The module does not have any mandatory parameters.
The module is enabled by default in the following bundles: Default, Managed.
The module is disabled by default in the Minimal bundle.
The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).
Example of the ModuleConfig/cert-manager resource for configuring the module:
```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.
```
Parameters
Schema version: 1
- cleanupOrphanSecrets
Delete the Secret holding a certificate automatically when the corresponding Certificate resource is deleted from the cluster.
Default: false
Examples:
cleanupOrphanSecrets: true
cleanupOrphanSecrets: false
- cloudDNSServiceAccount
The Google Cloud Service Account for the same project, holding the DNS Administrator role (passed as a base64-encoded string, as in the example).
Example:
cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
- cloudflareAPIToken
API Tokens are application-scoped keys bound to specific DNS zones.
API Tokens are recommended over the Global API key, since they carry more restrictive permissions and are easier to revoke.
The token lets cert-manager verify that the domains specified in a Certificate resource are managed by cert-manager and hosted by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 challenge domain.
Example:
cloudflareAPIToken: token
- cloudflareEmail
The email used for accessing the Cloudflare platform.
Example:
cloudflareEmail: example@example.com
- cloudflareGlobalAPIKey
The Cloudflare Global API key for managing DNS records.
The key lets cert-manager verify that the domains specified in a Certificate resource are managed by cert-manager and hosted by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 challenge domain.
Example:
cloudflareGlobalAPIKey: key
- digitalOceanCredentials
The Access Token for the DigitalOcean API (you can create it in the API section).
Example:
digitalOceanCredentials: creds
- disableLetsencrypt
Disable the letsencrypt and letsencrypt-staging ClusterIssuer objects (if set to true).
Examples:
disableLetsencrypt: true
disableLetsencrypt: false
- email
The email used by Let's Encrypt for sending notifications.
Example:
email: example@example.com
- enableCAInjector
Enable CAInjector. It is only needed to inject CA certificates into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition and APIService objects. Deckhouse does not use CAInjector, so enable it only if you rely on custom CA injection in your own services.
Default: false
Examples:
enableCAInjector: true
enableCAInjector: false
- maxConcurrentChallenges
The maximum number of challenges that can be scheduled as 'processing' at once.
Default: 60
Allowed values: 0 <= X
Example:
maxConcurrentChallenges: 25
- nodeSelector
The same as the pods' spec.nodeSelector parameter in Kubernetes. If the parameter is omitted or set to false, it is determined automatically.
Example:
nodeSelector:
  has-gpu: 'true'
- route53AccessKeyID
The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.
Example:
route53AccessKeyID: key_id
- route53SecretAccessKey
The Secret Access Key of the user with privileges to manage domain records.
Example:
route53SecretAccessKey: secret
- tolerations
The same as the pods' spec.tolerations parameter in Kubernetes. If the parameter is omitted or set to false, it is determined automatically.
Example:
tolerations:
- key: dedicated.deckhouse.io
  operator: Equal
  value: cert-manager
Fields of each tolerations item:
  - tolerations.effect
  - tolerations.key
  - tolerations.operator
  - tolerations.tolerationSeconds
  - tolerations.value
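A small pre-apply check of a settings block against the constraints documented in the Parameters section, written as an added example that is not part of the Deckhouse cert-manager module or its documentation. The settings are given as a constructed Python dict rather than parsed from YAML, so the script has no dependencies; the parameter names, their types and the `0 <= X` bound for `maxConcurrentChallenges` come from the page, while the set of credential-bearing parameters that `secret_params_present` reports is my own classification for a reviewer who wants to know whether a ModuleConfig carries plaintext credentials before it is committed anywhere.

```python
"""Lint the `settings` of a ModuleConfig/cert-manager resource.

Added example; the expected types and bounds mirror the Parameters section.
"""

# Expected type of every documented parameter.
PARAM_TYPES = {
    "cleanupOrphanSecrets": bool,
    "cloudDNSServiceAccount": str,
    "cloudflareAPIToken": str,
    "cloudflareEmail": str,
    "cloudflareGlobalAPIKey": str,
    "digitalOceanCredentials": str,
    "disableLetsencrypt": bool,
    "email": str,
    "enableCAInjector": bool,
    "maxConcurrentChallenges": int,
    "nodeSelector": dict,
    "route53AccessKeyID": str,
    "route53SecretAccessKey": str,
    "tolerations": list,
}

# Parameters whose values are credentials (own classification, not from the
# page): a ModuleConfig containing any of them must be treated as sensitive.
SECRET_PARAMS = {
    "cloudDNSServiceAccount",
    "cloudflareAPIToken",
    "cloudflareGlobalAPIKey",
    "digitalOceanCredentials",
    "route53AccessKeyID",
    "route53SecretAccessKey",
}

# Fields allowed inside each tolerations item, as listed on the page.
TOLERATION_KEYS = {"effect", "key", "operator", "tolerationSeconds", "value"}


def lint_settings(settings):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    for key, value in settings.items():
        expected = PARAM_TYPES.get(key)
        if expected is None:
            findings.append(f"unknown parameter: {key}")
            continue
        # bool is a subclass of int in Python, so `true` must not pass as an int.
        wrong_type = (expected is int and isinstance(value, bool)) or not isinstance(value, expected)
        if wrong_type:
            findings.append(f"{key}: expected {expected.__name__}, got {type(value).__name__}")
            continue
        if key == "maxConcurrentChallenges" and value < 0:
            findings.append("maxConcurrentChallenges: must satisfy 0 <= X")
        if key == "tolerations":
            for i, tol in enumerate(value):
                if not isinstance(tol, dict):
                    findings.append(f"tolerations[{i}]: expected a mapping")
                    continue
                extra = set(tol) - TOLERATION_KEYS
                if extra:
                    findings.append(f"tolerations[{i}]: unsupported fields {sorted(extra)}")
    return findings


def secret_params_present(settings):
    """Sorted names of credential-bearing parameters set in this config."""
    return sorted(k for k in settings if k in SECRET_PARAMS)


# Constructed sample settings: the page's own example values, assembled into
# one block (not a configuration taken from a real cluster).
SAMPLE_SETTINGS = {
    "cleanupOrphanSecrets": True,
    "disableLetsencrypt": False,
    "email": "example@example.com",
    "maxConcurrentChallenges": 25,
    "nodeSelector": {"has-gpu": "true"},
    "tolerations": [
        {"key": "dedicated.deckhouse.io", "operator": "Equal", "value": "cert-manager"}
    ],
}

# Constructed block with deliberate mistakes, to show what the linter reports.
BAD_SETTINGS = {
    "maxConcurrentChallenges": -1,          # violates 0 <= X
    "enableCAInjector": "yes",              # string instead of bool
    "tolerations": [{"key": "x", "valu": "y"}],  # typo in a toleration field
    "cloudflareGlobalAPIKey": "key",        # valid, but a credential
    "clenupOrphanSecrets": True,            # misspelled parameter name
}

if __name__ == "__main__":
    for name, cfg in (("sample", SAMPLE_SETTINGS), ("bad", BAD_SETTINGS)):
        print(f"{name}: findings={lint_settings(cfg)} secrets={secret_params_present(cfg)}")
```

Running the script prints no findings for the sample block and four for the bad one (the negative bound, the string flag, the misspelled toleration field and the unknown parameter), plus the credential-bearing key present in each.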