No matter how you like to participate in developer communities, Pulumi wants to meet you there. If you want to meet other Pulumi users to share use-cases and best practices, contribute code or documentation, see us at an event, or just tell a story about something cool you did with Pulumi, you are part of our community.

Pulumi Community

<@UHC2MBSCE> I suspect that's a problem with the underlying chart. Can you show us the snippet of code where `.Values.podDnsConfig.nameservers` is referenced in the chart?

Thanks <@UFPFMDBTK>
I was actually trying and comparing the charts just now.

This happens with istio chart which comes from `<https://gcsweb.istio.io/gcs/istio-release/releases/1.1.5/charts/>` and the config belongs to certmanager (`<https://github.com/jetstack/cert-manager/blob/release-0.7/deploy/charts/cert-manager/templates/deployment.yaml#L119`>).

I was trying to compare the one that istio has and the original one and it seems OK individually. There could be a clash with another part of the result yaml.

My full istio chart values are something like this

```const istioChartValues = {
            prometheus: { enabled: true },
            grafana: { enabled: true },
            tracing: { enabled: true },
            certmanager: {
                enabled: true,
                email: "<mailto:xt@x.com|xt@x.com>",
                podDnsPolicy: "None",
                podDnsConfig: {
                    nameservers: ["1.1.1.1", "8.8.8.8"]
                }

            },
            gateways: {
                "istio-ingressgateway":
                {
                    serviceAnnotations: { "<http://service.beta.kubernetes.io/azure-load-balancer-internal|service.beta.kubernetes.io/azure-load-balancer-internal>": true }, //<https://docs.microsoft.com/en-us/azure/aks/internal-lb#create-an-internal-load-balancer>
                }
            },
        }```

According to the documents, setting the `podDnsConfig` of cert-manager looks like

```helm install --name cert-manager \
    --namespace cert-manager \
    --set "podDnsPolicy"="None" \
    --set "podDnsConfig.nameservers[1]"="1.1.1.1" \
    --set "podDnsConfig.nameservers[2]"="8.8.8.8" \
    stable/cert-manager```

which matches with my config, I believe

That's a good question. I think the docs are wrong here and I wonder if the chart is broken

Helm uses 0 based indexing with array `--set`, I just checked my own configs

(And <https://github.com/helm/helm/blob/master/docs/using_helm.md#the-format-and-limitations-of---set>)

Here's a question for you, why are you trying to set nameservers?

There is an internal / private domain clashing on Let's Encrypt challenge

I'll try to set and escape the values. Thanks much

Yeah, worse comes to worse you can just edit the chart directly. Helm get it, commit the chart to your repo, and use the chart with a relative path and manually set the template how you want.

I was avoiding that but could be the last resort. Thanks for helping me finding a new angle.

I confirm that certmanager chart of istio has problem on this issue. This is what it produces
```dnsPolicy: None
      dnsConfig:
              nameservers:
        - 1.1.1.1
        - 8.8.8.8```