{{- define "cert-manager-values" }} localCA: enabled: true cert-manager: {{- if not .Values.global.highAvailable }} strategy: type: Recreate {{- end }} {{- if eq .Values.global.platform "aws" }} {{- include "kubezero-lib.control-plane" . | nindent 2 }} webhook: {{- include "kubezero-lib.control-plane" . | nindent 4 }} cainjector: {{- include "kubezero-lib.control-plane" . | nindent 4 }} extraEnv: - name: AWS_REGION value: {{ .Values.global.aws.region }} {{ with index .Values "cert-manager" "IamArn" }} - name: AWS_ROLE_ARN value: "{{ . }}" - name: AWS_WEB_IDENTITY_TOKEN_FILE value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token" - name: AWS_STS_REGIONAL_ENDPOINTS value: regional volumes: - name: aws-token projected: sources: - serviceAccountToken: path: token expirationSeconds: 86400 audience: "sts.amazonaws.com" volumeMounts: - name: aws-token mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/" readOnly: true {{- end }} {{- end }} {{- if eq .Values.global.platform "gke" }} serviceAccount: annotations: iam.gke.io/gcp-service-account: "dns01-solver@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com" {{- end }} prometheus: servicemonitor: enabled: {{ $.Values.metrics.enabled }} {{- with index .Values "cert-manager" "clusterIssuer" }} clusterIssuer: {{- . | toYaml | nindent 2 }} {{- end }} {{- end }} {{- define "cert-manager-argo" }} {{- end }} {{ include "kubezero-app.app" . }}