diff --git a/chart/chart-index/Chart.yaml b/chart/chart-index/Chart.yaml
index 212504d134..d4d5774504 100644
--- a/chart/chart-index/Chart.yaml
+++ b/chart/chart-index/Chart.yaml
@@ -9,7 +9,7 @@ dependencies:
     version: 8.0.9
     repository: https://argoproj.github.io/argo-helm
   - name: cert-manager
-    version: v1.17.1
+    version: v1.18.0
     repository: https://charts.jetstack.io
   - name: cloudnative-pg
     version: 0.24.0
diff --git a/charts/cert-manager/Chart.yaml b/charts/cert-manager/Chart.yaml
index 6f05ea15f0..2479e33c7b 100644
--- a/charts/cert-manager/Chart.yaml
+++ b/charts/cert-manager/Chart.yaml
@@ -6,7 +6,7 @@ annotations:
     fingerprint: 1020CF3C033D4F35BAE1C19E1226061C665DF13E
     url: https://cert-manager.io/public-keys/cert-manager-keyring-2021-09-20-1020CF3C033D4F35BAE1C19E1226061C665DF13E.gpg
 apiVersion: v2
-appVersion: v1.17.1
+appVersion: v1.18.0
 description: A Helm chart for cert-manager
 home: https://cert-manager.io
 icon: https://raw.githubusercontent.com/cert-manager/community/4d35a69437d21b76322157e6284be4cd64e6d2b7/logo/logo-small.png
@@ -23,4 +23,4 @@ maintainers:
     name: cert-manager
 sources:
   - https://github.com/cert-manager/cert-manager
-version: v1.17.1
+version: v1.18.0
diff --git a/charts/cert-manager/README.md b/charts/cert-manager/README.md
index a995bad282..01df64c6d4 100644
--- a/charts/cert-manager/README.md
+++ b/charts/cert-manager/README.md
@@ -19,7 +19,7 @@ Before installing the chart, you must first install the cert-manager CustomResou
 This is performed in a separate step to allow you to easily uninstall and reinstall cert-manager without deleting your installed custom resources.
 
 ```bash
-$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.1/cert-manager.crds.yaml
+$ kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.0/cert-manager.crds.yaml
 ```
 
 To install the chart with the release name `cert-manager`:
@@ -29,7 +29,7 @@ To install the chart with the release name `cert-manager`: $ helm repo add jetstack https://charts.jetstack.io --force-update ## Install the cert-manager helm chart -$ helm install cert-manager --namespace cert-manager --version v1.17.1 jetstack/cert-manager +$ helm install cert-manager --namespace cert-manager --version v1.18.0 jetstack/cert-manager ``` In order to begin issuing certificates, you will need to set up a ClusterIssuer @@ -65,7 +65,7 @@ If you want to completely uninstall cert-manager from your cluster, you will als delete the previously installed CustomResourceDefinition resources: ```console -$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.17.1/cert-manager.crds.yaml +$ kubectl delete -f https://github.com/cert-manager/cert-manager/releases/download/v1.18.0/cert-manager.crds.yaml ``` ## Configuration @@ -122,6 +122,13 @@ Create required ClusterRoles and ClusterRoleBindings for cert-manager. > ``` Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) +#### **global.rbac.disableHTTPChallengesRole** ~ `bool` +> Default value: +> ```yaml +> false +> ``` + +To use HTTP-01 ACME challenges, cert-manager needs extra permissions to create pods. If you want to avoid this added permission and disable HTTP-01 set this value. #### **global.podSecurityPolicy.enabled** ~ `bool` > Default value: > ```yaml 
@@ -230,13 +237,13 @@ This prevents downtime during voluntary disruptions such as during a Node upgrad Pod is currently running. #### **podDisruptionBudget.minAvailable** ~ `unknown` -This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +This configures the minimum available pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). It cannot be used if `maxUnavailable` is set. #### **podDisruptionBudget.maxUnavailable** ~ `unknown` -This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if `minAvailable` is set. +This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). it cannot be used if `minAvailable` is set. #### **featureGates** ~ `string` @@ -300,7 +307,7 @@ Override the "cert-manager.fullname" value. This value is used as part of most o #### **nameOverride** ~ `string` -Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. "cainjector.name" which resolves to the value "cainjector"). +Override the "cert-manager.name" value, which is used to annotate some of the resources that are created by this Chart (using "app.kubernetes.io/name"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use, e.g., "cainjector.name" which resolves to the value "cainjector"). #### **serviceAccount.create** ~ `bool` > Default value: 
@@ -371,10 +378,10 @@ config: kubernetesAPIBurst: 9000 numberOfConcurrentWorkers: 200 enableGatewayAPI: true - # Feature gates as of v1.17.0. Listed with their default values. + # Feature gates as of v1.18.0. Listed with their default values. # See https://cert-manager.io/docs/cli/controller/ featureGates: - AdditionalCertificateOutputFormats: true # BETA - default=true + AdditionalCertificateOutputFormats: true # GA - default=true AllAlpha: false # ALPHA - default=false AllBeta: false # BETA - default=false ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false @@ -386,7 +393,7 @@ config: ServerSideApply: false # ALPHA - default=false StableCertificateRequestName: true # BETA - default=true UseCertificateRequestBasicConstraints: false # ALPHA - default=false - UseDomainQualifiedFinalizer: true # BETA - default=false + UseDomainQualifiedFinalizer: true # GA - default=true ValidateCAA: false # ALPHA - default=false # Configure the metrics server for TLS # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls 
@@ -425,7 +432,7 @@ Option to disable cert-manager's build-in auto-approver. The auto-approver appro > - clusterissuers.cert-manager.io/* > ``` -List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'. +List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'. ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval #### **extraArgs** ~ `array` @@ -684,7 +691,7 @@ enableServiceLinks indicates whether information about services should be inject Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a ServiceMonitor resource. -Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. +Otherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. #### **prometheus.servicemonitor.enabled** ~ `bool` > Default value: > ```yaml 
@@ -703,13 +710,14 @@ The namespace that the service monitor should live in, defaults to the cert-mana > ``` Specifies the `prometheus` label on the created ServiceMonitor. This is used when different Prometheus instances have label selectors matching different ServiceMonitors. -#### **prometheus.servicemonitor.targetPort** ~ `number` +#### **prometheus.servicemonitor.targetPort** ~ `string,integer` > Default value: > ```yaml -> 9402 +> http-metrics > ``` The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics. + #### **prometheus.servicemonitor.path** ~ `string` > Default value: > ```yaml @@ -969,13 +977,13 @@ This prevents downtime during voluntary disruptions such as during a Node upgrad Pod is currently running. #### **webhook.podDisruptionBudget.minAvailable** ~ `unknown` -This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). It cannot be used if `maxUnavailable` is set. #### **webhook.podDisruptionBudget.maxUnavailable** ~ `unknown` -This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). +This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). It cannot be used if `minAvailable` is set. 
@@ -1442,14 +1450,14 @@ Pod is currently running. #### **cainjector.podDisruptionBudget.minAvailable** ~ `unknown` `minAvailable` configures the minimum available pods for disruptions. It can either be set to -an integer (e.g. 1) or a percentage value (e.g. 25%). +an integer (e.g., 1) or a percentage value (e.g., 25%). Cannot be used if `maxUnavailable` is set. #### **cainjector.podDisruptionBudget.maxUnavailable** ~ `unknown` `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to -an integer (e.g. 1) or a percentage value (e.g. 25%). +an integer (e.g., 1) or a percentage value (e.g., 25%). Cannot be used if `minAvailable` is set. diff --git a/charts/cert-manager/templates/NOTES.txt b/charts/cert-manager/templates/NOTES.txt index 341d10123c..4d0b4b6048 100644 --- a/charts/cert-manager/templates/NOTES.txt +++ b/charts/cert-manager/templates/NOTES.txt @@ -1,6 +1,12 @@ {{- if .Values.installCRDs }} ⚠️ WARNING: `installCRDs` is deprecated, use `crds.enabled` instead. + {{- end }} +⚠️ WARNING: New default private key rotation policy for Certificate resources. +The default private key rotation policy for Certificate resources was +changed to `Always` in cert-manager >= v1.18.0. +Learn more in the [1.18 release notes](https://cert-manager.io/docs/releases/release-notes/release-notes-1.18). + cert-manager {{ .Chart.AppVersion }} has been deployed successfully! In order to begin issuing certificates, you will need to set up a ClusterIssuer diff --git a/charts/cert-manager/templates/cainjector-deployment.yaml b/charts/cert-manager/templates/cainjector-deployment.yaml index dc14ab0227..79ba857d59 100644 --- a/charts/cert-manager/templates/cainjector-deployment.yaml +++ b/charts/cert-manager/templates/cainjector-deployment.yaml 
@@ -138,7 +138,9 @@ spec: {{- end }} {{- with .Values.cainjector.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} {{- with .Values.cainjector.affinity }} affinity: diff --git a/charts/cert-manager/templates/crds.yaml b/charts/cert-manager/templates/crds.yaml index f5f8ec4378..7979a58450 100644 --- a/charts/cert-manager/templates/crds.yaml +++ b/charts/cert-manager/templates/crds.yaml @@ -408,10 +408,6 @@ spec: description: |- Defines extra output formats of the private key and signed certificate chain to be written to this Certificate's target Secret. - - This is a Beta Feature enabled by default. It can be disabled with the - `--feature-gates=AdditionalCertificateOutputFormats=false` option set on both - the controller and webhook components. type: array items: description: |- @@ -615,7 +611,7 @@ spec: `LegacyRC2`: Deprecated. Not supported by default in OpenSSL 3 or Java 20. `LegacyDES`: Less secure algorithm. Use this option for maximal compatibility. `Modern2023`: Secure algorithm. Use this option in case you have to always use secure algorithms - (eg. because of company policy). Please note that the security of the algorithm is not that important + (e.g., because of company policy). Please note that the security of the algorithm is not that important in reality, because the unencrypted certificate and private key are also stored in the Secret. type: string enum: @@ -768,7 +764,11 @@ spec: to await user intervention. If set to `Always`, a private key matching the specified requirements will be generated whenever a re-issuance occurs. - Default is `Never` for backward compatibility. + Default is `Always`. + The default was changed from `Never` to `Always` in cert-manager >=v1.18.0. + The new default can be disabled by setting the + `--feature-gates=DefaultPrivateKeyRotationPolicyAlways=false` option on + the controller component. type: string enum: - Never 
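Review bot: The new loop quotes each value but emits the key as a plain scalar, `{{ $key }}: {{ $value | quote }}`, so a key that YAML would reinterpret (one starting with an indicator such as `*` or containing `: `) is no longer protected the way the replaced `toYaml` protected it; `{{ $key | quote }}: {{ $value | quote }}` keeps both sides safe. Values set as numbers or booleans with `--set` now render as strings, which is what nodeSelector expects, but a value that is itself a map or list now appears to be rendered through `quote` as one opaque string rather than as nested YAML, so a comment such as `# nodeSelector must be a flat map of string label values` would make the contract visible. The same loop is added to deployment.yaml, startupapicheck-job.yaml and webhook-deployment.yaml; a shared named template would keep the four copies from drifting.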
@@ -828,8 +828,7 @@ spec: revisions exceeds this number. If set, revisionHistoryLimit must be a value of `1` or greater. - If unset (`nil`), revisions will not be garbage collected. - Default value is `nil`. + Default value is `1`. type: integer format: int32 secretName: @@ -858,6 +857,21 @@ spec: type: object additionalProperties: type: string + signatureAlgorithm: + description: |- + Signature algorithm to use. + Allowed values for RSA keys: SHA256WithRSA, SHA384WithRSA, SHA512WithRSA. + Allowed values for ECDSA keys: ECDSAWithSHA256, ECDSAWithSHA384, ECDSAWithSHA512. + Allowed values for Ed25519 keys: PureEd25519. + type: string + enum: + - SHA256WithRSA + - SHA384WithRSA + - SHA512WithRSA + - ECDSAWithSHA256 + - ECDSAWithSHA384 + - ECDSAWithSHA512 + - PureEd25519 subject: description: |- Requested set of X509 certificate subject attributes. @@ -1187,9 +1201,9 @@ spec: type: string dnsName: description: |- - dnsName is the identifier that this challenge is for, e.g. example.com. + dnsName is the identifier that this challenge is for, e.g., example.com. If the requested DNSName is a 'wildcard', this field MUST be set to the - non-wildcard domain, e.g. for `*.example.com`, it must be `example.com`. + non-wildcard domain, e.g., for `*.example.com`, it must be `example.com`. type: string issuerRef: description: |- 
@@ -1383,15 +1397,15 @@ spec: type: object properties: clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID + description: client ID of the managed identity, cannot be used at the same time as resourceID type: string resourceID: description: |- - resource ID of the managed identity, can not be used at the same time as clientID + resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string tenantID: - description: tenant ID of the managed identity, can not be used at the same time as resourceID + description: tenant ID of the managed identity, cannot be used at the same time as resourceID type: string resourceGroupName: description: resource group the DNS zone is located in @@ -1700,7 +1714,7 @@ spec: when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for a DNS service), you + If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. @@ -1716,14 +1730,14 @@ spec: description: |- The name of the solver to use, as defined in the webhook provider implementation. - This will typically be the name of the provider, e.g. 'cloudflare'. + This will typically be the name of the provider, e.g., 'cloudflare'. type: string http01: description: |- Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names - (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + (e.g., `*.example.com`) using the HTTP01 challenge mechanism. type: object properties: gatewayHTTPRoute: 
@@ -4330,6 +4344,8 @@ spec: kind: ClusterIssuer listKind: ClusterIssuerList plural: clusterissuers + shortNames: + - ciss singular: clusterissuer categories: - cert-manager @@ -4480,7 +4496,7 @@ spec: PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. - For example, for Let's Encrypt's DST crosssign you would use: + For example, for Let's Encrypt's DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the combined set of ACME default and alternative chains that has a root-most certificate with @@ -4509,6 +4525,11 @@ spec: Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string + profile: + description: |- + Profile allows requesting a certificate profile from the ACME server. + Supported profiles are listed by the server's ACME directory URL. + type: string server: description: |- Server is the URL used to access the ACME server's 'directory' endpoint. @@ -4699,15 +4720,15 @@ spec: type: object properties: clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID + description: client ID of the managed identity, cannot be used at the same time as resourceID type: string resourceID: description: |- - resource ID of the managed identity, can not be used at the same time as clientID + resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string tenantID: - description: tenant ID of the managed identity, can not be used at the same time as resourceID + description: tenant ID of the managed identity, cannot be used at the same time as resourceID type: string resourceGroupName: description: resource group the DNS zone is located in 
@@ -5016,7 +5037,7 @@ spec: when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for a DNS service), you + If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. @@ -5032,14 +5053,14 @@ spec: description: |- The name of the solver to use, as defined in the webhook provider implementation. - This will typically be the name of the provider, e.g. 'cloudflare'. + This will typically be the name of the provider, e.g., 'cloudflare'. type: string http01: description: |- Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names - (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + (e.g., `*.example.com`) using the HTTP01 challenge mechanism. type: object properties: gatewayHTTPRoute: @@ -7852,6 +7873,11 @@ spec: server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + serverName: + description: |- + ServerName is used to verify the hostname on the returned certificates + by the Vault server. + type: string venafi: description: |- Venafi configures this issuer to sign certificates using a Venafi TPP @@ -7888,7 +7914,7 @@ spec: url: description: |- URL is the base URL for Venafi Cloud. - Defaults to "https://api.venafi.cloud/v1". + Defaults to "https://api.venafi.cloud/". type: string tpp: description: |- @@ -8060,6 +8086,8 @@ spec: kind: Issuer listKind: IssuerList plural: issuers + shortNames: + - iss singular: issuer categories: - cert-manager 
@@ -8209,7 +8237,7 @@ spec: PreferredChain is the chain to use if the ACME server outputs multiple. PreferredChain is no guarantee that this one gets delivered by the ACME endpoint. - For example, for Let's Encrypt's DST crosssign you would use: + For example, for Let's Encrypt's DST cross-sign you would use: "DST Root CA X3" or "ISRG Root X1" for the newer Let's Encrypt root CA. This value picks the first certificate bundle in the combined set of ACME default and alternative chains that has a root-most certificate with @@ -8238,6 +8266,11 @@ spec: Name of the resource being referred to. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names type: string + profile: + description: |- + Profile allows requesting a certificate profile from the ACME server. + Supported profiles are listed by the server's ACME directory URL. + type: string server: description: |- Server is the URL used to access the ACME server's 'directory' endpoint. @@ -8428,15 +8461,15 @@ spec: type: object properties: clientID: - description: client ID of the managed identity, can not be used at the same time as resourceID + description: client ID of the managed identity, cannot be used at the same time as resourceID type: string resourceID: description: |- - resource ID of the managed identity, can not be used at the same time as clientID + resource ID of the managed identity, cannot be used at the same time as clientID Cannot be used for Azure Managed Service Identity type: string tenantID: - description: tenant ID of the managed identity, can not be used at the same time as resourceID + description: tenant ID of the managed identity, cannot be used at the same time as resourceID type: string resourceGroupName: description: resource group the DNS zone is located in 
@@ -8745,7 +8778,7 @@ spec: when challenges are processed. This can contain arbitrary JSON data. Secret values should not be specified in this stanza. - If secret values are needed (e.g. credentials for a DNS service), you + If secret values are needed (e.g., credentials for a DNS service), you should use a SecretKeySelector to reference a Secret resource. For details on the schema of this field, consult the webhook provider implementation's documentation. @@ -8761,14 +8794,14 @@ spec: description: |- The name of the solver to use, as defined in the webhook provider implementation. - This will typically be the name of the provider, e.g. 'cloudflare'. + This will typically be the name of the provider, e.g., 'cloudflare'. type: string http01: description: |- Configures cert-manager to attempt to complete authorizations by performing the HTTP01 challenge flow. It is not possible to obtain certificates for wildcard domain names - (e.g. `*.example.com`) using the HTTP01 challenge mechanism. + (e.g., `*.example.com`) using the HTTP01 challenge mechanism. type: object properties: gatewayHTTPRoute: @@ -11581,6 +11614,11 @@ spec: server: description: 'Server is the connection address for the Vault server, e.g: "https://vault.example.com:8200".' type: string + serverName: + description: |- + ServerName is used to verify the hostname on the returned certificates + by the Vault server. + type: string venafi: description: |- Venafi configures this issuer to sign certificates using a Venafi TPP @@ -11617,7 +11655,7 @@ spec: url: description: |- URL is the base URL for Venafi Cloud. - Defaults to "https://api.venafi.cloud/v1". + Defaults to "https://api.venafi.cloud/". type: string tpp: description: |- 
@@ -11892,6 +11930,11 @@ spec: name: description: Name of the resource being referred to. type: string + profile: + description: |- + Profile allows requesting a certificate profile from the ACME server. + Supported profiles are listed by the server's ACME directory URL. + type: string request: description: |- Certificate signing request bytes in DER encoding. @@ -11942,7 +11985,7 @@ spec: type: string type: description: |- - Type is the type of challenge being offered, e.g. 'http-01', 'dns-01', + Type is the type of challenge being offered, e.g., 'http-01', 'dns-01', 'tls-sni-01', etc. This is the raw value retrieved from the ACME server. Only 'http-01' and 'dns-01' are supported by cert-manager, other values diff --git a/charts/cert-manager/templates/deployment.yaml b/charts/cert-manager/templates/deployment.yaml index 8a4a9734b8..b1af92799a 100644 --- a/charts/cert-manager/templates/deployment.yaml +++ b/charts/cert-manager/templates/deployment.yaml @@ -211,7 +211,9 @@ spec: {{- end }} {{- with .Values.nodeSelector }} nodeSelector: - {{- toYaml . | nindent 8 }} + {{- range $key, $value := . }} + {{ $key }}: {{ $value | quote }} + {{- end }} {{- end }} {{- with .Values.affinity }} affinity: diff --git a/charts/cert-manager/templates/rbac.yaml b/charts/cert-manager/templates/rbac.yaml index baae425f05..9b8c5f76db 100644 --- a/charts/cert-manager/templates/rbac.yaml +++ b/charts/cert-manager/templates/rbac.yaml @@ -217,11 +217,12 @@ rules: --- -# Challenges controller role +# HTTP01 Challenges controller role +{{ if not .Values.global.rbac.disableHTTPChallengesRole }} apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: - name: {{ template "cert-manager.fullname" . }}-controller-challenges + name: {{ template "cert-manager.fullname" . }}-http01-controller-challenges labels: app: {{ include "cert-manager.name" . }} app.kubernetes.io/name: {{ include "cert-manager.name" . }} 
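Review bot: Renaming the ClusterRole from `-controller-challenges` to `-http01-controller-challenges` (the binding at the end of this file is renamed the same way) is a compatibility break for anything outside the chart that refers to the old name, such as an aggregated ClusterRole or an audit allow-list, and none of the hunks shown, including the README entry for `global.rbac.disableHTTPChallengesRole`, calls it out. A comment above the guard, `# Renamed from -controller-challenges; the DNS01 rules now live in a separate role below`, and a line in NOTES.txt would tell operators what to update. The guard is written `{{ if ... }}` without the `-` trim that the standalone actions in these hunks use (`{{- end }}`, `{{- include ... }}`), which leaves a blank line in the rendered document; `{{- if not .Values.global.rbac.disableHTTPChallengesRole }}` matches the surrounding style. The role's rules start outside this hunk.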
@@ -249,6 +250,12 @@ rules:
   - apiGroups: [""]
     resources: ["events"]
     verbs: ["create", "patch"]
+  # We require these rules to support users with the OwnerReferencesPermissionEnforcement
+  # admission controller enabled:
+  # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
+  - apiGroups: [ "acme.cert-manager.io" ]
+    resources: [ "challenges/finalizers" ]
+    verbs: [ "update" ]
   # HTTP01 rules
   - apiGroups: [""]
     resources: ["pods", "services"]
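Review bot: The three added rule lines use padded flow sequences, `[ "acme.cert-manager.io" ]`, `[ "challenges/finalizers" ]` and `[ "update" ]`, while every other rule in this role writes `["..."]`; `- apiGroups: ["acme.cert-manager.io"]`, `resources: ["challenges/finalizers"]`, `verbs: ["update"]` keeps the file uniform and yamllint-clean. The accompanying three-line comment duplicates the block that the next hunk in this file leaves at the end of the DNS01 role, so the finalizer rule is now maintained in two places; a pointer such as `# (same rule is kept in the DNS01 role below)` would make that deliberate.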
@@ -265,6 +272,42 @@ rules:
   - apiGroups: ["route.openshift.io"]
     resources: ["routes/custom-host"]
     verbs: ["create"]
+{{- end }}
+
+---
+
+# DNS01 Challenges controller role
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-dns01-controller-challenges
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+rules:
+  # Use to update challenge resource status
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges", "challenges/status"]
+    verbs: ["update", "patch"]
+  # Used to watch challenge resources
+  - apiGroups: ["acme.cert-manager.io"]
+    resources: ["challenges"]
+    verbs: ["get", "list", "watch"]
+  # Used to watch challenges, issuer and clusterissuer resources
+  - apiGroups: ["cert-manager.io"]
+    resources: ["issuers", "clusterissuers"]
+    verbs: ["get", "list", "watch"]
+  # Need to be able to retrieve ACME account private key to complete challenges
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "list", "watch"]
+  # Used to create events
+  - apiGroups: [""]
+    resources: ["events"]
+    verbs: ["create", "patch"]
   # We require these rules to support users with the OwnerReferencesPermissionEnforcement
   # admission controller enabled:
   # https://kubernetes.io/docs/reference/access-authn-authz/admission-controllers/#ownerreferencespermissionenforcement
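Review bot: The new DNS01 ClusterRole grants `get`, `list` and `watch` on `secrets` in every namespace, and that grant remains when `global.rbac.disableHTTPChallengesRole` drops the HTTP01 role, so the option removes only the pod/service/ingress-related permissions, not cluster-wide Secret read access. This looks like a copy of the rule the HTTP01 role already carries (its secrets rule is outside this hunk), so it is not a widening, but the comment should say what the scope is: `# Need to be able to retrieve ACME account private key to complete challenges (cluster-wide; the HTTP01 role carries the same rule)`. The first four rules of the two roles are otherwise identical; a shared ClusterRole bound alongside the solver-specific ones would avoid keeping the copies in step by hand. The role's trailing finalizer rule continues outside the hunk.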
@@ -401,10 +444,33 @@ subjects:
 
 ---
 
+{{ if not .Values.global.rbac.disableHTTPChallengesRole }}
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "cert-manager.fullname" . }}-http01-controller-challenges
+  labels:
+    app: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/name: {{ include "cert-manager.name" . }}
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/component: "controller"
+    {{- include "labels" . | nindent 4 }}
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: {{ template "cert-manager.fullname" . }}-http01-controller-challenges
+subjects:
+  - name: {{ template "cert-manager.serviceAccountName" . }}
+    namespace: {{ include "cert-manager.namespace" . }}
+    kind: ServiceAccount
+{{- end }}
+
+---
+
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
-  name: {{ template "cert-manager.fullname" . }}-controller-challenges
+  name: {{ template "cert-manager.fullname" . }}-dns01-controller-challenges
   labels:
     app: {{ include "cert-manager.name" . }}
     app.kubernetes.io/name: {{ include "cert-manager.name" . }}
@@ -414,7 +480,7 @@ metadata:
 roleRef:
   apiGroup: rbac.authorization.k8s.io
   kind: ClusterRole
-  name: {{ template "cert-manager.fullname" . }}-controller-challenges
+  name: {{ template "cert-manager.fullname" . }}-dns01-controller-challenges
 subjects:
   - name: {{ template "cert-manager.serviceAccountName" . }}
     namespace: {{ include "cert-manager.namespace" . }}
diff --git a/charts/cert-manager/templates/serviceaccount.yaml b/charts/cert-manager/templates/serviceaccount.yaml
index 698ddef8c6..fac93d0a00 100644
--- a/charts/cert-manager/templates/serviceaccount.yaml
+++ b/charts/cert-manager/templates/serviceaccount.yaml
@@ -12,7 +12,8 @@ metadata:
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- range $k, $v := . }}
-    {{- printf "%s: %s" (tpl $k $) (tpl $v $) | nindent 4 }}
+    {{- $value := $v | quote }}
+    {{- printf "%s: %s" (tpl $k $) (tpl $value $) | nindent 4 }}
     {{- end }}
   {{- end }}
   labels:
diff --git a/charts/cert-manager/templates/servicemonitor.yaml b/charts/cert-manager/templates/servicemonitor.yaml
index dd1beec8a5..a29f3c6aa7 100644
--- a/charts/cert-manager/templates/servicemonitor.yaml
+++ b/charts/cert-manager/templates/servicemonitor.yaml
@@ -16,7 +16,9 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/component: "controller"
     {{- include "labels" . | nindent 4 }}
+    {{- if .Values.prometheus.servicemonitor.prometheusInstance }}
     prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}
+    {{- end }}
     {{- with .Values.prometheus.servicemonitor.labels }}
     {{- toYaml . | nindent 4 }}
     {{- end }}
@@ -54,8 +56,12 @@ spec:
   endpoints:
   - targetPort: {{ .Values.prometheus.servicemonitor.targetPort }}
     path: {{ .Values.prometheus.servicemonitor.path }}
+    {{- if .Values.prometheus.servicemonitor.interval }}
     interval: {{ .Values.prometheus.servicemonitor.interval }}
+    {{- end }}
+    {{- if .Values.prometheus.servicemonitor.scrapeTimeout }}
     scrapeTimeout: {{ .Values.prometheus.servicemonitor.scrapeTimeout }}
+    {{- end }}
     honorLabels: {{ .Values.prometheus.servicemonitor.honorLabels }}
     {{- with .Values.prometheus.servicemonitor.endpointAdditionalProperties }}
     {{- toYaml . | nindent 4 }}
diff --git a/charts/cert-manager/templates/startupapicheck-job.yaml b/charts/cert-manager/templates/startupapicheck-job.yaml
index 183cff4e36..606cc1ea55 100644
--- a/charts/cert-manager/templates/startupapicheck-job.yaml
+++ b/charts/cert-manager/templates/startupapicheck-job.yaml
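Review bot: Quoting happens before template expansion: `$value := $v | quote` wraps and escapes the raw annotation text, and `tpl $value $` then expands any `{{ }}` inside it, so a double quote or backslash produced by the expansion lands in the rendered value unescaped and breaks the YAML, while the escaping that was applied only covered characters of the unexpanded template. Expanding first and quoting the result, `{{- printf "%s: %s" (tpl $k $) (tpl (toString $v) $ | quote) | nindent 4 }}`, escapes what is actually emitted; `toString` keeps non-string values (booleans or numbers passed with `--set`), which the current order presumably exists to tolerate, from reaching `tpl`. The enclosing `metadata:` block starts outside the hunk.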
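Review bot: `prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance }}` is now emitted only when set, but the label value is still a plain scalar, so a value such as `1.0` or `on` could be retyped by the YAML parser and rejected by the API server, which requires label values to be strings; `prometheus: {{ .Values.prometheus.servicemonitor.prometheusInstance | quote }}` avoids that. The `interval` and `scrapeTimeout` values guarded in the second servicemonitor hunk are duration strings such as `60s`, so quoting there is optional, though `| quote` would make all three consistent. The `with .Values.prometheus.servicemonitor.labels` block that follows (context lines) can still emit a second `prometheus:` key when a user sets that label, which is a duplicate mapping key; that is pre-existing and worth a comment, `# a 'prometheus' key in .labels duplicates the line above`, rather than a change here.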
@@ -78,7 +78,9 @@ spec:
       {{- end }}
       {{- with .Values.startupapicheck.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.startupapicheck.affinity }}
       affinity:
diff --git a/charts/cert-manager/templates/webhook-deployment.yaml b/charts/cert-manager/templates/webhook-deployment.yaml
index 857cf353d8..f237c2d976 100644
--- a/charts/cert-manager/templates/webhook-deployment.yaml
+++ b/charts/cert-manager/templates/webhook-deployment.yaml
@@ -137,11 +137,7 @@ spec:
           livenessProbe:
             httpGet:
               path: /livez
-              {{- if $config.healthzPort }}
-              port: {{ $config.healthzPort }}
-              {{- else }}
-              port: 6080
-              {{- end }}
+              port: healthcheck
               scheme: HTTP
             initialDelaySeconds: {{ .Values.webhook.livenessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.webhook.livenessProbe.periodSeconds }}
@@ -151,11 +147,7 @@ spec:
           readinessProbe:
             httpGet:
               path: /healthz
-              {{- if $config.healthzPort }}
-              port: {{ $config.healthzPort }}
-              {{- else }}
-              port: 6080
-              {{- end }}
+              port: healthcheck
               scheme: HTTP
             initialDelaySeconds: {{ .Values.webhook.readinessProbe.initialDelaySeconds }}
             periodSeconds: {{ .Values.webhook.readinessProbe.periodSeconds }}
@@ -190,7 +182,9 @@ spec:
       {{- end }}
       {{- with .Values.webhook.nodeSelector }}
       nodeSelector:
-        {{- toYaml . | nindent 8 }}
+        {{- range $key, $value := . }}
+        {{ $key }}: {{ $value | quote }}
+        {{- end }}
       {{- end }}
       {{- with .Values.webhook.affinity }}
       affinity:
diff --git a/charts/cert-manager/values.schema.json b/charts/cert-manager/values.schema.json
index 36d1d0ca85..bd30c0d171 100644
--- a/charts/cert-manager/values.schema.json
+++ b/charts/cert-manager/values.schema.json
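Review bot: Both probes now reference the named port `healthcheck` instead of `$config.healthzPort` or `6080`, so they work only if the container's `ports:` list (outside these hunks) declares a port with exactly that name bound to the configured healthz port; if that declaration still hard-codes `6080` while `$config.healthzPort` remains a supported override, the probes would target a port nobody listens on and the liveness failure would keep restarting the webhook. A comment on the probe line, `port: healthcheck # must match the named containerPort that follows $config.healthzPort`, plus a check that the ports list is derived from the same value, would pin that dependency. The same point applies to the readinessProbe hunk directly below.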
@@ -236,7 +236,7 @@
 "issuers.cert-manager.io/*",
 "clusterissuers.cert-manager.io/*"
 ],
- "description": "List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because eg. you are using approver-policy, you can enable 'disableAutoApproval'.\nref: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
+ "description": "List of signer names that cert-manager will approve by default. CertificateRequests referencing these signer names will be auto-approved by cert-manager. Defaults to just approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'.\nref: https://cert-manager.io/docs/concepts/certificaterequest/#approval",
 "items": {},
 "type": "array"
 },
@@ -461,10 +461,10 @@
 "type": "boolean"
 },
 "helm-values.cainjector.podDisruptionBudget.maxUnavailable": {
- "description": "`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to\nan integer (e.g. 1) or a percentage value (e.g. 25%).\nCannot be used if `minAvailable` is set."
+ "description": "`maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to\nan integer (e.g., 1) or a percentage value (e.g., 25%).\nCannot be used if `minAvailable` is set."
 },
 "helm-values.cainjector.podDisruptionBudget.minAvailable": {
- "description": "`minAvailable` configures the minimum available pods for disruptions. It can either be set to\nan integer (e.g. 1) or a percentage value (e.g. 25%).\nCannot be used if `maxUnavailable` is set."
+ "description": "`minAvailable` configures the minimum available pods for disruptions. It can either be set to\nan integer (e.g., 1) or a percentage value (e.g., 25%).\nCannot be used if `maxUnavailable` is set."
 },
 "helm-values.cainjector.podLabels": {
 "default": {},
@@ -579,7 +579,7 @@ }, "helm-values.config": { "default": {}, - "description": "This property is used to configure options for the controller pod. This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n apiVersion: controller.config.cert-manager.io/v1alpha1\n kind: ControllerConfiguration\n logging:\n verbosity: 2\n format: text\n leaderElectionConfig:\n namespace: kube-system\n kubernetesAPIQPS: 9000\n kubernetesAPIBurst: 9000\n numberOfConcurrentWorkers: 200\n enableGatewayAPI: true\n # Feature gates as of v1.17.0. Listed with their default values.\n # See https://cert-manager.io/docs/cli/controller/\n featureGates:\n AdditionalCertificateOutputFormats: true # BETA - default=true\n AllAlpha: false # ALPHA - default=false\n AllBeta: false # BETA - default=false\n ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n ExperimentalGatewayAPISupport: true # BETA - default=true\n LiteralCertificateSubject: true # BETA - default=true\n NameConstraints: true # BETA - default=true\n OtherNames: false # ALPHA - default=false\n SecretsFilteredCaching: true # BETA - default=true\n ServerSideApply: false # ALPHA - default=false\n StableCertificateRequestName: true # BETA - default=true\n UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n UseDomainQualifiedFinalizer: true # BETA - default=false\n ValidateCAA: false # ALPHA - default=false\n # Configure the metrics server for TLS\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n metricsTLSConfig:\n dynamic:\n secretNamespace: \"cert-manager\"\n secretName: \"cert-manager-metrics-ca\"\n dnsNames:\n - cert-manager-metrics", + "description": "This property is used to configure options for the controller pod. 
This allows setting options that would usually be provided using flags.\n\nIf `apiVersion` and `kind` are unspecified they default to the current latest version (currently `controller.config.cert-manager.io/v1alpha1`). You can pin the version by specifying the `apiVersion` yourself.\n\nFor example:\nconfig:\n apiVersion: controller.config.cert-manager.io/v1alpha1\n kind: ControllerConfiguration\n logging:\n verbosity: 2\n format: text\n leaderElectionConfig:\n namespace: kube-system\n kubernetesAPIQPS: 9000\n kubernetesAPIBurst: 9000\n numberOfConcurrentWorkers: 200\n enableGatewayAPI: true\n # Feature gates as of v1.18.0. Listed with their default values.\n # See https://cert-manager.io/docs/cli/controller/\n featureGates:\n AdditionalCertificateOutputFormats: true # GA - default=true\n AllAlpha: false # ALPHA - default=false\n AllBeta: false # BETA - default=false\n ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false\n ExperimentalGatewayAPISupport: true # BETA - default=true\n LiteralCertificateSubject: true # BETA - default=true\n NameConstraints: true # BETA - default=true\n OtherNames: false # ALPHA - default=false\n SecretsFilteredCaching: true # BETA - default=true\n ServerSideApply: false # ALPHA - default=false\n StableCertificateRequestName: true # BETA - default=true\n UseCertificateRequestBasicConstraints: false # ALPHA - default=false\n UseDomainQualifiedFinalizer: true # GA - default=true\n ValidateCAA: false # ALPHA - default=false\n # Configure the metrics server for TLS\n # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls\n metricsTLSConfig:\n dynamic:\n secretNamespace: \"cert-manager\"\n secretName: \"cert-manager-metrics-ca\"\n dnsNames:\n - cert-manager-metrics", "type": "object" }, "helm-values.containerSecurityContext": { 
@@ -796,6 +796,9 @@
 },
 "create": {
 "$ref": "#/$defs/helm-values.global.rbac.create"
+ },
+ "disableHTTPChallengesRole": {
+ "$ref": "#/$defs/helm-values.global.rbac.disableHTTPChallengesRole"
 }
 },
 "type": "object"
@@ -810,6 +813,11 @@
 "description": "Create required ClusterRoles and ClusterRoleBindings for cert-manager.",
 "type": "boolean"
 },
+ "helm-values.global.rbac.disableHTTPChallengesRole": {
+ "default": false,
+ "description": "To use HTTP-01 ACME challenges, cert-manager needs extra permissions to create pods. If you want to avoid this added permission and disable HTTP-01 set this value.",
+ "type": "boolean"
+ },
 "helm-values.global.revisionHistoryLimit": {
 "description": "The number of old ReplicaSets to retain to allow rollback (if not set, the default Kubernetes value is set to 10).",
 "type": "number"
@@ -921,7 +929,7 @@
 "type": "number"
 },
 "helm-values.nameOverride": {
- "description": "Override the \"cert-manager.name\" value, which is used to annotate some of the resources that are created by this Chart (using \"app.kubernetes.io/name\"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use eg. \"cainjector.name\" which resolves to the value \"cainjector\").",
+ "description": "Override the \"cert-manager.name\" value, which is used to annotate some of the resources that are created by this Chart (using \"app.kubernetes.io/name\"). NOTE: There are some inconsistencies in the Helm chart when it comes to these annotations (some resources use, e.g., \"cainjector.name\" which resolves to the value \"cainjector\").",
 "type": "string"
 },
 "helm-values.namespace": {
@@ -965,10 +973,10 @@
 "type": "boolean"
 },
 "helm-values.podDisruptionBudget.maxUnavailable": {
- "description": "This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%). it cannot be used if `minAvailable` is set."
+ "description": "This configures the maximum unavailable pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%). it cannot be used if `minAvailable` is set."
 },
 "helm-values.podDisruptionBudget.minAvailable": {
- "description": "This configures the minimum available pods for disruptions. It can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `maxUnavailable` is set."
+ "description": "This configures the minimum available pods for disruptions. It can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).\nIt cannot be used if `maxUnavailable` is set."
 },
 "helm-values.podDnsConfig": {
 "description": "Pod DNS configuration. The podDnsConfig field is optional and can work with any podDnsPolicy settings. However, when a Pod's dnsPolicy is set to \"None\", the dnsConfig field has to be specified. For more information, see [Pod's DNS Config](https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config).",
@@ -1000,7 +1008,7 @@
 },
 "helm-values.prometheus.enabled": {
 "default": true,
- "description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.",
+ "description": "Enable Prometheus monitoring for the cert-manager controller and webhook. If you use the Prometheus Operator, set prometheus.podmonitor.enabled or prometheus.servicemonitor.enabled, to create a PodMonitor or a\nServiceMonitor resource.\nOtherwise, 'prometheus.io' annotations are added to the cert-manager and cert-manager-webhook Deployments. Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error.",
 "type": "boolean"
 },
 "helm-values.prometheus.podmonitor": {
@@ -1177,9 +1185,8 @@
 "type": "string"
 },
 "helm-values.prometheus.servicemonitor.targetPort": {
- "default": 9402,
- "description": "The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics.",
- "type": "number"
+ "default": "http-metrics",
+ "description": "The target port to set on the ServiceMonitor. This must match the port that the cert-manager controller is listening on for metrics."
 },
 "helm-values.replicaCount": {
 "default": 1,
@@ -1948,10 +1955,10 @@ "type": "boolean" }, "helm-values.webhook.podDisruptionBudget.maxUnavailable": { - "description": "This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `minAvailable` is set." + "description": "This property configures the maximum unavailable pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).\nIt cannot be used if `minAvailable` is set." }, "helm-values.webhook.podDisruptionBudget.minAvailable": { - "description": "This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g. 1) or a percentage value (e.g. 25%).\nIt cannot be used if `maxUnavailable` is set." + "description": "This property configures the minimum available pods for disruptions. Can either be set to an integer (e.g., 1) or a percentage value (e.g., 25%).\nIt cannot be used if `maxUnavailable` is set." }, "helm-values.webhook.podLabels": { "default": {}, diff --git a/charts/cert-manager/values.yaml b/charts/cert-manager/values.yaml index a8c94f8b46..6f6ccfca5e 100644 --- a/charts/cert-manager/values.yaml +++ b/charts/cert-manager/values.yaml @@ -33,6 +33,9 @@ global: create: true # Aggregate ClusterRoles to Kubernetes default user-facing roles. For more information, see [User-facing roles](https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles) aggregateClusterRoles: true + # To use HTTP-01 ACME challenges, cert-manager needs extra permissions to create pods. + # If you want to avoid this added permission and disable HTTP-01 set this value. + disableHTTPChallengesRole: false podSecurityPolicy: # Create PodSecurityPolicy for cert-manager. 
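Review bot: The comment on the new `disableHTTPChallengesRole` key describes the privilege it controls only as "create pods", which understates what is kept by default: with `false` every install, including clusters that only ever use DNS-01 issuers, grants the controller a cluster-wide pod-creation role it never exercises, and an HTTP-01 solver presumably also needs to create the Service and Ingress (or HTTPRoute) that expose that pod — the ClusterRole itself is outside this diff, so confirm which verbs it carries. Suggest saying so and pointing at the least-privilege setting, e.g. `# HTTP-01 ACME challenges require cert-manager to create solver pods (and the resources that expose them — see the HTTP-01 ClusterRole). Set this to true on clusters that only use DNS-01 issuers so that role is not granted at all.` The `rbac:` mapping this key belongs to starts before the hunk.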
@@ -117,14 +120,14 @@ podDisruptionBudget: enabled: false # This configures the minimum available pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # It cannot be used if `maxUnavailable` is set. # +docs:property # +docs:type=unknown # minAvailable: 1 # This configures the maximum unavailable pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # it cannot be used if `minAvailable` is set. # +docs:property # +docs:type=unknown @@ -176,7 +179,7 @@ namespace: "" # Override the "cert-manager.name" value, which is used to annotate some of # the resources that are created by this Chart (using "app.kubernetes.io/name"). # NOTE: There are some inconsistencies in the Helm chart when it comes to -# these annotations (some resources use eg. "cainjector.name" which resolves +# these annotations (some resources use, e.g., "cainjector.name" which resolves # to the value "cainjector"). # +docs:property # nameOverride: "my-cert-manager" @@ -231,10 +234,10 @@ enableCertificateOwnerRef: false # kubernetesAPIBurst: 9000 # numberOfConcurrentWorkers: 200 # enableGatewayAPI: true -# # Feature gates as of v1.17.0. Listed with their default values. +# # Feature gates as of v1.18.0. Listed with their default values. # # See https://cert-manager.io/docs/cli/controller/ # featureGates: -# AdditionalCertificateOutputFormats: true # BETA - default=true +# AdditionalCertificateOutputFormats: true # GA - default=true # AllAlpha: false # ALPHA - default=false # AllBeta: false # BETA - default=false # ExperimentalCertificateSigningRequestControllers: false # ALPHA - default=false 
@@ -246,7 +249,7 @@ enableCertificateOwnerRef: false # ServerSideApply: false # ALPHA - default=false # StableCertificateRequestName: true # BETA - default=true # UseCertificateRequestBasicConstraints: false # ALPHA - default=false -# UseDomainQualifiedFinalizer: true # BETA - default=false +# UseDomainQualifiedFinalizer: true # GA - default=true # ValidateCAA: false # ALPHA - default=false # # Configure the metrics server for TLS # # See https://cert-manager.io/docs/devops-tips/prometheus-metrics/#tls @@ -278,7 +281,7 @@ disableAutoApproval: false # referencing these signer names will be auto-approved by cert-manager. Defaults to just # approving the cert-manager.io Issuer and ClusterIssuer issuers. When set to an empty # array, ALL issuers will be auto-approved by cert-manager. To disable the auto-approval, -# because eg. you are using approver-policy, you can enable 'disableAutoApproval'. +# because, e.g., you are using approver-policy, you can enable 'disableAutoApproval'. # ref: https://cert-manager.io/docs/concepts/certificaterequest/#approval # +docs:property approveSignerNames: @@ -502,7 +505,7 @@ prometheus: # ServiceMonitor resource. # Otherwise, 'prometheus.io' annotations are added to the cert-manager and # cert-manager-webhook Deployments. - # Note that you can not enable both PodMonitor and ServiceMonitor as they are + # Note that you cannot enable both PodMonitor and ServiceMonitor as they are # mutually exclusive. Enabling both will result in an error. enabled: true @@ -522,7 +525,8 @@ prometheus: # The target port to set on the ServiceMonitor. This must match the port that the # cert-manager controller is listening on for metrics. - targetPort: 9402 + # +docs:type=string,integer + targetPort: http-metrics # The path to scrape for metrics. path: /metrics 
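Review bot: The comment above `targetPort: http-metrics` still says the value "must match the port that the cert-manager controller is listening on", but the new default is a port name rather than a number, and per the Prometheus Operator API a string `targetPort` on a ServiceMonitor endpoint is resolved against the name of a container port on the scraped pod — a mismatch yields no targets rather than an error, so the comment should say what the name has to match. Suggest `# The target port to set on the ServiceMonitor. Either the name or the number of the metrics container port on the cert-manager controller pod; the default is expected to match the port name declared in the controller Deployment (confirm that it is http-metrics).` The servicemonitor template renders this value unquoted, so a numeric override still works; the `servicemonitor:` mapping this key sits in starts before the hunk.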
@@ -556,7 +560,7 @@ prometheus: # +docs:property endpointAdditionalProperties: {} - # Note that you can not enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. + # Note that you cannot enable both PodMonitor and ServiceMonitor as they are mutually exclusive. Enabling both will result in an error. podmonitor: # Create a PodMonitor to add cert-manager to Prometheus. enabled: false @@ -706,14 +710,14 @@ webhook: enabled: false # This property configures the minimum available pods for disruptions. Can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # It cannot be used if `maxUnavailable` is set. # +docs:property # +docs:type=unknown # minAvailable: 1 # This property configures the maximum unavailable pods for disruptions. Can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # It cannot be used if `minAvailable` is set. # +docs:property # +docs:type=unknown @@ -1073,14 +1077,14 @@ cainjector: enabled: false # `minAvailable` configures the minimum available pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # Cannot be used if `maxUnavailable` is set. # +docs:property # +docs:type=unknown # minAvailable: 1 # `maxUnavailable` configures the maximum unavailable pods for disruptions. It can either be set to - # an integer (e.g. 1) or a percentage value (e.g. 25%). + # an integer (e.g., 1) or a percentage value (e.g., 25%). # Cannot be used if `minAvailable` is set. # +docs:property # +docs:type=unknown