Customize reflector chart & polish certs template

YuryHrytsuk · YuryHrytsuk · commit 6fc601dd7a91 · 2025-10-17T13:48:27.000+02:00
diff --git a/charts/cert-manager/templates/certificates.yaml b/charts/cert-manager/templates/certificates.yaml
@@ -4,6 +4,7 @@ kind: Certificate
 metadata:
   name: {{ .certName }}
 spec:
+  # https://github.com/emberstack/kubernetes-reflector?tab=readme-ov-file#cert-manager-support
   secretTemplate:
     annotations:
       reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
diff --git a/charts/reflector/namespace.yaml b/charts/reflector/namespace.yaml
@@ -0,0 +1,15 @@
+# namespace with defined pod security standard
+# inspired from https://aro-labs.com/pod-security-standards/
+# official doc: https://kubernetes.io/docs/concepts/security/pod-security-standards/
+#
+# Warning: if pod / container does not meet enforced standards, it will not be deployed (silently)
+# execute `kubectl -n <namespace> events` to see errors (e.g.)
+#   Error creating: pods "xyz" is forbidden: violates PodSecurity "baseline:latest": privileged
+#   container "xyz" must not set securityContext.privileged to true
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: reflector
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
diff --git a/charts/reflector/values.yaml.gotmpl b/charts/reflector/values.yaml.gotmpl
@@ -0,0 +1,4 @@
+configuration:
+  watcher:
+    # https://github.com/emberstack/kubernetes-reflector/issues/560#issuecomment-3415122791
+    timeout: 30  # seconds
