KubeZero/charts/kubezero/templates/cert-manager.yaml

70 lines
1.6 KiB
YAML

{{- define "cert-manager-values" }}
localCA:
enabled: true
cert-manager:
{{- if not .Values.global.highAvailable }}
strategy:
type: Recreate
{{- end }}
{{- if eq .Values.global.platform "aws" }}
{{- include "kubezero-lib.control-plane" . | nindent 2 }}
webhook:
{{- include "kubezero-lib.control-plane" . | nindent 4 }}
cainjector:
{{- include "kubezero-lib.control-plane" . | nindent 4 }}
extraEnv:
- name: AWS_REGION
value: {{ .Values.global.aws.region }}
{{ with index .Values "cert-manager" "IamArn" }}
- name: AWS_ROLE_ARN
value: "{{ . }}"
- name: AWS_WEB_IDENTITY_TOKEN_FILE
value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
- name: AWS_STS_REGIONAL_ENDPOINTS
value: regional
volumes:
- name: aws-token
projected:
sources:
- serviceAccountToken:
path: token
expirationSeconds: 86400
audience: "sts.amazonaws.com"
volumeMounts:
- name: aws-token
mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
readOnly: true
{{- end }}
{{- end }}
{{- if eq .Values.global.platform "gke" }}
serviceAccount:
annotations:
iam.gke.io/gcp-service-account: "dns01-solver@{{ .Values.global.gcp.projectId }}.iam.gserviceaccount.com"
{{- end }}
prometheus:
servicemonitor:
enabled: {{ $.Values.metrics.enabled }}
{{- with index .Values "cert-manager" "clusterIssuer" }}
clusterIssuer:
{{- . | toYaml | nindent 2 }}
{{- end }}
{{- end }}
{{- define "cert-manager-argo" }}
{{- end }}
{{ include "kubezero-app.app" . }}