smallstep · brookelew · Jan 20, 2026
@@ -50,17 +50,21 @@ and their default values.
 | `image.repository`                                     | Repository of the Step Issuer image.                                                                      | `cr.step.sm/smallstep/step-issuer`  |
 | `image.tag`                                            | Tag of the image. If empty it will use .Chart.appVersion.                                                 | `""`                                |
 | `image.pullPolicy`                                     | Step Issuer image pull policy                                                                             | `IfNotPresent`                      |
+| `commonLabels`                                         | Additional labels to be added to most deployed resources.                                                 | `{}`                                |
 | `deployment.args.enableLeaderElection`                 | Enable k8s controller leader election.                                                                    | `true`                              |
 | `deployment.args.disableApprovalCheck`                 | To disable cert-manager approvals on old version of cert-manager.                                         | `false`                             |
 | `deployment.strategy`                                  | To change the deployment strategy.                                                                        | `{}`                                |
-| `deployment.priorityClassName`                         | Pod priority for the Kubernetes scheduler                                                                 | `""`                                |
+| `deployment.priorityClassName`                         | Pod priority for the Kubernetes scheduler.                                                                | `""`                                |
+| `deployment.labels`                                    | Additional labels for the deployment. To add labels to the pods, see `deployment.podLabels`.              | `{}`                                |
+| `deployment.podLabels`                                 | Additional labels for the pods.                                                                           | `{}`                                |
 | `stepIssuer.create`                                    | If we should automatically create a StepIssuer                                                            | `false`                             |
 | `stepIssuer.caUrl`                                     | Step Certificates CA URL. This is usually the step certificates service FQDN.                             | `""`                                |
 | `stepIssuer.caBundle`                                  | Step Certificates root certificate in a single-line base64 string.                                        | `""`                                |
 | `stepIssuer.provisioner.name`                          | Name of the provisioner used for authorizing the sign of certificates.                                    | `""`                                |
 | `stepIssuer.provisioner.kid`                           | Key id of the provisioner used for authorizing the sign of certificates.                                  | `""`                                |
 | `stepIssuer.provisioner.passwordRef.name`              | Name of the secret with the provisioner password.                                                         | `""`                                |
 | `stepIssuer.provisioner.passwordRef.key`               | Key name in the the secret with the provisioner password.                                                 | `""`                                |
+| `stepIssuer.labels`                                    | Additional labels for the issuer.                                                                         | `{}`                                |
 | `stepClusterIssuer.create`                             | If we should automatically create a StepClusterIssuer                                                     | `false`                             |
 | `stepClusterIssuer.caUrl`                              | Step Certificates CA URL. This is usually the step certificates service FQDN.                             | `""`                                |
 | `stepClusterIssuer.caBundle`                           | Step Certificates root certificate in a single-line base64 string.                                        | `""`                                |
@@ -69,3 +73,6 @@ and their default values.
 | `stepClusterIssuer.provisioner.passwordRef.name`       | Name of the secret with the provisioner password.                                                         | `""`                                |
 | `stepClusterIssuer.provisioner.passwordRef.key`        | Key name in the the secret with the provisioner password.                                                 | `""`                                |
 | `stepClusterIssuer.provisioner.passwordRef.namespace`  | Namespace where the provisioner password secret resides.                                                  | `""`                                |
+| `stepClusterIssuer.labels`                             | Additional labels for the cluster issuer.                                                                 | `{}`                                |
+| `service.labels`                                       | Additional labels for the service.                                                                        | `{}`                                |
+| `serviceAccount.labels`                                | Additional labels for the service account.                                                                | `{}`                                |
@@ -41,6 +41,9 @@ helm.sh/chart: {{ include "step-issuer.chart" . }}
 app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
 {{- end }}
 app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- with .Values.commonLabels }}
+{{ toYaml . }}
+{{- end }}
 {{- end -}}
 
 {{/*

@@ -6,6 +6,9 @@ metadata:
   labels:
     control-plane: {{ .Values.service.controlPlane }}
     {{- include "step-issuer.labels" . | nindent 4 }}
+  {{- with .Values.deployment.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   {{- if .Values.deployment.strategy }}
   strategy: {{ toYaml .Values.deployment.strategy | nindent 4 }}
@@ -20,6 +23,9 @@ spec:
       labels:
         control-plane: {{ .Values.service.controlPlane }}
         {{- include "step-issuer.labels" . | nindent 8 }}
+      {{- with .Values.deployment.podLabels }}
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
     spec:
       {{- if $.Values.imagePullSecrets }}
       imagePullSecrets:

@@ -5,8 +5,11 @@ metadata:
   name: {{ include "step-issuer.serviceAccountName" . }}
   labels:
     {{- include "step-issuer.labels" . | nindent 4 }}
+  {{- with .Values.serviceAccount.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
   {{- with .Values.serviceAccount.annotations }}
   annotations:
     {{- toYaml . | nindent 4 }}
   {{- end }}
-{{- end }}
+{{- end }}
@@ -10,6 +10,9 @@ metadata:
   labels:
     control-plane: {{ .Values.service.controlPlane }}
     {{- include "step-issuer.labels" . | nindent 4 }}
+  {{- with .Values.service.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   ports:
   - name: {{ .Values.service.targetPorts }}

@@ -3,6 +3,13 @@ apiVersion: certmanager.step.sm/v1beta1
 kind: StepClusterIssuer
 metadata:
   name: "{{ template "step-issuer.fullname" . }}"
+  labels:
+  {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.stepClusterIssuer.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   # The CA URL.
   {{- if .Values.stepClusterIssuer.caUrl }}
@@ -20,4 +27,4 @@ spec:
       name: {{ .Values.stepClusterIssuer.provisioner.passwordRef.name }}
       namespace: {{ .Values.stepClusterIssuer.provisioner.passwordRef.namespace }}
       key: {{ .Values.stepClusterIssuer.provisioner.passwordRef.key }}
-{{- end }}
+{{- end }}
@@ -4,6 +4,13 @@ kind: StepIssuer
 metadata:
   name: "{{ template "step-issuer.fullname" . }}"
   namespace: {{ .Release.Namespace }}
+  labels:
+  {{- with .Values.commonLabels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  {{- with .Values.stepIssuer.labels }}
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
 spec:
   # The CA URL.
   {{- if .Values.stepIssuer.caUrl }}
@@ -20,4 +27,4 @@ spec:
     passwordRef:
       name: {{ .Values.stepIssuer.provisioner.passwordRef.name }}
       key: {{ .Values.stepIssuer.provisioner.passwordRef.key }}
-{{- end }}
+{{- end }}
@@ -27,6 +27,9 @@ imagePullSecrets: []
 nameOverride: ""
 fullnameOverride: ""
 
+# Labels to be added to most objects deployed by this chart.
+commonLabels: {}
+
 deployment:
   # Configure arguments to pass to the step issuer
   args:
@@ -36,6 +39,10 @@ deployment:
   # Strategy used for the deployment
   strategy: {}
   priorityClassName: ""
+  # Labels for the deployment, does not affect the deployment's pods.
+  labels: {}
+  # Labels for the pods.
+  podLabels: {}
 
 resources:
   limits:
@@ -52,6 +59,7 @@ service:
   controlPlane: controller-manager
   scrape: true
   scrapePort: 8080
+  labels: {}
 
 # Security Context for the pod
 podSecurityContext: {}
@@ -72,6 +80,7 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+  labels: {}
 
 # mandatory values to generate stepIssuer resource
 # please follow the https://github.com/smallstep/step-issuer#getting-started to setup step-ca and get step-issuer values
@@ -85,6 +94,7 @@ stepIssuer:
     passwordRef:
       name: ""
       key: ""
+  labels: {}
 
 # mandatory values to generate stepClusterIssuer resource
 # please follow the https://github.com/smallstep/step-issuer#getting-started to setup step-ca and get step-issuer values
@@ -99,6 +109,7 @@ stepClusterIssuer:
       name: ""
       namespace: ""
       key: ""
+  labels: {}
 
 # For the cert-manager approver
 certManager: