespace used to store the ConfigMap for leader election | `kube-system` | |
| 84 | | `global.leaderElection.leaseDuration` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate | | |
| 85 | | `global.leaderElection.renewDeadline` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration | | |
| 86 | | `global.leaderElection.retryPeriod` | The duration the clients should wait between attempting acquisition and renewal of a leadership | | |
| 87 | | `installCRDs` | If true, CRD resources will be installed as part of the Helm chart. If enabled, when uninstalling CRD resources will be deleted causing all installed custom resources to be DELETED | `false` | |
| 88 | | `image.repository` | Image repository | `quay.io/jetstack/cert-manager-controller` | |
| 89 | | `image.tag` | Image tag | `v1.12.2` | |
| 90 | | `image.pullPolicy` | Image pull policy | `IfNotPresent` | |
| 91 | | `replicaCount` | Number of cert-manager replicas | `1` | |
| 92 | | `clusterResourceNamespace` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources | Same namespace as cert-manager pod | |
| 93 | | `featureGates` | Set of comma-separated key=value pairs that describe feature gates on the controller. Some feature gates may also have to be enabled on other components, and can be set supplying the `feature-gate` flag to `<component>.extraArgs` | `` | |
| 94 | | `extraArgs` | Optional flags for cert-manager | `[]` | |
| 95 | | `extraEnv` | Optional environment variables for cert-manager | `[]` | |
| 96 | | `serviceAccount.create` | If `true`, create a new service account | `true` | |
| 97 | | `serviceAccount.name` | Service account to be used. If not set and `serviceAccount.create` is `true`, a name is generated using the fullname template | | |
| 98 | | `serviceAccount.annotations` | Annotations to add to the service account | | |
| 99 | | `serviceAccount.automountServiceAccountToken` | Automount API credentials for the Service Account | `true` | |
| 100 | | `volumes` | Optional volumes for cert-manager | `[]` | |
| 101 | | `volumeMounts` | Optional volume mounts for cert-manager | `[]` | |
| 102 | | `resources` | CPU/memory resource requests/limits | `{}` | |
| 103 | | `securityContext` | Security context for the controller pod assignment | refer to [Default Security Contexts](#default-security-contexts) | |
| 104 | | `containerSecurityContext` | Security context to be set on the controller component container | refer to [Default Security Contexts](#default-security-contexts) | |
| 105 | | `nodeSelector` | Node labels for pod assignment | `{}` | |
| 106 | | `affinity` | Node affinity for pod assignment | `{}` | |
| 107 | | `tolerations` | Node tolerations for pod assignment | `[]` | |
| 108 | | `topologySpreadConstraints` | Topology spread constraints for pod assignment | `[]` | |
| 109 | | `livenessProbe.enabled` | Enable or disable the liveness probe for the controller container in the controller Pod. See https://cert-manager.io/docs/installation/best-practice/ to learn about when you might want to enable this livenss probe. | `false` | |
| 110 | | `livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `10` | |
| 111 | | `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | |
| 112 | | `livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `10` | |
| 113 | | `livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | |
| 114 | | `livenessProbe.successThreshold` | The liveness probe success threshold | `1` | |
| 115 | | `livenessProbe.failureThreshold` | The liveness probe failure threshold | `8` | |
| 116 | | `ingressShim.defaultIssuerName` | Optional default issuer to use for ingress resources | | |
| 117 | | `ingressShim.defaultIssuerKind` | Optional default issuer kind to use for ingress resources | | |
| 118 | | `ingressShim.defaultIssuerGroup` | Optional default issuer group to use for ingress resources | | |
| 119 | | `prometheus.enabled` | Enable Prometheus monitoring | `true` | |
| 120 | | `prometheus.servicemonitor.enabled` | Enable Prometheus Operator ServiceMonitor monitoring | `false` | |
| 121 | | `prometheus.servicemonitor.namespace` | Define namespace where to deploy the ServiceMonitor resource | (namespace where you are deploying) | |
| 122 | | `prometheus.servicemonitor.prometheusInstance` | Prometheus Instance definition | `default` | |
| 123 | | `prometheus.servicemonitor.targetPort` | Prometheus scrape port | `9402` | |
| 124 | | `prometheus.servicemonitor.path` | Prometheus scrape path | `/metrics` | |
| 125 | | `prometheus.servicemonitor.interval` | Prometheus scrape interval | `60s` | |
| 126 | | `prometheus.servicemonitor.labels` | Add custom labels to ServiceMonitor | | |
| 127 | | `prometheus.servicemonitor.scrapeTimeout` | Prometheus scrape timeout | `30s` | |
| 128 | | `prometheus.servicemonitor.honorLabels` | Enable label honoring for metrics scraped by Prometheus (see [Prometheus scrape config docs](https://prometheus.io/docs/prometheus/latest/configuration/configuration/#scrape_config) for details). By setting `honorLabels` to `true`, Prometheus will prefer label contents given by cert-manager on conflicts. Can be used to remove the "exported_namespace" label for example. | `false` | |
| 129 | | `podAnnotations` | Annotations to add to the cert-manager pod | `{}` | |
| 130 | | `deploymentAnnotations` | Annotations to add to the cert-manager deployment | `{}` | |
| 131 | | `podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | |
| 132 | | `podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | |
| 133 | | `podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | |
| 134 | | `podDnsPolicy` | Optional cert-manager pod [DNS policy](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-policy) | | |
| 135 | | `podDnsConfig` | Optional cert-manager pod [DNS configurations](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pods-dns-config) | | |
| 136 | | `podLabels` | Labels to add to the cert-manager pod | `{}` | |
| 137 | | `serviceLabels` | Labels to add to the cert-manager controller service | `{}` | |
| 138 | | `serviceAnnotations` | Annotations to add to the cert-manager service | `{}` | |
| 139 | | `http_proxy` | Value of the `HTTP_PROXY` environment variable in the cert-manager pod | | |
| 140 | | `https_proxy` | Value of the `HTTPS_PROXY` environment variable in the cert-manager pod | | |
| 141 | | `no_proxy` | Value of the `NO_PROXY` environment variable in the cert-manager pod | | |
| 142 | | `dns01RecursiveNameservers` | Comma separated string with host and port of the recursive nameservers cert-manager should query | `` | |
| 143 | | `dns01RecursiveNameserversOnly` | Forces cert-manager to only use the recursive nameservers for verification. | `false` | |
| 144 | | `enableCertificateOwnerRef` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted | `false` | |
| 145 | | `webhook.replicaCount` | Number of cert-manager webhook replicas | `1` | |
| 146 | | `webhook.timeoutSeconds` | Seconds the API server should wait the webhook to respond before treating the call as a failure. | `10` | |
| 147 | | `webhook.podAnnotations` | Annotations to add to the webhook pods | `{}` | |
| 148 | | `webhook.podLabels` | Labels to add to the cert-manager webhook pod | `{}` | |
| 149 | | `webhook.serviceLabels` | Labels to add to the cert-manager webhook service | `{}` | |
| 150 | | `webhook.deploymentAnnotations` | Annotations to add to the webhook deployment | `{}` | |
| 151 | | `webhook.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | |
| 152 | | `webhook.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | |
| 153 | | `webhook.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | |
| 154 | | `webhook.mutatingWebhookConfigurationAnnotations` | Annotations to add to the mutating webhook configuration | `{}` | |
| 155 | | `webhook.validatingWebhookConfigurationAnnotations` | Annotations to add to the validating webhook configuration | `{}` | |
| 156 | | `webhook.serviceAnnotations` | Annotations to add to the webhook service | `{}` | |
| 157 | | `webhook.config` | WebhookConfiguration YAML used to configure flags for the webhook. Generates a ConfigMap containing contents of the field. See `values.yaml` for example. | `{}` | |
| 158 | | `webhook.extraArgs` | Optional flags for cert-manager webhook component | `[]` | |
| 159 | | `webhook.serviceAccount.create` | If `true`, create a new service account for the webhook component | `true` | |
| 160 | | `webhook.serviceAccount.name` | Service account for the webhook component to be used. If not set and `webhook.serviceAccount.create` is `true`, a name is generated using the fullname template | | |
| 161 | | `webhook.serviceAccount.annotations` | Annotations to add to the service account for the webhook component | | |
| 162 | | `webhook.serviceAccount.automountServiceAccountToken` | Automount API credentials for the webhook Service Account | | |
| 163 | | `webhook.resources` | CPU/memory resource requests/limits for the webhook pods | `{}` | |
| 164 | | `webhook.nodeSelector` | Node labels for webhook pod assignment | `{}` | |
| 165 | | `webhook.networkPolicy.enabled` | Enable default network policies for webhooks egress and ingress traffic | `false` | |
| 166 | | `webhook.networkPolicy.ingress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` | |
| 167 | | `webhook.networkPolicy.egress` | Sets ingress policy block. See NetworkPolicy documentation. See `values.yaml` for example. | `{}` | |
| 168 | | `webhook.affinity` | Node affinity for webhook pod assignment | `{}` | |
| 169 | | `webhook.tolerations` | Node tolerations for webhook pod assignment | `[]` | |
| 170 | | `webhook.topologySpreadConstraints` | Topology spread constraints for webhook pod assignment | `[]` | |
| 171 | | `webhook.image.repository` | Webhook image repository | `quay.io/jetstack/cert-manager-webhook` | |
| 172 | | `webhook.image.tag` | Webhook image tag | `v1.12.2` | |
| 173 | | `webhook.image.pullPolicy` | Webhook image pull policy | `IfNotPresent` | |
| 174 | | `webhook.securePort` | The port that the webhook should listen on for requests. | `10250` | |
| 175 | | `webhook.securityContext` | Security context for webhook pod assignment | refer to [Default Security Contexts](#default-security-contexts) | |
| 176 | | `webhook.containerSecurityContext` | Security context to be set on the webhook component container | refer to [Default Security Contexts](#default-security-contexts) | |
| 177 | | `webhook.hostNetwork` | If `true`, run the Webhook on the host network. | `false` | |
| 178 | | `webhook.serviceType` | The type of the `Service`. | `ClusterIP` | |
| 179 | | `webhook.loadBalancerIP` | The specific load balancer IP to use (when `serviceType` is `LoadBalancer`). | | |
| 180 | | `webhook.url.host` | The host to use to reach the webhook, instead of using internal cluster DNS for the service. | | |
| 181 | | `webhook.livenessProbe.failureThreshold` | The liveness probe failure threshold | `3` | |
| 182 | | `webhook.livenessProbe.initialDelaySeconds` | The liveness probe initial delay (in seconds) | `60` | |
| 183 | | `webhook.livenessProbe.periodSeconds` | The liveness probe period (in seconds) | `10` | |
| 184 | | `webhook.livenessProbe.successThreshold` | The liveness probe success threshold | `1` | |
| 185 | | `webhook.livenessProbe.timeoutSeconds` | The liveness probe timeout (in seconds) | `1` | |
| 186 | | `webhook.readinessProbe.failureThreshold` | The readiness probe failure threshold | `3` | |
| 187 | | `webhook.readinessProbe.initialDelaySeconds` | The readiness probe initial delay (in seconds) | `5` | |
| 188 | | `webhook.readinessProbe.periodSeconds` | The readiness probe period (in seconds) | `5` | |
| 189 | | `webhook.readinessProbe.successThreshold` | The readiness probe success threshold | `1` | |
| 190 | | `webhook.readinessProbe.timeoutSeconds` | The readiness probe timeout (in seconds) | `1` | |
| 191 | | `cainjector.enabled` | Toggles whether the cainjector component should be installed (required for the webhook component to work) | `true` | |
| 192 | | `cainjector.replicaCount` | Number of cert-manager cainjector replicas | `1` | |
| 193 | | `cainjector.podAnnotations` | Annotations to add to the cainjector pods | `{}` | |
| 194 | | `cainjector.podLabels` | Labels to add to the cert-manager cainjector pod | `{}` | |
| 195 | | `cainjector.deploymentAnnotations` | Annotations to add to the cainjector deployment | `{}` | |
| 196 | | `cainjector.podDisruptionBudget.enabled` | Adds a PodDisruptionBudget for the cert-manager deployment | `false` | |
| 197 | | `cainjector.podDisruptionBudget.minAvailable` | Configures the minimum available pods for voluntary disruptions. Cannot used if `maxUnavailable` is set. | `1` | |
| 198 | | `cainjector.podDisruptionBudget.maxUnavailable` | Configures the maximum unavailable pods for voluntary disruptions. Cannot used if `minAvailable` is set. | | |
| 199 | | `cainjector.extraArgs` | Optional flags for cert-manager cainjector component | `[]` | |
| 200 | | `cainjector.serviceAccount.create` | If `true`, create a new service account for the cainjector component | `true` | |
| 201 | | `cainjector.serviceAccount.name` | Service account for the cainjector component to be used. If not set and `cainjector.serviceAccount.create` is `true`, a name is generated using the fullname template | | |
| 202 | | `cainjector.serviceAccount.annotations` | Annotations to add to the service account for the cainjector component | | |
| 203 | | `cainjector.serviceAccount.automountServiceAccountToken` | Automount API credentials for the cainjector Service Account | `true` | |
| 204 | | `cainjector.resources` | CPU/memory resource requests/limits for the cainjector pods | `{}` | |
| 205 | | `cainjector.nodeSelector` | Node labels for cainjector pod assignment | `{}` | |
| 206 | | `cainjector.affinity` | Node affinity for cainjector pod assignment | `{}` | |
| 207 | | `cainjector.tolerations` | Node tolerations for cainjector pod assignment | `[]` | |
| 208 | | `cainjector.topologySpreadConstraints` | Topology spread constraints for cainjector pod assignment | `[]` | |
| 209 | | `cainjector.image.repository` | cainjector image repository | `quay.io/jetstack/cert-manager-cainjector` | |
| 210 | | `cainjector.image.tag` | cainjector image tag | `v1.12.2` | |
| 211 | | `cainjector.image.pullPolicy` | cainjector image pull policy | `IfNotPresent` | |
| 212 | | `cainjector.securityContext` | Security context for cainjector pod assignment | refer to [Default Security Contexts](#default-security-contexts) | |
| 213 | | `cainjector.containerSecurityContext` | Security context to be set on cainjector component container | refer to [Default Security Contexts](#default-security-contexts) | |
| 214 | | `acmesolver.image.repository` | acmesolver image repository | `quay.io/jetstack/cert-manager-acmesolver` | |
| 215 | | `acmesolver.image.tag` | acmesolver image tag | `v1.12.2` | |
| 216 | | `acmesolver.image.pullPolicy` | acmesolver image pull policy | `IfNotPresent` | |
| 217 | | `startupapicheck.enabled` | Toggles whether the startupapicheck Job should be installed | `true` | |
| 218 | | `startupapicheck.securityContext` | Security context for startupapicheck pod assignment | refer to [Default Security Contexts](#default-security-contexts) | |
| 219 | | `startupapicheck.containerSecurityContext` | Security context to be set on startupapicheck component container | refer to [Default Security Contexts](#default-security-contexts) | |
| 220 | | `startupapicheck.timeout` | Timeout for 'kubectl check api' command | `1m` | |
| 221 | | `startupapicheck.backoffLimit` | Job backoffLimit | `4` | |
| 222 | | `startupapicheck.jobAnnotations` | Optional additional annotations to add to the startupapicheck Job | `{}` | |
| 223 | | `startupapicheck.podAnnotations` | Optional additional annotations to add to the startupapicheck Pods | `{}` | |
| 224 | | `startupapicheck.extraArgs` | Optional additional arguments for startupapicheck | `[]` | |
| 225 | | `startupapicheck.resources` | CPU/memory resource requests/limits for the startupapicheck pod | `{}` | |
| 226 | | `startupapicheck.nodeSelector` | Node labels for startupapicheck pod assignment | `{}` | |
| 227 | | `startupapicheck.affinity` | Node affinity for startupapicheck pod assignment | `{}` | |
| 228 | | `startupapicheck.tolerations` | Node tolerations for startupapicheck pod assignment | `[]` | |
| 229 | | `startupapicheck.podLabels` | Optional additional labels to add to the startupapicheck Pods | `{}` | |
| 230 | | `startupapicheck.image.repository` | startupapicheck image repository | `quay.io/jetstack/cert-manager-ctl` | |
| 231 | | `startupapicheck.image.tag` | startupapicheck image tag | `v1.12.2` | |
| 232 | | `startupapicheck.image.pullPolicy` | startupapicheck image pull policy | `IfNotPresent` | |
| 233 | | `startupapicheck.serviceAccount.create` | If `true`, create a new service account for the startupapicheck component | `true` | |
| 234 | | `startupapicheck.serviceAccount.name` | Service account for the startupapicheck component to be used. If not set and `startupapicheck.serviceAccount.create` is `true`, a name is generated using the fullname template | | |
| 235 | | `startupapicheck.serviceAccount.annotations` | Annotations to add to the service account for the startupapicheck component | | |
| 236 | | `startupapicheck.serviceAccount.automountServiceAccountToken` | Automount API credentials for the startupapicheck Service Account | `true` | |
| 237 | | `maxConcurrentChallenges` | The maximum number of challenges that can be scheduled as 'processing' at once | `60` | |
| 238 | |
| 239 | ### Default Security Contexts |
| 240 | |
| 241 | The default pod-level and container-level security contexts, below, adhere to the [restricted](https://kubernetes.io/docs/concepts/security/pod-security-standards/#restricted) Pod Security Standards policies. |
| 242 | |
| 243 | Default pod-level securityContext: |
| 244 | ```yaml |
| 245 | runAsNonRoot: true |
| 246 | seccompProfile: |
| 247 | type: RuntimeDefault |
| 248 | ``` |
| 249 | |
| 250 | Default containerSecurityContext: |
| 251 | ```yaml |
| 252 | allowPrivilegeEscalation: false |
| 253 | capabilities: |
| 254 | drop: |
| 255 | - ALL |
| 256 | ``` |
| 257 | |
| 258 | ### Assigning Values |
| 259 | |
| 260 | Specify each parameter using the `--set key=value[,key=value]` argument to `helm install`. |
| 261 | |
| 262 | Alternatively, a YAML file that specifies the values for the above parameters can be provided while installing the chart. For example, |
| 263 | |
| 264 | ```console |
| 265 | $ helm install my-release -f values.yaml . |
| 266 | ``` |
| 267 | > **Tip**: You can use the default [values.yaml](https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml) |
| 268 | |
| 269 | ## Contributing |
| 270 | |
| 271 | This chart is maintained at [github.com/cert-manager/cert-manager](https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager). |