{"id":28899261,"url":"https://github.com/nalum/cert-manager-module","last_synced_at":"2025-08-17T22:11:07.607Z","repository":{"id":209880043,"uuid":"725126064","full_name":"nalum/cert-manager-module","owner":"nalum","description":"timoni.sh module for cert-manager","archived":false,"fork":false,"pushed_at":"2024-04-27T10:24:44.000Z","size":599,"stargazers_count":14,"open_issues_count":0,"forks_count":4,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-08-16T03:50:34.003Z","etag":null,"topics":["cert-manager","kubernetes","timoni"],"latest_commit_sha":null,"homepage":"","language":"CUE","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/nalum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-11-29T13:48:39.000Z","updated_at":"2025-08-03T11:00:23.000Z","dependencies_parsed_at":"2024-01-02T19:39:56.253Z","dependency_job_id":"160393d9-dd26-487b-8c2d-6633cefc730e","html_url":"https://github.com/nalum/cert-manager-module","commit_stats":null,"previous_names":["nalum/cert-manager-module"],"tags_count":10,"template":false,"template_full_name":null,"purl":"pkg:github/nalum/cert-manager-module","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalum%2Fcert-manager-module","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalum%2Fcert-manager-module/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalum%2Fcert-manager-module/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalum%2Fcert-manager-module/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/nalum","download_url":"https://codeload.github.com/nalum/cert-manager-module/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/nalum%2Fcert-manager-module/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":270912602,"owners_count":24666751,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-08-17T02:00:09.016Z","response_time":129,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cert-manager","kubernetes","timoni"],"created_at":"2025-06-21T08:08:54.293Z","updated_at":"2025-08-17T22:11:07.579Z","avatar_url":"https://github.com/nalum.png","language":"CUE","funding_links":[],"categories":[],"sub_categories":[],"readme":"# cert-manager\n\n[![cert-manager](https://img.shields.io/badge/cert--manager-v1.14.5-00bfff)](https://cert-manager.io)\n[![timoni.sh](https://img.shields.io/badge/timoni.sh-v0.21.0-7e56c2)](https://timoni.sh)\n[![License](https://img.shields.io/github/license/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/blob/main/LICENSE)\n[![Release](https://img.shields.io/github/v/release/nalum/cert-manager-module)](https://github.com/nalum/cert-manager-module/releases)\n\nA [timoni.sh](http://timoni.sh) module for deploying cert-manager to Kubernetes clusters.\n\n[![Timoni cert-manager](https://asciinema.org/a/631238.svg)](https://asciinema.org/a/631238)\n\nThis module is applied to these Kubernetes version in CI:\n\n- [![kubernetes](https://img.shields.io/badge/kubernetes-v1.27.11-326CE5?logo=kubernetes\u0026logoColor=white)](https://kubernetes.io)\n- [![kubernetes](https://img.shields.io/badge/kubernetes-v1.28.7-326CE5?logo=kubernetes\u0026logoColor=white)](https://kubernetes.io)\n- [![kubernetes](https://img.shields.io/badge/kubernetes-v1.29.2-326CE5?logo=kubernetes\u0026logoColor=white)](https://kubernetes.io)\n\n## Install\n\nTo create an instance using the default values:\n\n```shell\ntimoni -n cert-manager apply cert-manager oci://ghcr.io/nalum/timoni/modules/cert-manager\n```\n\nTo change the [default configuration](#configuration),\ncreate one or more `values.cue` files and apply them to the instance.\n\nFor example, create a file `my-values.cue` with the following content:\n\n```cue\nvalues: {\n highAvailability: enabled: true\n\n controller: {\n config: logging: format: \"json\"\n podDisruptionBudget: minAvailable: 2\n\n monitoring: {\n enabled: true\n }\n\n image: {\n tag: \"v1.14.0\"\n digest: \"sha256:2547fde4e736101abf33f8c2503f12aa3a0b42614d3d64cfecf2835c0ee81c10\"\n }\n }\n\n webhook: {\n podDisruptionBudget: minAvailable: 3\n }\n\n test: enabled: false\n}\n```\n\nAnd apply the values with:\n\n```shell\ntimoni -n cert-manager apply cert-manager oci://ghcr.io/nalum/timoni/modules/cert-manager \\\n --values ./my-values.cue\n```\n\n## Uninstall\n\nTo uninstall an instance and delete all its Kubernetes resources:\n\n```shell\ntimoni -n cert-manager delete cert-manager\n```\n\n## Configuration\n\n| KEY | TYPE | DEFAULT | DESCRIPTION |\n|------------------------------------------------------------------------------|------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|\n| `metadata: labels:` | `struct` | `{}` | Map of string keys and values that can be used to organize and categorize (scope and select) objects. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels |\n| `metadata: annotations:` | `struct` | `{}` | Annotations is an unstructured key value map stored with a resource that may be set to store and retrieve arbitrary metadata. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/annotations |\n| `imagePullSecrets:` | `list` | `[]` | Reference to one or more secrets to be used when pulling images ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/ |\n| `priorityClassName:` | `string` | `` | Optional priority class to be used for the cert-manager pods |\n| `logLevel:` | `int` | `2` | Logging verbosity |\n| `rbac: enabled:` | `bool` | `true` | Create the roles and bindings for cert-manager |\n| `rbac: aggregateClusterRoles:` | `bool` | `true` | Aggregate ClusterRoles to Kubernetes default user-facing roles. Ref: https://kubernetes.io/docs/reference/access-authn-authz/rbac/#user-facing-roles |\n| `podSecurityAdmission: mode:` | `string` | `\"enforce\"` | Set the PodSecurity admission controller mode for the namespace |\n| `podSecurityAdmission: level:` | `string` | `\"restricted\"` | Set the PodSecurity admission controller level for the namespace |\n| `highAvailability: enabled:` | `bool` | `false` | Enable high availability features |\n| `leaderElection: namespace:` | `string` | `\"kube-system\"` | Override the namespace used for the leader election lease |\n| `leaderElection: leaseDuration:` | `string` | `` | The duration that non-leader candidates will wait after observing a leadership renewal until attempting to acquire leadership of a led but unrenewed leader slot. This is effectively the maximum duration that a leader can be stopped before it is replaced by another candidate. |\n| `leaderElection: renewDeadline:` | `string` | `` | The interval between attempts by the acting master to renew a leadership slot before it stops leading. This must be less than or equal to the lease duration. |\n| `leaderElection: retryPeriod:` | `string` | `` | The duration the clients should wait between attempting acquisition and renewal of a leadership. |\n| `controller: clusterResourceNamespace:` | `string` | `` | Override the namespace used to store DNS provider credentials etc. for ClusterIssuer resources. By default, the same namespace as cert-manager is deployed within is used. This namespace will not be automatically created by the Helm chart. |\n| `controller: affinity:` | `struct` | `{}` | group of affinity scheduling rules. |\n| `controller: dns01RecursiveNameservers:` | `string` | `` | Comma separated string with host and port of the recursive nameservers cert-manager should query |\n| `controller: dns01RecursiveNameserversOnly:` | `bool` | `false` | Forces cert-manager to only use the recursive nameservers for verification. Enabling this option could cause the DNS01 self check to take longer due to caching performed by the recursive nameservers |\n| `controller: enableCertificateOwnerRef:` | `bool` | `false` | When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted |\n| `controller: featureGates:` | `string` | `` | Comma separated list of feature gates that should be enabled on the controller pod. |\n| `controller: maxConcurrentChallenges:` | `int` | `60` | The maximum number of challenges that can be scheduled as 'processing' at once |\n| `controller: podDNSConfig:` | `struct` | `{}` | Optional DNS settings, useful if you have a public and private DNS zone for the same domain on Route 53. What follows is an example of ensuring cert-manager can access an ingress or DNS TXT records at all times. NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for the cluster to work. |\n| `controller: podDNSPolicy:` | `string` | `\"ClusterFirst\"` | |\n| `controller: monitoring: enabled:` | `bool` | `false` | Enable Prometheus monitoring for the cert-manager controller to use with the Prometheus Operator. |\n| `controller: monitoring: namespace:` | `string` | `\"default\"` | The namespace to create the Monitor in |\n| `controller: monitoring: type:` | `string` | `\"Annotations\"` | The type of monitoring to enable, can be one of \"ServiceMonitor\", \"PodMonitor\" or \"Annotations\" If ServiceMonitor is used a Service will also be created |\n| `controller: monitoring: prometheusInstance:` | `string` | `\"default\"` | Specifies the `prometheus` label on the created PodMonitor/ServiceMonitor, this is used when different Prometheus instances have label selectors matching different PodMonitor/ServiceMonitor. |\n| `controller: monitoring: targetPort:` | `(int\\|string)` | `\"http-metrics\"` | The target port to set on the Monitor, should match the port that cert-manager controller is listening on for metrics |\n| `controller: monitoring: path:` | `string` | `\"/metrics\"` | The path to scrape for metrics |\n| `controller: monitoring: interval:` | `string` | `\"60s\"` | The interval to scrape metrics |\n| `controller: monitoring: scrapeTimeout:` | `string` | `\"30s\"` | The timeout before a metrics scrape fails |\n| `controller: monitoring: labels:` | `struct` | `{}` | Additional labels to add to the PodMonitor |\n| `controller: monitoring: annotations:` | `struct` | `{}` | Additional annotations to add to the PodMonitor |\n| `controller: monitoring: honorLabels:` | `bool` | `false` | Keep labels from scraped data, overriding server-side labels. |\n| `controller: monitoring: endpointAdditionalProperties:` | `struct` | `{}` | EndpointAdditionalProperties allows setting additional properties on the endpoint such as relabelings, metricRelabelings etc. For example: endpointAdditionalProperties: relabelings: - action: replace sourceLabels: - __meta_kubernetes_pod_node_name targetLabel: instance |\n| `controller: config:` | `struct` | `{\"apiVersion\": \"controller.config.cert-manager.io/v1alpha1\",\"kind\": \"ControllerConfiguration\",\"logging\": {\"verbosity\": 2,\"format\": \"text\"}, \"leaderElectionConfig\": {\"namespace\": \"kube-system\"}, \"kubernetesAPIQPS\": 9000,\"kubernetesAPIBurst\": 9000,\"numberOfConcurrentWorkers\": 200}` | Used to configure options for the controller pod. This allows setting options that'd usually be provided via flags. An APIVersion and Kind must be specified in your values.yaml file. Flags will override options that are set here. |\n| `controller: automountServiceAccountToken:` | `bool` | `false` | indicates whether a service account token should be automatically mounted. |\n| `controller: containerSecurityContext: capabilities: add:` | `list` | `[]` | Added capabilities |\n| `controller: containerSecurityContext: capabilities: drop:` | `list` | `[\"ALL\"]` | Removed capabilities |\n| `controller: containerSecurityContext: privileged:` | `(null\\|bool)` | `` | Run container in privileged mode. Processes in privileged containers are essentially equivalent to root on the host. Defaults to false. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: seLinuxOptions:` | `(null\\|struct)` | `` | The SELinux context to be applied to the container. If unspecified, the container runtime will allocate a random SELinux context for each container. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: windowsOptions:` | `(null\\|struct)` | `` | The Windows specific settings applied to all containers. If unspecified, the options from the PodSecurityContext will be used. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is linux. |\n| `controller: containerSecurityContext: runAsUser:` | `(null\\|int)` | `` | The UID to run the entrypoint of the container process. Defaults to user specified in image metadata if unspecified. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: runAsGroup:` | `(null\\|int)` | `` | The GID to run the entrypoint of the container process. Uses runtime default if unset. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: runAsNonRoot:` | `bool` | `true` | Indicates that the container must run as a non-root user. If true, the Kubelet will validate the image at runtime to ensure that it does not run as UID 0 (root) and fail to start the container if it does. If unset or false, no such validation will be performed. May also be set in PodSecurityContext. If set in both SecurityContext and PodSecurityContext, the value specified in SecurityContext takes precedence. |\n| `controller: containerSecurityContext: readOnlyRootFilesystem:` | `bool` | `true` | Whether this container has a read-only root filesystem. Default is false. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: allowPrivilegeEscalation:` | `bool` | `false` | AllowPrivilegeEscalation controls whether a process can gain more privileges than its parent process. This bool directly controls if the no_new_privs flag will be set on the container process. AllowPrivilegeEscalation is true always when the container is: 1) run as Privileged 2) has CAP_SYS_ADMIN Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: procMount:` | `(null\\|string)` | `` | procMount denotes the type of proc mount to use for the containers. The default is DefaultProcMount which uses the container runtime defaults for readonly paths and masked paths. This requires the ProcMountType feature flag to be enabled. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: containerSecurityContext: seccompProfile:` | `(null\\|struct)` | `` | The seccomp options to use by this container. If seccomp options are provided at both the pod \u0026 container level, the container options override the pod options. Note that this field cannot be set when spec.os.name is windows. |\n| `controller: deploymentAnnotations:` | `struct` | `{}` | is the annotations for the deployment. |\n| `controller: deploymentLabels:` | `struct` | `{}` | is the labels for the deployment. |\n| `controller: enableServiceLinks:` | `bool` | `false` | indicates whether information about services should be injected into pod's environment variables, matching the syntax of Docker links. |\n| `controller: extraArgs:` | `list` | `[]` | Additional command line flags to pass to cert-manager binaries. To see all available flags run docker run quay.io/jetstack/cert-manager-\u003ccomponent\u003e:\u003cversion\u003e --help |\n| `controller: extraEnvs:` | `list` | `[]` | is a list of additional environment variables to pass to the container. |\n| `controller: image: repository:` | `string` | `\"quay.io/jetstack/cert-manager-controller\"` | Repository is the address of a container registry repository. An image repository is made up of slash-separated name components, optionally prefixed by a registry hostname and port in the format [HOST[:PORT_NUMBER]/]PATH. |\n| `controller: image: tag:` | `string` | `\"v1.14.2\"` | Tag identifies an image in the repository. A tag name may contain lowercase and uppercase characters, digits, underscores, periods and dashes. A tag name may not start with a period or a dash and may contain a maximum of 128 characters. |\n| `controller: image: digest:` | `string` | `\"sha256:94c24f76822cbf523eedb36c4c4aaa1eb8fffad31841a82946a175c74e3a9673\"` | Digest uniquely and immutably identifies an image in the repository. Spec: https://github.com/opencontainers/image-spec/blob/main/descriptor.md#digests. |\n| `controller: image: pullPolicy:` | `string` | `\"IfNotPresent\"` | PullPolicy defines the pull policy for the image. By default, it is set to IfNotPresent. |\n| `controller: livenessProbe: initialDelaySeconds:` | `int` | `` | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |\n| `controller: livenessProbe: exec:` | `(null\\|struct)` | `` | Exec specifies the action to take. |\n| `controller: livenessProbe: timeoutSeconds:` | `int` | `` | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |\n| `controller: livenessProbe: periodSeconds:` | `int` | `` | How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. |\n| `controller: livenessProbe: successThreshold:` | `int` | `` | Minimum consecutive successes for the probe to be considered successful after having failed. Defaults to 1. Must be 1 for liveness and startup. Minimum value is 1. |\n| `controller: livenessProbe: failureThreshold:` | `int` | `` | Minimum consecutive failures for the probe to be considered failed after having succeeded. Defaults to 3. Minimum value is 1. |\n| `controller: livenessProbe: httpGet:` | `(null\\|struct)` | `` | HTTPGet specifies the http request to perform. |\n| `controller: livenessProbe: tcpSocket:` | `(null\\|struct)` | `` | TCPSocket specifies an action involving a TCP port. |\n| `controller: livenessProbe: terminationGracePeriodSeconds:` | `(null\\|int)` | `` | Optional duration in seconds the pod needs to terminate gracefully upon probe failure. The grace period is the duration in seconds after the processes running in the pod are sent a termination signal and the time when the processes are forcibly halted with a kill signal. Set this value longer than the expected cleanup time for your process. If this value is nil, the pod's terminationGracePeriodSeconds will be used. Otherwise, this value overrides the value provided by the pod spec. Value must be non-negative integer. The value zero indicates stop immediately via the kill signal (no opportunity to shut down). This is a beta field and requires enabling ProbeTerminationGracePeriod feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds is used if unset. |\n| `controller: livenessProbe: grpc:` | `(null\\|struct)` | `` | GRPC specifies an action involving a GRPC port. |\n| `controller: ingressShim:` | `struct` | `{}` | |\n| `controller: podAnnotations:` | `struct` | `{}` | is the annotations for the pod. |\n| `controller: podDisruptionBudget:` | `struct` | `{\"enabled\": false}` | is the pod disruption budget. |\n| `controller: podLabels:` | `struct` | `{}` | is the labels for the pod. |\n| `controller: proxy:` | `struct` | `` | defines the proxy configuration to be used by the container. |\n| `controller: readinessProbe: initialDelaySeconds:` | `int` | `` | Number of seconds after the container has started before liveness probes are initiated. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |\n| `controller: readinessProbe: exec:` | `(null\\|struct)` | `` | Exec specifies the action to take. |\n| `controller: readinessProbe: timeoutSeconds:` | `int` | `` | Number of seconds after which the probe times out. Defaults to 1 second. Minimum value is 1. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes |\n| `controller: readinessProbe: periodSeconds:` | `int` | `` | How often (in seconds) to perform the probe. Default to 10 seconds. Minimum value is 1. ","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnalum%2Fcert-manager-module","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fnalum%2Fcert-manager-module","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fnalum%2Fcert-manager-module/lists"}