cert-manager is a Kubernetes addon to automate the management and issuance of
TLS certificates from various issuing sources.
The webhook component provides API validation, mutation and conversion
functionality for cert-manager.
Usage:
webhook [flags]
Flags:
--api-server-host string Optional apiserver host address to connect to. If not specified, autoconfiguration will be attempted.
--config string Path to a file containing a WebhookConfiguration object used to configure the webhook
--dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates
--dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs serving certificates
--dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the dynamic serving CA
--dynamic-serving-leaf-duration duration leaf duration of serving certificates (default 168h0m0s)
--enable-profiling Enable profiling for webhook.
--feature-gates mapStringBool A set of key=value pairs that describe feature gates for alpha/experimental features. Options are:
ACMEHTTP01IngressPathTypeExact=true|false (BETA - default=true)
AllAlpha=true|false (ALPHA - default=false)
AllBeta=true|false (BETA - default=false)
DefaultPrivateKeyRotationPolicyAlways=true|false (BETA - default=true)
ExperimentalCertificateSigningRequestControllers=true|false (ALPHA - default=false)
ExperimentalGatewayAPISupport=true|false (BETA - default=true)
LiteralCertificateSubject=true|false (BETA - default=true)
NameConstraints=true|false (BETA - default=true)
OtherNames=true|false (ALPHA - default=false)
SecretsFilteredCaching=true|false (BETA - default=true)
ServerSideApply=true|false (ALPHA - default=false)
StableCertificateRequestName=true|false (BETA - default=true)
UseCertificateRequestBasicConstraints=true|false (ALPHA - default=false)
ValidateCAA=true|false (ALPHA - default=false)
--healthz-port int32 port number to listen on for insecure healthz connections (default 6080)
-h, --help help for webhook
--kubeconfig string optional path to the kubeconfig used to connect to the apiserver. If not specified, in-cluster-config will be used
--log-flush-frequency duration Maximum number of seconds between log flushes (default 5s)
--logging-format string Sets the log format. Permitted formats: "json" (gated by LoggingBetaOptions), "text". (default "text")
--metrics-dynamic-serving-ca-secret-name string name of the secret used to store the CA that signs serving certificates
--metrics-dynamic-serving-ca-secret-namespace string namespace of the secret used to store the CA that signs metrics serving certificates
--metrics-dynamic-serving-dns-names strings DNS names that should be present on certificates generated by the metrics dynamic serving CA
--metrics-dynamic-serving-leaf-duration duration leaf duration of metrics serving certificates (default 168h0m0s)
--metrics-listen-address string The host and port that the metrics endpoint should listen on. The value '0' disables the metrics server (default "0.0.0.0:9402")
--metrics-tls-cert-file string path to the file containing the TLS certificate to serve metrics with
--metrics-tls-cipher-suites strings Comma-separated list of cipher suites for the metrics server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
--metrics-tls-min-version string Minimum TLS version supported by the metrics server. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
--metrics-tls-private-key-file string path to the file containing the TLS private key to serve metrics with
--profiler-address string Address of the Go profiler (pprof). This should never be exposed on a public interface. If this flag is not set, the profiler is not run. (default "localhost:6060")
--secure-port int32 port number to listen on for secure TLS connections (default 6443)
--tls-cert-file string path to the file containing the TLS certificate to serve with
--tls-cipher-suites strings Comma-separated list of cipher suites for the server. If omitted, the default Go cipher suites will be used. Possible values: TLS_AES_128_GCM_SHA256,TLS_AES_256_GCM_SHA384,TLS_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305,TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256,TLS_ECDHE_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_3DES_EDE_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_RSA_WITH_AES_128_CBC_SHA256,TLS_RSA_WITH_AES_128_GCM_SHA256,TLS_RSA_WITH_AES_256_CBC_SHA,TLS_RSA_WITH_AES_256_GCM_SHA384,TLS_RSA_WITH_RC4_128_SHA
--tls-min-version string Minimum TLS version supported. If omitted, the default Go minimum version will be used. Possible values: VersionTLS10, VersionTLS11, VersionTLS12, VersionTLS13
--tls-private-key-file string path to the file containing the TLS private key to serve with
-v, --v Level number for the log level verbosity
--vmodule pattern=N,... comma-separated list of pattern=N settings for file-filtered logging (only works for text log format)
