trust-manager

Helm chart
Default values
```yaml
# +docs:section=Global
global:
  rbac:
    # Create required ClusterRoles, Roles, ClusterRoleBindings and RoleBindings for trust-manager.
    create: true

# +docs:section=CRDs
crds:
  # This option decides if the CRDs should be installed
  # as part of the Helm installation.
  enabled: true
  # This option makes it so that the "helm.sh/resource-policy": keep
  # annotation is added to the CRD. This will prevent Helm from uninstalling
  # the CRD when the Helm release is uninstalled.
  # WARNING: when the CRDs are removed, all cert-manager custom resources
  # (Certificates, Issuers, ...) will be removed too by the garbage collector.
  keep: true

# +docs:section=Trust Manager

# The number of replicas of trust-manager to run.
#
# For example:
#  Use integer to set a fixed number of replicas
#    replicaCount: 2
#
#  Use null, if you want to omit the replicas field and use the Kubernetes default value.
#    replicaCount: null
#
#  Use a string if you want to insert a variable for post-processing of the rendered template.
#    replicaCount: ${REPLICAS_OVERRIDE:=3}
#
# +docs:type=number,string,null
replicaCount: 1

# The number of old ReplicaSets to retain to allow rollback.
# This is used to control the number of old ReplicaSets that are retained to allow rollback.
# If set to 0, no old ReplicaSets are retained.
# +docs:type=number,null
revisionHistoryLimit: 10

nameOverride: ""

# The namespace to install trust-manager into.
# If not set, the namespace of the release is used.
# This is helpful when installing trust-manager as a chart dependency (sub chart).
namespace: ""

# For private docker registries, authentication is needed. Registry secrets are applied to the service account.
imagePullSecrets: []

# The container registry used for trust-manager images by default.
# This can include path prefixes (e.g. "artifactory.example.com/docker").
# +docs:property
imageRegistry: quay.io

# The repository namespace used for trust-manager images by default.
# Examples:
#   - jetstack
#   - cert-manager
# +docs:property
imageNamespace: jetstack

image:
  # Target image registry. This value is prepended to the target image repository, if set.
  # For example:
  #   registry: legacy.example.io
  # Deprecated: per-component registry prefix.
  #
  # If set, this value is *prepended* to the image repository that the chart would otherwise render.
  # This applies both when `image.repository` is set and when the repository is computed from
  # `imageRegistry` + `imageNamespace` + `image.name`.
  #
  # This can produce "double registry" style references such as
  # `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
  # `imageRegistry`/`imageNamespace` values.
  # +docs:property
  # registry: quay.io

  # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
  # and `image.name`).
  # Example: quay.io/jetstack/trust-manager
  # +docs:property
  repository: chainreg.biz/chainguard-private/trust-manager

  # The image name for trust-manager.
  # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
  # image reference.
  # +docs:property
  name: trust-manager

  # Override the image tag to deploy by setting this variable.
  # If no value is set, the chart's appVersion is used.
  # +docs:property
  # tag: vX.Y.Z

  # Target image digest. Override any tag, if set.
  # For example:
  #   digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
  # +docs:property
  # digest: sha256:...

  # Kubernetes imagePullPolicy on Deployment.
  pullPolicy: IfNotPresent
  tag: latest
  digest: sha256:9830eb5eb6e8a50ba2d57da218ce65aa3e127181aa2167d0600d22add5b576bf

defaultPackage:
  # Whether to load the default trust package during pod initialization, and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles.
  enabled: true

  # Kubernetes pod resource limits for default package init container.
  #
  # For example:
  #  resources:
  #    limits:
  #      cpu: 100m
  #      memory: 128Mi
  #    requests:
  #      cpu: 100m
  #      memory: 128Mi
  resources: {}

defaultPackageImage:
  # Target image registry. This value is prepended to the target image repository, if set.
  # For example:
  #   registry: quay.io
  #   repository: jetstack/cert-manager-package-debian
  # Deprecated: per-component registry prefix.
  #
  # If set, this value is *prepended* to the image repository that the chart would otherwise render.
  # This applies both when `image.repository` is set and when the repository is computed from
  # `imageRegistry` + `imageNamespace` + `image.name`.
  #
  # This can produce "double registry" style references such as
  # `legacy.example.io/quay.io/jetstack/...`. Prefer using the global
  # `imageRegistry`/`imageNamespace` values.
  # +docs:property
  # registry: quay.io

  # Full repository override (takes precedence over `imageRegistry`, `imageNamespace`,
  # and `image.name`).
  # Example: quay.io/jetstack/trust-manager
  # +docs:property
  repository: chainreg.biz/chainguard-private/cert-manager-package-12

  # The image name for trust-manager.
  # This is used (together with `imageRegistry` and `imageNamespace`) to construct the full
  # image reference.
  # +docs:property
  name: trust-pkg-debian-trixie

  # Override the image tag of the default package image.
  # Is set at chart build time to the version specified in ./make/00_debian_trixie_version.mk.
  # +docs:property
  # tag: vX.Y.Z

  # Target image digest. Override any tag, if set.
  # For example:
  #   digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
  # +docs:property
  # digest: sha256:...

  # WARNING: For internal use only, is overwritten before releasing the chart.
  # +docs:hidden
  _defaultReference: :20230311-deb12u1.7

  # imagePullPolicy for the default package image.
  pullPolicy: IfNotPresent
  tag: latest
  digest: sha256:9e551f7889283ebc07c64c92ed5415fed5f831f03d647b630c5f78c5912643f6

# Automounting API credentials for the trust-manager pod.
# +docs:property
automountServiceAccountToken: true

serviceAccount:
  # Specifies whether a service account should be created.
  create: true
  # The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template.
  # +docs:property
  # name: ""

  # Automount API credentials for a Service Account.
  # +docs:property
  automountServiceAccountToken: true

# Additional volumes to add to the trust-manager pod.
volumes: []

# Additional volume mounts to add to the trust-manager container.
volumeMounts: []

secretTargets:
  # If set to true, enable writing trust bundles to Kubernetes Secrets as a target.
  # trust-manager can only write to secrets which are explicitly allowed via either authorizedSecrets or authorizedSecretsAll.
  # Note that enabling secret targets will grant trust-manager read access to all secrets in the cluster.
  enabled: false
  # If set to true, grant read/write permission to all secrets across the cluster. Use with caution!
  # If set, ignores the authorizedSecrets list.
  authorizedSecretsAll: false
  # A list of secret names which trust-manager will be permitted to read and write across all namespaces.
  # These are the only allowable Secrets that can be used as targets. If the list is empty (and authorizedSecretsAll is false),
  # trust-manager can't write to secrets and can only read secrets in the trust namespace for use as sources.
  authorizedSecrets: []

# Kubernetes pod resource limits for trust.
#
# For example:
#  resources:
#    limits:
#      cpu: 100m
#      memory: 128Mi
#    requests:
#      cpu: 100m
#      memory: 128Mi
resources: {}

# Configure the priority class of the pod. For more information, see [PriorityClass](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass).
priorityClassName: ""

# Configure the nodeSelector; defaults to any Linux node (trust-manager doesn't support Windows nodes)
# +docs:property
nodeSelector:
  kubernetes.io/os: linux

# Kubernetes Affinity. For more information, see [Affinity v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core).
# For example:
#   affinity:
#     nodeAffinity:
#      requiredDuringSchedulingIgnoredDuringExecution:
#        nodeSelectorTerms:
#        - matchExpressions:
#          - key: foo.bar.com/role
#            operator: In
#            values:
#            - master
affinity: {}

# List of Kubernetes Tolerations, if required. For more information, see [Toleration v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core).
# For example:
#   tolerations:
#   - key: foo.bar.com/role
#     operator: Equal
#     value: master
#     effect: NoSchedule
tolerations: []

# List of Kubernetes TopologySpreadConstraints. For more information, see [TopologySpreadConstraint v1 core](https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core).
# For example:
#   topologySpreadConstraints:
#   - maxSkew: 2
#     topologyKey: topology.kubernetes.io/zone
#     whenUnsatisfiable: ScheduleAnyway
#     labelSelector:
#       matchLabels:
#         app.kubernetes.io/name: trust-manager
topologySpreadConstraints: []

filterExpiredCertificates:
  # Whether to filter expired certificates from the trust bundle.
  enabled: false

filterNonCACerts:
  # Filter non-CA certificates, only CAs are used in the resulting Bundle.
  enabled: false

app:
  # Minimum TLS version supported. If omitted, the default Go minimum version will be used.
  minTLSVersion: ""
  # Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used.
  cipherSuites: ""
  # The format of trust-manager logging. Accepted values are text or json.
  logFormat: text
  # The verbosity of trust-manager logging. This takes a value from 1-5, with the higher value being more verbose.
  logLevel: 1

  leaderElection:
    # Whether to enable leader election for trust-manager.
    enabled: true
    # The duration that non-leader candidates will wait to force acquire leadership.
    # The default should be sufficient in a healthy cluster but can be slightly increased to prevent trust-manager from restart-looping when the API server is overloaded.
    leaseDuration: 15s
    # The interval between attempts by the acting leader to renew a leadership slot before it stops leading.
    # This MUST be less than or equal to the lease duration.
    # The default should be sufficient in a healthy cluster but can be slightly increased to prevent trust-manager from restart-looping when the API server is overloaded.
    renewDeadline: 10s

  readinessProbe:
    # The container port on which to expose the trust-manager HTTP readiness probe using the default network interface.
    port: 6060
    # The path on which to expose the trust-manager HTTP readiness probe using the default network interface.
    path: "/readyz"

  trust:
    # The namespace used as the trust source. Note that the namespace _must_ exist
    # before installing trust-manager.
    namespace: cert-manager
    # List of target namespaces that trust-manager can write to. By default, trust-manager can write targets in any namespace.
    # +docs:property
    # targetNamespaces: ["ns-1", "ns-2"]

  securityContext:
    # If false, disables the default seccomp profile, which might be required to run on certain platforms.
    seccompProfileEnabled: true

  # Pod labels to add to trust-manager pods.
  podLabels: {}

  # Pod annotations to add to trust-manager pods.
  podAnnotations: {}

  # +docs:section=Webhook
  webhook:
    # Host that the webhook listens on.
    host: 0.0.0.0
    # Port that the webhook listens on.
    port: 6443
    # Timeout of webhook HTTP request.
    timeoutSeconds: 5

    service:
      # The type of Kubernetes Service used by the Webhook.
      type: ClusterIP
      # Set the ip family policy to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
      ipFamilyPolicy: ""
      # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
      ipFamilies: []
      # The nodePort set on the Service used by the webhook.
      # +docs:property
      # nodePort: 8080

    tls:
      helmCert:
        # Whether to issue a webhook cert using Helm, which removes the need to install cert-manager.
        # Helm-issued certificates can be challenging to rotate and maintain, and the issued cert will have a duration of 10 years and be modified when trust-manager is updated.
        # It's safer and easier to rely on cert-manager for issuing the webhook cert - avoid using Helm-generated certs in production.
        enabled: false

      approverPolicy:
        # Whether to create an approver-policy CertificateRequestPolicy allowing auto-approval of the trust-manager webhook certificate. If you have approver-policy installed, you almost certainly want to enable this.
        enabled: false
        # The namespace in which cert-manager was installed. Only used if `app.webhook.tls.approverPolicy.enabled` is true.
        certManagerNamespace: "cert-manager"
        # The name of cert-manager's Service Account. Only used if `app.webhook.tls.approverPolicy.enabled` is true.
        certManagerServiceAccount: "cert-manager"

      # Configure certificate duration and add labels/annotations to secrets created by Certificate resources when using cert-manager provisioned TLS certificate.
      certificate:
        # Certificate duration, if unset/empty the default from cert-manager will be used. Example configuration to set 1 year: duration: 8766h
        duration: ""
        secretTemplate: {}
        # For example:
        #  annotations:
        #    my-secret-annotation-1: "foo"
        #    my-secret-annotation-2: "bar"
        #  labels:
        #    my-secret-label: foo

    # This value specifies if the app should be started in hostNetwork mode. It is required for use in some managed Kubernetes clusters (such as AWS EKS) with custom CNI.
    hostNetwork: false

  # +docs:section=Metrics
  metrics:
    # The port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'.
    port: 9402
    # The service to expose metrics endpoint.
    service:
      # Create a Service resource to expose the metrics endpoint.
      enabled: true
      # The Service type to expose metrics.
      type: ClusterIP
      # Set the ip family policy to configure dual-stack; see [Configure dual-stack](https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services)
      ipFamilyPolicy: ""
      # Sets the families that should be supported and the order in which they should be applied to ClusterIP as well. Can be IPv4 and/or IPv6.
      ipFamilies: []
      # The ServiceMonitor resource for this Service.
      servicemonitor:
        # Create a Prometheus ServiceMonitor for trust-manager.
        enabled: false
        # Sets the value of the "prometheus" label on the ServiceMonitor.
        # This is used so that separate Prometheus instances can select different ServiceMonitors using labels.
        prometheusInstance: default
        # The interval to scrape the metrics.
        interval: 10s
        # The timeout for a metrics scrape.
        scrapeTimeout: 5s
        # Additional labels to add to the ServiceMonitor.
        labels: {}
        # EndpointAdditionalProperties allows setting additional properties on the
        # endpoint such as relabelings, metricRelabelings etc.
        #
        # For example:
        #  endpointAdditionalProperties:
        #   relabelings:
        #   - action: replace
        #     sourceLabels:
        #     - __meta_kubernetes_pod_node_name
        #     targetLabel: instance
        #
        # +docs:property
        endpointAdditionalProperties: {}

podDisruptionBudget:
  # Enable or disable the PodDisruptionBudget resource.
  #
  # This prevents downtime during voluntary disruptions such as during a Node upgrade.
  # For example, the PodDisruptionBudget will block `kubectl drain`
  # if it is used on the Node where the only remaining trust-manager
  # Pod is currently running.
  enabled: false

  # This configures the minimum available pods for disruptions. It can either be set to
  # an integer (e.g. 1) or a percentage value (e.g. 25%).
  # It cannot be used if `maxUnavailable` is set.
  # +docs:type=unknown
  # +docs:property
  # minAvailable: 1

  # This configures the maximum unavailable pods for disruptions. It can either be set to
  # an integer (e.g. 1) or a percentage value (e.g. 25%).
  # It cannot be used if `minAvailable` is set.
  # +docs:type=unknown
  # +docs:property
  # maxUnavailable: 1

# Labels to apply to all resources
commonLabels: {}

# Annotations to apply to all resources
# NOTE: These annotations won't be added to the CRDs.
commonAnnotations: {}

# Extra manifests to be deployed. This is useful for deploying additional resources that are not part of the chart.
# For example:
#  extraObjects:
#    - apiVersion: cilium.io/v2
#      kind: CiliumNetworkPolicy
#      metadata:
#        name: trust-manager
#        namespace: trust-manager
#      spec:
#        endpointSelector:
#          matchLabels:
#            io.cilium.k8s.policy.serviceaccount: trust-manager
#        egress:
#          - toEntities:
#              - kube-apiserver
extraObjects: []

# Field to optionally disable installation of the chart when wrapping it as a
# dependency in another chart.
# This matches the helm best practices:
# https://helm.sh/docs/chart_best_practices/dependencies/#conditions-and-tags
# +docs:hidden
enabled: true
```
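The `image` and `defaultPackageImage` comments above describe how the chart combines `imageRegistry`, `imageNamespace`, `name`, `repository`, the deprecated `registry` prefix, `tag` and `digest` into one image reference. The following is an added illustration, not the chart's own template code: it models that documented precedence so a reviewer can see which reference a values file will pin to, flag the "double registry" shape the comments warn about, and check whether the result is digest-pinned. The `app_version` default and the sample values are constructed placeholders.

```python
import re

# Digest as it appears in values.yaml: "sha256:" followed by 64 hex characters.
_DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def resolve_image(values: dict, key: str = "image", app_version: str = "vX.Y.Z") -> str:
    """Return the image reference the documented precedence yields for values[key].

    1. `<key>.repository` overrides `imageRegistry`/`imageNamespace`/`<key>.name`.
    2. The deprecated `<key>.registry` is prepended to whichever repository results.
    3. `<key>.digest` overrides `<key>.tag`; with neither, the chart appVersion is used
       (`app_version` is a placeholder here; the real chart reads Chart.yaml).
    """
    img = values.get(key, {})
    repository = img.get("repository")
    if not repository:
        parts = (values.get("imageRegistry"), values.get("imageNamespace"), img.get("name"))
        repository = "/".join(p for p in parts if p)
    if img.get("registry"):
        # Deprecated prefix: applied even on top of a full repository override.
        repository = f"{img['registry']}/{repository}"
    digest = img.get("digest")
    if digest:
        if not _DIGEST_RE.fullmatch(digest):
            raise ValueError(f"malformed digest: {digest!r}")
        return f"{repository}@{digest}"
    return f"{repository}:{img.get('tag') or app_version}"


def _repository_of(ref: str) -> str:
    """Strip digest and tag; a tag can only live in the last path component."""
    ref = ref.split("@", 1)[0]
    head, _, last = ref.rpartition("/")
    last = last.split(":", 1)[0]
    return f"{head}/{last}" if head else last


def _looks_like_host(component: str) -> bool:
    return component == "localhost" or "." in component or ":" in component


def double_registry(ref: str) -> bool:
    """True for the `legacy.example.io/quay.io/jetstack/...` shape the comments warn about."""
    parts = _repository_of(ref).split("/")
    return len(parts) >= 2 and _looks_like_host(parts[0]) and _looks_like_host(parts[1])


def pinned_by_digest(ref: str) -> bool:
    """A digest-pinned reference is immutable; a tag such as `latest` is not."""
    return "@sha256:" in ref


if __name__ == "__main__":
    # Constructed sample: upstream-style defaults plus the deprecated per-image prefix.
    sample = {"imageRegistry": "quay.io", "imageNamespace": "jetstack",
              "image": {"name": "trust-manager", "registry": "legacy.example.io"}}
    ref = resolve_image(sample)
    print(ref, "double registry:", double_registry(ref), "pinned:", pinned_by_digest(ref))
```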