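# nameOverride replaces the name of the chart in the Chart.yaml file when this
# is used to construct Kubernetes object names.
# +docs:property
# nameOverride: istio-csr

# The number of replicas of istio-csr to run.
replicaCount: 1

image:
  # Target image registry. This value is prepended to the target image repository, if set.
  # For example:
  #   registry: quay.io
  #   repository: jetstack/cert-manager-istio-csr
  # +docs:property
  # registry: quay.io

  # Target image repository.
  repository: chainreg.biz/chainguard-private/cert-manager-istio-csr

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion is used.
  # +docs:property
  # tag: vX.Y.Z

  # Target image digest. Override any tag, if set.
  # For example:
  #   digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
  # +docs:property
  # digest: sha256:...

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent
  # NOTE: "latest" is a mutable tag. It is effectively a label here because
  # `digest` below is set and, per its documentation above, takes precedence
  # over any tag; clearing `digest` would make the deployed image float.
  tag: latest
  # Pins the deployed image to an immutable content digest (overrides `tag`).
  digest: sha256:85c84bde51371aa17bcb0744af3aacf9aa0d362d5c009e80333e33c30418dd70

# Optional secrets used for pulling the istio-csr container image.
imagePullSecrets: []

service:
  # Service type to expose the istio-csr gRPC service.
  type: ClusterIP
  # Service port to expose the istio-csr gRPC service.
  port: 443
  # Service nodePort to expose the istio-csr gRPC service.
  # +docs:type=number
  # +docs:property
  # nodePort:

app:
  # Verbosity of istio-csr logging.
  logLevel: 1 # 1-5
  # Output format of istio-csr logging.
  logFormat: text # text or json

  metrics:
    # Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
    port: 9402
    # Service to expose metrics endpoint.
    service:
      # Create a Service resource to expose the metrics endpoint.
      enabled: true
      # Service type to expose metrics.
      type: ClusterIP
      # The ServiceMonitor resource for this Service.
      servicemonitor:
        # Create a Prometheus ServiceMonitor resource.
        enabled: false
        # The value for the "prometheus" label on the ServiceMonitor. This allows
        # for multiple Prometheus instances selecting different ServiceMonitors
        # using label selectors.
        prometheusInstance: default
        # The interval at which Prometheus will scrape for metrics.
        interval: 10s
        # The timeout on each metric probe request.
        scrapeTimeout: 5s
        # Additional labels to give the ServiceMonitor resource.
        labels: {}

  # DEPRECATED: moved to app.runtimeConfiguration.name
  #
  # Name of a ConfigMap in the installation namespace to watch, providing
  # runtime configuration of an issuer to use.
  #
  # The "issuer-name", "issuer-kind" and "issuer-group" keys must be present in
  # the ConfigMap for it to be used.
  #
  # +docs:hidden
  runtimeIssuanceConfigMap: ""

  runtimeConfiguration:
    # Create the runtime-configuration ConfigMap.
    create: false
    # Name of a ConfigMap in the installation namespace to watch, providing
    # runtime configuration of an issuer to use.
    #
    # If create is set to true, then this name is used to create the ConfigMap,
    # otherwise the ConfigMap must exist, and the "issuer-name", "issuer-kind"
    # and "issuer-group" keys must be present in it.
    name: ""

    issuer:
      # Issuer name set on created CertificateRequests for both istio-csr's
      # serving certificate and incoming gRPC CSRs.
      name: istio-ca
      # Issuer kind set on created CertificateRequests for both istio-csr's
      # serving certificate and incoming gRPC CSRs.
      kind: Issuer
      # Issuer group name set on created CertificateRequests for both
      # istio-csr's serving certificate and incoming gRPC CSRs.
      group: cert-manager.io

  readinessProbe:
    # Container port to expose the istio-csr HTTP readiness probe on the default network interface.
    port: 6060
    # Path to expose the istio-csr HTTP readiness probe on the default network interface.
    path: "/readyz"

  certmanager:
    # Namespace to create CertificateRequests for both istio-csr's serving
    # certificate and incoming gRPC CSRs.
    namespace: istio-system
    # Don't delete created CertificateRequests once they have been signed.
    # WARNING: Do not enable this option in production, or environments with
    # any non-trivial number of workloads for an extended period of time. Doing
    # so will balloon the resource consumption of both ETCD and the API server,
    # leading to errors and slow down. This option is intended for debugging
    # purposes only, for limited periods of time.
    preserveCertificateRequests: false
    # Additional annotations to include on certificate requests.
    # Takes key/value pairs in the format:
    #   additionalAnnotations:
    #   - name: custom.cert-manager.io/policy-name
    #     value: istio-csr
    additionalAnnotations: []

    issuer:
      # Enable the default issuer, this is the issuer used when no runtime
      # configuration is provided.
      #
      # When enabled, the istio-csr Pod will not be "Ready" until the issuer
      # has been used to issue the istio-csr GRPC certificate.
      #
      # For istio-csr to function, either this or runtime configuration must be
      # enabled.
      enabled: true
      # Issuer name set on created CertificateRequests for both istio-csr's
      # serving certificate and incoming gRPC CSRs.
      name: istio-ca
      # Issuer kind set on created CertificateRequests for both istio-csr's
      # serving certificate and incoming gRPC CSRs.
      kind: Issuer
      # Issuer group name set on created CertificateRequests for both
      # istio-csr's serving certificate and incoming gRPC CSRs.
      group: cert-manager.io

  tls:
    # The Istio cluster's trust domain.
    trustDomain: "cluster.local"
    # An optional file location to a PEM encoded root CA that the root CA
    # ConfigMap in all namespaces will be populated with. If empty, the CA
    # returned from cert-manager for the serving certificate will be used.
    # NOTE: the bare value below parses as YAML null, which is the "empty"
    # case described above; set a path string (see the commented example)
    # to distribute a different root.
    rootCAFile: # /var/certs/ca.pem
    # The DNS names to request for the server's serving certificate which is
    # presented to istio-agents. istio-agents must route to istio-csr using one
    # of these DNS names.
    certificateDNSNames:
      - cert-manager-istio-csr.cert-manager.svc
    # Requested duration of the gRPC serving certificate. Will be automatically
    # renewed.
    # Based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
    certificateDuration: 1h
    # If true, create the istiod certificate using a cert-manager certificate as part
    # of the install. If set to "dynamic", will create the cert dynamically when
    # istio-csr pods start up. If false, no cert is created.
    # +docs:type=boolean,string,null
    istiodCertificateEnable: true
    # Requested duration of istio's Certificate. Will be automatically renewed.
    # Default is based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
    # Warning: cert-manager does not allow a duration on Certificates less than 1 hour.
    istiodCertificateDuration: 1h
    # Amount of time to wait before trying to renew the istiod certificate.
    # Must be smaller than the certificate's duration.
    istiodCertificateRenewBefore: 30m
    # Private key algorithm to use. For backwards compatibility, defaults to the same value as app.server.serving.signatureAlgorithm
    istiodPrivateKeyAlgorithm: ""
    # Parameter for the istiod certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.
    istiodPrivateKeySize: 2048
    # Provide additional DNS names to request on the istiod certificate. Useful if istiod
    # should be accessible via multiple DNS names and/or outside of the cluster.
    istiodAdditionalDNSNames: []

  server:
    authenticators:
      # Enable the client certificate authenticator. This will allow workloads to use preexisting certificates to
      # authenticate with istio-csr when rotating their certificate.
      enableClientCert: false
    # The istio cluster ID to verify incoming CSRs.
    clusterID: "Kubernetes"
    # Maximum validity duration that can be requested for a certificate.
    # istio-csr will request a duration of the smaller of this value, and that of
    # the incoming gRPC CSR.
    # Based on [NIST 800-204A recommendations (SM-DR13)](https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-204A.pdf).
    maxCertificateDuration: 1h
    serving:
      # Container address to serve the istio-csr gRPC service.
      address: 0.0.0.0
      # Container port to serve the istio-csr gRPC service.
      port: 6443
      # Parameter for the serving certificate key. For RSA, must be a number of bits >= 2048. For ECDSA, can only be 256 or 384, corresponding to P-256 and P-384 respectively.
      certificateKeySize: 2048
      # The type of private key to generate for the serving certificate. Only RSA (default) and ECDSA are supported.
      # NB: This variable is named incorrectly; it controls private key algorithm, not signature algorithm.
      signatureAlgorithm: "RSA"
    # A comma-separated list of service accounts that are allowed to use node authentication for CSRs, e.g. "istio-system/ztunnel".
    caTrustedNodeAccounts: ""

  istio:
    # The istio revisions that are currently installed in the cluster.
    # Changing this field will modify the DNS names that will be requested for
    # the istiod certificate (if enabled).
    # The common name for the istiod certificate is hard coded to the `default` revision
    # DNS name.
    # Some issuers may require that the common name on certificates match one
    # of the DNS names. If 1. Your issuer has this constraint, and 2. You are
    # not using `default` as a revision, add the `default` revision here
    # anyway. The resulting certificate will include a DNS name that won't be
    # used, but will pass this constraint.
    revisions: ["default"]
    # The namespace where the istio control-plane is running.
    namespace: istio-system

  controller:
    leaderElectionNamespace: istio-system
    # If set, limit where istio-csr creates configmaps with root CA certificates. If unset, configmap created in ALL namespaces.
    # Example: maistra.io/member-of=istio-system
    # +docs:type=string
    # +docs:property
    # configmapNamespaceSelector:

    # Allows you to disable the default Kubernetes client rate limiter if
    # istio-csr is exceeding the default QPS (5) and Burst (10) limits.
    # For example, in large clusters with many Istio workloads, restarting the Pods may cause
    # istio-csr to send bursts of Kubernetes API requests that exceed the limits of
    # the default Kubernetes client rate limiter, and istio-csr will become slow to issue
    # certificates for your workloads.
    # Only disable client rate limiting if the Kubernetes API server supports
    # [API Priority and Fairness](https://kubernetes.io/docs/concepts/cluster-administration/flow-control/),
    # to avoid overloading the server.
    disableKubernetesClientRateLimiter: false

# Optional extra labels for deployment.
deploymentLabels: {}

# Optional extra annotations for deployment.
deploymentAnnotations: {}

# Optional extra labels for pod.
podLabels: {}

# Optional extra annotations for pod.
podAnnotations: {}

# Optional extra volumes. Useful for mounting custom root CAs.
#
# For example:
#   volumes:
#   - name: root-ca
#     secret:
#       secretName: root-cert
volumes: []

# Optional extra volume mounts. Useful for mounting custom root CAs.
#
# For example:
#   volumeMounts:
#   - name: root-ca
#     mountPath: /etc/tls
volumeMounts: []

# Kubernetes [pod resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
#
# For example:
#   resources:
#     limits:
#       cpu: 100m
#       memory: 128Mi
#     requests:
#       cpu: 100m
#       memory: 128Mi
resources: {}

# Kubernetes [security context](https://kubernetes.io/docs/tasks/configure-pod-container/security-context/).
#
# See the default values for an example.
# The defaults below forbid privilege escalation, use a read-only root
# filesystem, require a non-root user, drop all capabilities and select the
# runtime default seccomp profile. Which object (Pod or container) receives
# these fields is decided by the Deployment template, not visible here.
# +docs:property
securityContext:
  allowPrivilegeEscalation: false
  readOnlyRootFilesystem: true
  runAsNonRoot: true
  capabilities:
    drop:
      - ALL
  seccompProfile:
    type: RuntimeDefault

# Expects input structure as per [specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core).
#
# For example:
#   affinity:
#     nodeAffinity:
#      requiredDuringSchedulingIgnoredDuringExecution:
#        nodeSelectorTerms:
#        - matchExpressions:
#          - key: foo.bar.com/role
#            operator: In
#            values:
#            - master
affinity: {}

# Expects input structure as per [specification](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core).
#
# For example:
#   tolerations:
#   - key: foo.bar.com/role
#     operator: Equal
#     value: master
#     effect: NoSchedule
tolerations: []

# List of Kubernetes TopologySpreadConstraints. For more information, see [TopologySpreadConstraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
# For example:
#   topologySpreadConstraints:
#   - maxSkew: 2
#     topologyKey: topology.kubernetes.io/zone
#     whenUnsatisfiable: ScheduleAnyway
#     labelSelector:
#       matchLabels:
#         app.kubernetes.io/name: cert-manager-istio-csr
#         app.kubernetes.io/instance: istio-csr
topologySpreadConstraints: []

# Kubernetes node selector: node labels for pod assignment.
# +docs:property=nodeSelector
nodeSelector:
  kubernetes.io/os: linux

# Labels to apply to all resources.
commonLabels: {}

# Create resources alongside installing istio-csr, via Helm values. Can accept an array of YAML-formatted
# resources. Each array entry can include multiple YAML documents, separated by '---'.
#
# For example:
#   extraObjects:
#   - |
#     apiVersion: v1
#     kind: ConfigMap
#     metadata:
#       name: '{{ template "cert-manager-istio-csr.fullname" . }}-extra-configmap'
extraObjects: []

# Configures a disruption budget for istio-csr.
podDisruptionBudget:
  # Enable or disable the PodDisruptionBudget resource for istio-csr.
  enabled: false
  # This configures the minimum available pods for disruptions. It can either be set to
  # an integer (e.g., 1) or a percentage value (e.g., 25%).
  # It cannot be used if `maxUnavailable` is set.
  # +docs:property
  # +docs:type=string,integer
  # minAvailable: 0

  # This configures the maximum unavailable pods for disruptions. It can either be set to
  # an integer (e.g., 1) or a percentage value (e.g., 25%).
  # it cannot be used if `minAvailable` is set.
  # +docs:property
  # +docs:type=string,integer
  maxUnavailable: 1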

The trusted source for open source

Talk to an expert
PrivacyTerms

Product

Chainguard ContainersChainguard LibrariesChainguard VMsChainguard OS PackagesChainguard ActionsChainguard Agent SkillsIntegrationsPricing
© 2026 Chainguard, Inc. All Rights Reserved.
Chainguard® and the Chainguard logo are registered trademarks of Chainguard, Inc. in the United States and/or other countries.
The other respective trademarks mentioned on this page are owned by the respective companies and use of them does not imply any affiliation or endorsement.