A timoni.sh module for deploying trust-manager to Kubernetes clusters.
This module is applied to these Kubernetes version in CI:
To create an instance using the default values:
timoni -n trust-manager apply trust-manager oci://ghcr.io/nalum/timoni/modules/trust-managerTo change the default configuration,
create one or more values.cue files and apply them to the instance.
For example, create a file my-values.cue with the following content:
values: {
resources: requests: {
cpu: "100m"
memory: "128Mi"
}
}And apply the values with:
timoni -n trust-manager apply trust-manager oci://ghcr.io/nalum/timoni/modules/trust-manager
--values ./my-values.cueTo uninstall an instance and delete all its Kubernetes resources:
timoni -n trust-manager delete trust-manager| KEY | TYPE | DEFAULT | DESCRIPTION |
|---|---|---|---|
metadata: labels: |
struct |
{} |
Annotations is an unstructured key value map stored with a resource that may be set to store and retrieve arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations The annotations allows adding metadata.annotations to all resources. |
metadata: annotations: |
struct |
{} |
Annotations is an unstructured key value map stored with a resource that may be set to store and retrieve arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations The annotations allows adding metadata.annotations to all resources. |
replicaCount: |
int |
1 |
Number of replicas of trust-manager to run. |
imagePullSecrets: |
list |
[] |
Reference to one or more secrets to be used when pulling images ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |
image: repository: |
string |
"quay.io/jetstack/trust-manager" |
Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
image: tag: |
string |
"v0.8.0" |
Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
image: digest: |
string |
"sha256:e45773dbc05105a19e0750fdb2524ba056ae1568f37b7ed99d42ad64264734fc" |
Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
image: pullPolicy: |
string |
"IfNotPresent" |
PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
defaultPackage: enabled: |
bool |
true |
Whether to load the default trust package during pod initialization and include it in main container args. This container enables the 'useDefaultCAs' source on Bundles. |
defaultPackage: image: repository: |
string |
"quay.io/jetstack/cert-manager-package-debian" |
Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |
defaultPackage: image: tag: |
string |
"20210119.0" |
Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |
defaultPackage: image: digest: |
string |
"sha256:aa3466521072e0f54666092acde1e394314d5f4247034ed1379a90919fa904a4" |
Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |
defaultPackage: image: pullPolicy: |
string |
"IfNotPresent" |
PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |
secretTargets: enabled: |
bool |
false |
If set to true, enable writing trust bundles to Kubernetes Secrets as a target. trust-manager can only write to secrets which are explicitly allowed via either authorizedSecrets or authorizedSecretsAll. NOTE: Enabling secret targets will grant trust-manager read access to all secrets in the cluster. |
secretTargets: authorizedSecretsAll: |
bool |
false |
If set to true, grant read/write permission to all secrets across the cluster. Use with caution! If set, ignores the authorizedSecrets list. |
secretTargets: authorizedSecrets: |
list |
[] |
A list of secret names which trust-manager will be permitted to read and write across all namespaces. These will be the only allowable Secrets that can be used as targets. If the list is empty (and authorizedSecretsAll is false), trust-manager will not be able to write to secrets and will only be able to read secrets in the trust namespace for use as sources. |
resources: limits: |
struct |
{} |
Limits describes the maximum amount of compute resources allowed. |
resources: requests: cpu: |
string |
"100m" |
|
resources: requests: memory: |
string |
"128Mi" |
|
priorityClassName: |
string |
`` | Configure the priority class of the pod; see https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass |
nodeSelector: |
struct |
{} |
|
affinity: |
struct |
{"nodeAffinity": {"requiredDuringSchedulingIgnoredDuringExecution": {"nodeSelectorTerms": [{"matchExpressions": [{"key": "kubernetes.io/os","operator": "In","values": ["linux"]}]}]}}} |
Kubernetes Affinty; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core for example: affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: foo.bar.com/role operator: In values: - master Kubernetes Affinty; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#affinity-v1-core |
tolerations: |
list |
[] |
List of Kubernetes Tolerations, if required; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core for example: tolerations: - key: foo.bar.com/role operator: Equal value: master effect: NoSchedule List of Kubernetes Tolerations; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#toleration-v1-core |
topologySpreadConstraints: |
list |
[] |
List of Kubernetes TopologySpreadConstraints; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core For example: topologySpreadConstraints: - maxSkew: 2 topologyKey: topology.kubernetes.io/zone whenUnsatisfiable: ScheduleAnyway labelSelector: matchLabels: app.kubernetes.io/instance: cert-manager app.kubernetes.io/component: controller List of Kubernetes TopologySpreadConstraints; see https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.27/#topologyspreadconstraint-v1-core |
filterExpiredCertificates: |
bool |
false |
Whether to filter expired certificates from the trust bundle. |
app: logLevel: |
int |
1 |
Verbosity of trust-manager logging; takes a value from 1-5, with higher being more verbose |
app: readinessProbe: initialDelaySeconds: |
int |
3 |
Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
app: readinessProbe: timeoutSeconds: |
int |
`` | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |
app: readinessProbe: periodSeconds: |
int |
7 |
How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. |
app: readinessProbe: successThreshold: |
int |
`` | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |
app: readinessProbe: failureThreshold: |
int |
`` | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |
app: readinessProbe: terminationGracePeriodSeconds: |
(null|int) |
`` | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |
app: trust: namespace: |
string |
"default" |
Namespace used as trust source. Note that the namespace must exist before installing trust-manager. |
app: securityContext: seccompProfileEnabled: |
bool |
true |
If false, disables the default seccomp profile, which might be required to run on certain platforms |
app: webhook: host: |
string |
"0.0.0.0" |
Host that the webhook listens on. |
app: webhook: port: |
int |
6443 |
Port that the webhook listens on. |
app: webhook: timeoutSeconds: |
int |
5 |
Timeout of webhook HTTP request. |
app: webhook: service: type: |
string |
"ClusterIP" |
Type of Kubernetes Service used by the Webhook |
app: webhook: tls: approverPolicy: enabled: |
bool |
false |
Whether to create an approver-policy CertificateRequestPolicy allowing auto-approval of the trust-manager webhook certificate. If you have approver-policy installed, you almost certainly want to enable this. |
app: webhook: tls: approverPolicy: certManagerNamespace: |
string |
"cert-manager" |
Namespace in which cert-manager was installed. Only used if app.webhook.tls.approverPolicy.enabled is true |
app: webhook: tls: approverPolicy: certManagerServiceAccount: |
string |
"cert-manager" |
Name of cert-manager's ServiceAccount. Only used if app.webhook.tls.approverPolicy.enabled is true |
app: webhook: hostNetwork: |
bool |
false |
Specifies if the app should be started in hostNetwork mode. Required for use in some managed kubernetes clusters (such as AWS EKS) with custom CNI. |
app: metrics: port: |
int |
9402 |
Port for exposing Prometheus metrics on 0.0.0.0 on path '/metrics'. |
app: metrics: service: enabled: |
bool |
true |
Create a Service resource to expose metrics endpoint. |
app: metrics: service: type: |
string |
"ClusterIP" |
Service type to expose metrics. |
app: metrics: service: serviceMonitor: enabled: |
bool |
false |
Create a Prometheus ServiceMonitor for trust-manager |
app: metrics: service: serviceMonitor: prometheusInstance: |
string |
"default" |
Sets the value of the "prometheus" label on the ServiceMonitor, this is used as separate Prometheus instances can select difference ServiceMonitors using labels |
app: metrics: service: serviceMonitor: interval: |
string |
"10s" |
Interval to scrape the metrics |
app: metrics: service: serviceMonitor: scrapeTimeout: |
string |
"5s" |
Timeout for a metrics scrape |
Comply with the restricted By default this module is configured for a production deployment and should comply with the restricted Kubernetes pod security standard, any changes would potentially result in a deployment that doesn't meet these standards.
values: {
replicaCount: 2
}