Important Announcement!

This deprecated version of TLS Protect for Kubernetes, originally known as Jetstack Secure, will be PERMANENTLY SHUTDOWN on May 19, 2025. If you're still using this version, please work with your CyberArk/Venafi account team to transition to the current version of TLS Protect for Kubernetes.

istio-csr image flags

cert-manager istio agent for signing istio agent certificate signing requests through cert-manager

Usage:
  cert-manager-istio-csr [flags]

App flags:
  -v, --log-level string   Log level (1-5). (default "1")
      --metrics-port int   Port to expose Prometheus metrics on 0.0.0.0 on path '/metrics'. (default 9402)
      --readiness-probe-path string   HTTP path to expose the readiness probe server. (default "/readyz")
      --readiness-probe-port int   Port to expose the readiness probe. (default 6060)

Cert-manager flags:
  -c, --certificate-namespace string   Namespace to request certificates. (default "istio-system")
  -g, --issuer-group string   Group of the issuer to sign istio workload certificates. (default "cert-manager.io")
  -k, --issuer-kind string   Kind of the issuer to sign istio workload certificates. (default "Issuer")
  -u, --issuer-name string   Name of the issuer to sign istio workload certificates. (default "istio-ca")
  -d, --preserve-certificate-requests   If enabled, will preserve created CertificateRequests, rather than deleting when they are ready. *WARNING*: do not use in production environments as over time requests will consume large amounts of etcd and API server resources.

Kubernetes flags:
      --as string   Username to impersonate for the operation. User could be a regular user or a service account in a namespace.
      --as-group stringArray   Group to impersonate for the operation, this flag can be repeated to specify multiple groups.
      --as-uid string   UID to impersonate for the operation.
      --cache-dir string   Default cache directory (default "/Users/joakim/.kube/cache")
      --certificate-authority string   Path to a cert file for the certificate authority
      --client-certificate string   Path to a client certificate file for TLS
      --client-key string   Path to a client key file for TLS
      --cluster string   The name of the kubeconfig cluster to use
      --context string   The name of the kubeconfig context to use
      --insecure-skip-tls-verify   If true, the server's certificate will not be checked for validity. This will make your HTTPS connections insecure
      --kubeconfig string   Path to the kubeconfig file to use for CLI requests.
  -n, --namespace string   If present, the namespace scope for this CLI request
      --request-timeout string   The length of time to wait before giving up on a single server request. Non-zero values should contain a corresponding time unit (e.g. 1s, 2m, 3h). A value of zero means don't timeout requests. (default "0")
  -s, --server string   The address and port of the Kubernetes API server
      --tls-server-name string   Server name to use for server certificate validation. If it is not provided, the hostname used to contact the server is used
      --token string   Bearer token for authentication to the API server
      --user string   The name of the kubeconfig user to use

TLS flags:
      --root-ca-file string   File location of a PEM encoded Roots CA bundle to be used as root of trust for TLS in the mesh. If empty, the CA returned from the cert-manager issuer will be used.
      --serving-certificate-dns-names strings   A list of DNS names to request for the server's serving certificate which will be presented to istio-agents. (default [cert-manager-istio-csr.cert-manager.svc])
  -t, --serving-certificate-duration duration   Certificate duration of serving certificates. Will be renewed after 2/3 of the duration. (default 1h0m0s)
      --trust-domain string   The Istio cluster's trust domain. (default "cluster.local")

Server flags:
      --cluster-id string   The ID of the istio cluster to verify. (default "Kubernetes")
  -m, --max-client-certificate-duration duration   Maximum duration a client certificate can be requested and valid for. Will override with this value if the requested duration is larger (default 1h0m0s)
  -a, --serving-address string   Address to serve certificates gRPC service. (default "0.0.0.0:6443")

Controller flags:
      --configmap-namespace-selector string   Selector to filter on namespaces where the controller creates istio-ca-root-cert ConfigMap. Supports '=', '==', and '!='.(e.g. -l key1=value1,key2=value2)
      --leader-election-namespace string   Namespace to use for controller leader election. (default "istio-system")
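
A deployment's istio-csr arguments can be checked against the cautions in the flag descriptions above. The following is an added example, not code from the istio-csr project: `Audit`, `RenewAfter` and the `maxLifetime` ceiling (set to the documented 1h default) are assumptions, and the argument list is constructed.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

const maxLifetime = time.Hour // assumed policy ceiling (the documented 1h default)

// Audit returns findings for istio-csr args given as "--flag", "--flag=value" or "--flag value".
func Audit(args []string) []string {
	var out []string
	for i := 0; i < len(args); i++ {
		name, val, hasVal := strings.Cut(args[i], "=")
		switch name {
		case "-d", "--preserve-certificate-requests":
			if !hasVal || val == "true" {
				out = append(out, name+": CertificateRequests are kept and accumulate in etcd")
			}
		case "--insecure-skip-tls-verify":
			if !hasVal || val == "true" {
				out = append(out, name+": API server certificate is not validated")
			}
		case "-t", "--serving-certificate-duration", "-m", "--max-client-certificate-duration":
			if !hasVal && i+1 < len(args) {
				i++
				val = args[i] // value passed as the next argument
			}
			// The flags are Go durations, so time.ParseDuration reads the same syntax.
			if d, err := time.ParseDuration(val); err != nil {
				out = append(out, fmt.Sprintf("%s: unparseable duration %q", name, val))
			} else if d > maxLifetime {
				out = append(out, fmt.Sprintf("%s=%s exceeds %s", name, d, maxLifetime))
			}
		}
	}
	return out
}

// RenewAfter is the renewal point the help text gives for serving certificates: 2/3 of the duration.
func RenewAfter(d time.Duration) time.Duration { return d * 2 / 3 }

func main() {
	// Constructed args, not taken from a real deployment.
	args := []string{"--preserve-certificate-requests", "-m", "24h", "--serving-certificate-duration=1h"}
	fmt.Println(strings.Join(Audit(args), "\n"))
	fmt.Println("1h serving certificate renews after", RenewAfter(time.Hour))
}
```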