|
|
@@ -0,0 +1,516 @@
|
|
|
+# Default values for cert-manager.
|
|
|
+# This is a YAML-formatted file.
|
|
|
+# Declare variables to be passed into your templates.
|
|
|
+global:
|
|
|
+ ## Reference to one or more secrets to be used when pulling images
|
|
|
+ ## ref: https://kubernetes.io/docs/tasks/configure-pod-container/pull-image-private-registry/
|
|
|
+ ##
|
|
|
+ imagePullSecrets: []
|
|
|
+ # - name: "image-pull-secret"
|
|
|
+
|
|
|
+ # Optional priority class to be used for the cert-manager pods
|
|
|
+ priorityClassName: ""
|
|
|
+ rbac:
|
|
|
+ create: true
|
|
|
+
|
|
|
+ podSecurityPolicy:
|
|
|
+ enabled: false
|
|
|
+ useAppArmor: true
|
|
|
+
|
|
|
+ # Set the verbosity of cert-manager. Range of 0 - 6 with 6 being the most verbose.
|
|
|
+ logLevel: 2
|
|
|
+
|
|
|
+ leaderElection:
|
|
|
+ # Override the namespace used to store the ConfigMap for leader election
|
|
|
+ namespace: "kube-system"
|
|
|
+
|
|
|
+ # The duration that non-leader candidates will wait after observing a
|
|
|
+ # leadership renewal until attempting to acquire leadership of a led but
|
|
|
+ # unrenewed leader slot. This is effectively the maximum duration that a
|
|
|
+ # leader can be stopped before it is replaced by another candidate.
|
|
|
+ # leaseDuration: 60s
|
|
|
+
|
|
|
+ # The interval between attempts by the acting master to renew a leadership
|
|
|
+ # slot before it stops leading. This must be less than or equal to the
|
|
|
+ # lease duration.
|
|
|
+ # renewDeadline: 40s
|
|
|
+
|
|
|
+ # The duration the clients should wait between attempting acquisition and
|
|
|
+ # renewal of a leadership.
|
|
|
+ # retryPeriod: 15s
|
|
|
+
|
|
|
+installCRDs: false
|
|
|
+
|
|
|
+replicaCount: 1
|
|
|
+
|
|
|
+strategy: {}
|
|
|
+ # type: RollingUpdate
|
|
|
+ # rollingUpdate:
|
|
|
+ # maxSurge: 0
|
|
|
+ # maxUnavailable: 1
|
|
|
+
|
|
|
+# Comma separated list of feature gates that should be enabled on the
|
|
|
+# controller pod.
|
|
|
+featureGates: ""
|
|
|
+
|
|
|
+image:
|
|
|
+ repository: quay.io/jetstack/cert-manager-controller
|
|
|
+ # You can manage a registry with
|
|
|
+ # registry: quay.io
|
|
|
+ # repository: jetstack/cert-manager-controller
|
|
|
+
|
|
|
+ # Override the image tag to deploy by setting this variable.
|
|
|
+ # If no value is set, the chart's appVersion will be used.
|
|
|
+ # tag: canary
|
|
|
+
|
|
|
+ # Setting a digest will override any tag
|
|
|
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
|
|
+ pullPolicy: IfNotPresent
|
|
|
+
|
|
|
+# Override the namespace used to store DNS provider credentials etc. for ClusterIssuer
|
|
|
+# resources. By default, the same namespace as cert-manager is deployed within is
|
|
|
+# used. This namespace will not be automatically created by the Helm chart.
|
|
|
+clusterResourceNamespace: ""
|
|
|
+
|
|
|
+serviceAccount:
|
|
|
+ # Specifies whether a service account should be created
|
|
|
+ create: true
|
|
|
+ # The name of the service account to use.
|
|
|
+ # If not set and create is true, a name is generated using the fullname template
|
|
|
+ # name: ""
|
|
|
+ # Optional additional annotations to add to the controller's ServiceAccount
|
|
|
+ # annotations: {}
|
|
|
+ # Automount API credentials for a Service Account.
|
|
|
+ automountServiceAccountToken: true
|
|
|
+
|
|
|
+# Additional command line flags to pass to cert-manager controller binary.
|
|
|
+# To see all available flags run docker run quay.io/jetstack/cert-manager-controller:<version> --help
|
|
|
+extraArgs: []
|
|
|
+ # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
|
|
|
+ # - --enable-certificate-owner-ref=true
|
|
|
+ # Use this flag to enabled or disable arbitrary controllers, for example, disable the CertificiateRequests approver
|
|
|
+ # - --controllers=*,-certificaterequests-approver
|
|
|
+
|
|
|
+extraEnv: []
|
|
|
+# - name: SOME_VAR
|
|
|
+# value: 'some value'
|
|
|
+
|
|
|
+resources: {}
|
|
|
+ # requests:
|
|
|
+ # cpu: 10m
|
|
|
+ # memory: 32Mi
|
|
|
+
|
|
|
+# Pod Security Context
|
|
|
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+securityContext:
|
|
|
+ runAsNonRoot: true
|
|
|
+# legacy securityContext parameter format: if enabled is set to true, only fsGroup and runAsUser are supported
|
|
|
+# securityContext:
|
|
|
+# enabled: false
|
|
|
+# fsGroup: 1001
|
|
|
+# runAsUser: 1001
|
|
|
+# to support additional securityContext parameters, omit the `enabled` parameter and simply specify the parameters
|
|
|
+# you want to set, e.g.
|
|
|
+# securityContext:
|
|
|
+# fsGroup: 1000
|
|
|
+# runAsUser: 1000
|
|
|
+# runAsNonRoot: true
|
|
|
+
|
|
|
+# Container Security Context to be set on the controller component container
|
|
|
+# ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+containerSecurityContext: {}
|
|
|
+ # capabilities:
|
|
|
+ # drop:
|
|
|
+ # - ALL
|
|
|
+ # readOnlyRootFilesystem: true
|
|
|
+ # runAsNonRoot: true
|
|
|
+
|
|
|
+
|
|
|
+volumes: []
|
|
|
+
|
|
|
+volumeMounts: []
|
|
|
+
|
|
|
+# Optional additional annotations to add to the controller Deployment
|
|
|
+# deploymentAnnotations: {}
|
|
|
+
|
|
|
+# Optional additional annotations to add to the controller Pods
|
|
|
+# podAnnotations: {}
|
|
|
+
|
|
|
+podLabels: {}
|
|
|
+
|
|
|
+# Optional annotations to add to the controller Service
|
|
|
+# serviceAnnotations: {}
|
|
|
+
|
|
|
+# Optional additional labels to add to the controller Service
|
|
|
+# serviceLabels: {}
|
|
|
+
|
|
|
+# Optional DNS settings, useful if you have a public and private DNS zone for
|
|
|
+# the same domain on Route 53. What follows is an example of ensuring
|
|
|
+# cert-manager can access an ingress or DNS TXT records at all times.
|
|
|
+# NOTE: This requires Kubernetes 1.10 or `CustomPodDNS` feature gate enabled for
|
|
|
+# the cluster to work.
|
|
|
+# podDnsPolicy: "None"
|
|
|
+# podDnsConfig:
|
|
|
+# nameservers:
|
|
|
+# - "1.1.1.1"
|
|
|
+# - "8.8.8.8"
|
|
|
+
|
|
|
+nodeSelector: {}
|
|
|
+
|
|
|
+ingressShim: {}
|
|
|
+ # defaultIssuerName: ""
|
|
|
+ # defaultIssuerKind: ""
|
|
|
+ # defaultIssuerGroup: ""
|
|
|
+
|
|
|
+prometheus:
|
|
|
+ enabled: true
|
|
|
+ servicemonitor:
|
|
|
+ enabled: false
|
|
|
+ prometheusInstance: default
|
|
|
+ targetPort: 9402
|
|
|
+ path: /metrics
|
|
|
+ interval: 60s
|
|
|
+ scrapeTimeout: 30s
|
|
|
+ labels: {}
|
|
|
+ honorLabels: false
|
|
|
+
|
|
|
+# Use these variables to configure the HTTP_PROXY environment variables
|
|
|
+# http_proxy: "http://proxy:8080"
|
|
|
+# https_proxy: "https://proxy:8080"
|
|
|
+# no_proxy: 127.0.0.1,localhost
|
|
|
+
|
|
|
+# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#affinity-v1-core
|
|
|
+# for example:
|
|
|
+# affinity:
|
|
|
+# nodeAffinity:
|
|
|
+# requiredDuringSchedulingIgnoredDuringExecution:
|
|
|
+# nodeSelectorTerms:
|
|
|
+# - matchExpressions:
|
|
|
+# - key: foo.bar.com/role
|
|
|
+# operator: In
|
|
|
+# values:
|
|
|
+# - master
|
|
|
+affinity: {}
|
|
|
+
|
|
|
+# expects input structure as per specification https://kubernetes.io/docs/reference/generated/kubernetes-api/v1.11/#toleration-v1-core
|
|
|
+# for example:
|
|
|
+# tolerations:
|
|
|
+# - key: foo.bar.com/role
|
|
|
+# operator: Equal
|
|
|
+# value: master
|
|
|
+# effect: NoSchedule
|
|
|
+tolerations: []
|
|
|
+
|
|
|
+webhook:
|
|
|
+ replicaCount: 1
|
|
|
+ timeoutSeconds: 10
|
|
|
+
|
|
|
+ # Used to configure options for the webhook pod.
|
|
|
+ # This allows setting options that'd usually be provided via flags.
|
|
|
+ # An APIVersion and Kind must be specified in your values.yaml file.
|
|
|
+ # Flags will override options that are set here.
|
|
|
+ config:
|
|
|
+ # apiVersion: webhook.config.cert-manager.io/v1alpha1
|
|
|
+ # kind: WebhookConfiguration
|
|
|
+
|
|
|
+ # The port that the webhook should listen on for requests.
|
|
|
+ # In GKE private clusters, by default kubernetes apiservers are allowed to
|
|
|
+ # talk to the cluster nodes only on 443 and 10250. so configuring
|
|
|
+ # securePort: 10250, will work out of the box without needing to add firewall
|
|
|
+ # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000.
|
|
|
+ # This should be uncommented and set as a default by the chart once we graduate
|
|
|
+ # the apiVersion of WebhookConfiguration past v1alpha1.
|
|
|
+ # securePort: 10250
|
|
|
+
|
|
|
+ strategy: {}
|
|
|
+ # type: RollingUpdate
|
|
|
+ # rollingUpdate:
|
|
|
+ # maxSurge: 0
|
|
|
+ # maxUnavailable: 1
|
|
|
+
|
|
|
+ # Pod Security Context to be set on the webhook component Pod
|
|
|
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+ securityContext:
|
|
|
+ runAsNonRoot: true
|
|
|
+
|
|
|
+ # Container Security Context to be set on the webhook component container
|
|
|
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+ containerSecurityContext: {}
|
|
|
+ # capabilities:
|
|
|
+ # drop:
|
|
|
+ # - ALL
|
|
|
+ # readOnlyRootFilesystem: true
|
|
|
+ # runAsNonRoot: true
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the webhook Deployment
|
|
|
+ # deploymentAnnotations: {}
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the webhook Pods
|
|
|
+ # podAnnotations: {}
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the webhook Service
|
|
|
+ # serviceAnnotations: {}
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the webhook MutatingWebhookConfiguration
|
|
|
+ # mutatingWebhookConfigurationAnnotations: {}
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the webhook ValidatingWebhookConfiguration
|
|
|
+ # validatingWebhookConfigurationAnnotations: {}
|
|
|
+
|
|
|
+ # Additional command line flags to pass to cert-manager webhook binary.
|
|
|
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-webhook:<version> --help
|
|
|
+ extraArgs: []
|
|
|
+ # Path to a file containing a WebhookConfiguration object used to configure the webhook
|
|
|
+ # - --config=<path-to-config-file>
|
|
|
+
|
|
|
+ resources: {}
|
|
|
+ # requests:
|
|
|
+ # cpu: 10m
|
|
|
+ # memory: 32Mi
|
|
|
+
|
|
|
+ ## Liveness and readiness probe values
|
|
|
+ ## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
|
|
|
+ ##
|
|
|
+ livenessProbe:
|
|
|
+ failureThreshold: 3
|
|
|
+ initialDelaySeconds: 60
|
|
|
+ periodSeconds: 10
|
|
|
+ successThreshold: 1
|
|
|
+ timeoutSeconds: 1
|
|
|
+ readinessProbe:
|
|
|
+ failureThreshold: 3
|
|
|
+ initialDelaySeconds: 5
|
|
|
+ periodSeconds: 5
|
|
|
+ successThreshold: 1
|
|
|
+ timeoutSeconds: 1
|
|
|
+
|
|
|
+ nodeSelector: {}
|
|
|
+
|
|
|
+ affinity: {}
|
|
|
+
|
|
|
+ tolerations: []
|
|
|
+
|
|
|
+ # Optional additional labels to add to the Webhook Pods
|
|
|
+ podLabels: {}
|
|
|
+
|
|
|
+ # Optional additional labels to add to the Webhook Service
|
|
|
+ serviceLabels: {}
|
|
|
+
|
|
|
+ image:
|
|
|
+ repository: quay.io/jetstack/cert-manager-webhook
|
|
|
+ # You can manage a registry with
|
|
|
+ # registry: quay.io
|
|
|
+ # repository: jetstack/cert-manager-webhook
|
|
|
+
|
|
|
+ # Override the image tag to deploy by setting this variable.
|
|
|
+ # If no value is set, the chart's appVersion will be used.
|
|
|
+ # tag: canary
|
|
|
+
|
|
|
+ # Setting a digest will override any tag
|
|
|
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
|
|
+
|
|
|
+ pullPolicy: IfNotPresent
|
|
|
+
|
|
|
+ serviceAccount:
|
|
|
+ # Specifies whether a service account should be created
|
|
|
+ create: true
|
|
|
+ # The name of the service account to use.
|
|
|
+ # If not set and create is true, a name is generated using the fullname template
|
|
|
+ # name: ""
|
|
|
+ # Optional additional annotations to add to the controller's ServiceAccount
|
|
|
+ # annotations: {}
|
|
|
+ # Automount API credentials for a Service Account.
|
|
|
+ automountServiceAccountToken: true
|
|
|
+
|
|
|
+ # The port that the webhook should listen on for requests.
|
|
|
+ # In GKE private clusters, by default kubernetes apiservers are allowed to
|
|
|
+ # talk to the cluster nodes only on 443 and 10250. so configuring
|
|
|
+ # securePort: 10250, will work out of the box without needing to add firewall
|
|
|
+ # rules or requiring NET_BIND_SERVICE capabilities to bind port numbers <1000
|
|
|
+ securePort: 10250
|
|
|
+
|
|
|
+ # Specifies if the webhook should be started in hostNetwork mode.
|
|
|
+ #
|
|
|
+ # Required for use in some managed kubernetes clusters (such as AWS EKS) with custom
|
|
|
+ # CNI (such as calico), because control-plane managed by AWS cannot communicate
|
|
|
+ # with pods' IP CIDR and admission webhooks are not working
|
|
|
+ #
|
|
|
+ # Since the default port for the webhook conflicts with kubelet on the host
|
|
|
+ # network, `webhook.securePort` should be changed to an available port if
|
|
|
+ # running in hostNetwork mode.
|
|
|
+ hostNetwork: false
|
|
|
+
|
|
|
+ # Specifies how the service should be handled. Useful if you want to expose the
|
|
|
+ # webhook to outside of the cluster. In some cases, the control plane cannot
|
|
|
+ # reach internal services.
|
|
|
+ serviceType: ClusterIP
|
|
|
+ # loadBalancerIP:
|
|
|
+
|
|
|
+ # Overrides the mutating webhook and validating webhook so they reach the webhook
|
|
|
+ # service using the `url` field instead of a service.
|
|
|
+ url: {}
|
|
|
+ # host:
|
|
|
+
|
|
|
+cainjector:
|
|
|
+ enabled: true
|
|
|
+ replicaCount: 1
|
|
|
+
|
|
|
+ strategy: {}
|
|
|
+ # type: RollingUpdate
|
|
|
+ # rollingUpdate:
|
|
|
+ # maxSurge: 0
|
|
|
+ # maxUnavailable: 1
|
|
|
+
|
|
|
+ # Pod Security Context to be set on the cainjector component Pod
|
|
|
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+ securityContext:
|
|
|
+ runAsNonRoot: true
|
|
|
+
|
|
|
+ # Container Security Context to be set on the cainjector component container
|
|
|
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+ containerSecurityContext: {}
|
|
|
+ # capabilities:
|
|
|
+ # drop:
|
|
|
+ # - ALL
|
|
|
+ # readOnlyRootFilesystem: true
|
|
|
+ # runAsNonRoot: true
|
|
|
+
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the cainjector Deployment
|
|
|
+ # deploymentAnnotations: {}
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the cainjector Pods
|
|
|
+ # podAnnotations: {}
|
|
|
+
|
|
|
+ # Additional command line flags to pass to cert-manager cainjector binary.
|
|
|
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-cainjector:<version> --help
|
|
|
+ extraArgs: []
|
|
|
+ # Enable profiling for cainjector
|
|
|
+ # - --enable-profiling=true
|
|
|
+
|
|
|
+ resources: {}
|
|
|
+ # requests:
|
|
|
+ # cpu: 10m
|
|
|
+ # memory: 32Mi
|
|
|
+
|
|
|
+ nodeSelector: {}
|
|
|
+
|
|
|
+ affinity: {}
|
|
|
+
|
|
|
+ tolerations: []
|
|
|
+
|
|
|
+ # Optional additional labels to add to the CA Injector Pods
|
|
|
+ podLabels: {}
|
|
|
+
|
|
|
+ image:
|
|
|
+ repository: quay.io/jetstack/cert-manager-cainjector
|
|
|
+ # You can manage a registry with
|
|
|
+ # registry: quay.io
|
|
|
+ # repository: jetstack/cert-manager-cainjector
|
|
|
+
|
|
|
+ # Override the image tag to deploy by setting this variable.
|
|
|
+ # If no value is set, the chart's appVersion will be used.
|
|
|
+ # tag: canary
|
|
|
+
|
|
|
+ # Setting a digest will override any tag
|
|
|
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
|
|
+
|
|
|
+ pullPolicy: IfNotPresent
|
|
|
+
|
|
|
+ serviceAccount:
|
|
|
+ # Specifies whether a service account should be created
|
|
|
+ create: true
|
|
|
+ # The name of the service account to use.
|
|
|
+ # If not set and create is true, a name is generated using the fullname template
|
|
|
+ # name: ""
|
|
|
+ # Optional additional annotations to add to the controller's ServiceAccount
|
|
|
+ # annotations: {}
|
|
|
+ # Automount API credentials for a Service Account.
|
|
|
+ automountServiceAccountToken: true
|
|
|
+
|
|
|
+# This startupapicheck is a Helm post-install hook that waits for the webhook
|
|
|
+# endpoints to become available.
|
|
|
+# The check is implemented using a Kubernetes Job- if you are injecting mesh
|
|
|
+# sidecar proxies into cert-manager pods, you probably want to ensure that they
|
|
|
+# are not injected into this Job's pod. Otherwise the installation may time out
|
|
|
+# due to the Job never being completed because the sidecar proxy does not exit.
|
|
|
+# See https://github.com/jetstack/cert-manager/pull/4414 for context.
|
|
|
+startupapicheck:
|
|
|
+ enabled: true
|
|
|
+
|
|
|
+ # Pod Security Context to be set on the startupapicheck component Pod
|
|
|
+ # ref: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/
|
|
|
+ securityContext:
|
|
|
+ runAsNonRoot: true
|
|
|
+
|
|
|
+ # Timeout for 'kubectl check api' command
|
|
|
+ timeout: 1m
|
|
|
+
|
|
|
+ # Job backoffLimit
|
|
|
+ backoffLimit: 4
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the startupapicheck Job
|
|
|
+ jobAnnotations:
|
|
|
+ helm.sh/hook: post-install
|
|
|
+ helm.sh/hook-weight: "1"
|
|
|
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the startupapicheck Pods
|
|
|
+ # podAnnotations: {}
|
|
|
+
|
|
|
+ # Additional command line flags to pass to startupapicheck binary.
|
|
|
+ # To see all available flags run docker run quay.io/jetstack/cert-manager-ctl:<version> --help
|
|
|
+ extraArgs: []
|
|
|
+
|
|
|
+ resources: {}
|
|
|
+ # requests:
|
|
|
+ # cpu: 10m
|
|
|
+ # memory: 32Mi
|
|
|
+
|
|
|
+ nodeSelector: {}
|
|
|
+
|
|
|
+ affinity: {}
|
|
|
+
|
|
|
+ tolerations: []
|
|
|
+
|
|
|
+ # Optional additional labels to add to the startupapicheck Pods
|
|
|
+ podLabels: {}
|
|
|
+
|
|
|
+ image:
|
|
|
+ repository: quay.io/jetstack/cert-manager-ctl
|
|
|
+ # You can manage a registry with
|
|
|
+ # registry: quay.io
|
|
|
+ # repository: jetstack/cert-manager-ctl
|
|
|
+
|
|
|
+ # Override the image tag to deploy by setting this variable.
|
|
|
+ # If no value is set, the chart's appVersion will be used.
|
|
|
+ # tag: canary
|
|
|
+
|
|
|
+ # Setting a digest will override any tag
|
|
|
+ # digest: sha256:0e072dddd1f7f8fc8909a2ca6f65e76c5f0d2fcfb8be47935ae3457e8bbceb20
|
|
|
+
|
|
|
+ pullPolicy: IfNotPresent
|
|
|
+
|
|
|
+ rbac:
|
|
|
+ # annotations for the startup API Check job RBAC and PSP resources
|
|
|
+ annotations:
|
|
|
+ helm.sh/hook: post-install
|
|
|
+ helm.sh/hook-weight: "-5"
|
|
|
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
|
|
+
|
|
|
+ serviceAccount:
|
|
|
+ # Specifies whether a service account should be created
|
|
|
+ create: true
|
|
|
+
|
|
|
+ # The name of the service account to use.
|
|
|
+ # If not set and create is true, a name is generated using the fullname template
|
|
|
+ # name: ""
|
|
|
+
|
|
|
+ # Optional additional annotations to add to the Job's ServiceAccount
|
|
|
+ annotations:
|
|
|
+ helm.sh/hook: post-install
|
|
|
+ helm.sh/hook-weight: "-5"
|
|
|
+ helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded
|
|
|
+
|
|
|
+ # Automount API credentials for a Service Account.
|
|
|
+ automountServiceAccountToken: true
|
Christian