The module does not have any mandatory parameters.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/cert-manager resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: cert-manager
    spec:
      enabled: true
    
  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module enable cert-manager
    

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: cert-manager
    spec:
      enabled: false
    
  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module disable cert-manager
    

The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cert-manager resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • cleanupOrphanSecrets
    boolean

    Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.

    Default: false

    Examples:

    cleanupOrphanSecrets: true
    
    cleanupOrphanSecrets: false
    
  • cloudDNSServiceAccount
    string

    The Service Account for Google Cloud for the same project that has the DNS Administrator role.

    Example:

    cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
    
  • cloudflareAPIToken
    string

    API Tokens allow application-scoped keys bound to specific DNS zones.

    API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.

    It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

    Example:

    cloudflareAPIToken: token
    
  • cloudflareEmail
    string

    The email used for accessing the Cloudflare platform.

    Example:

    cloudflareEmail: example@example.com
    
  • cloudflareGlobalAPIKey
    string

    The Cloudflare Global API key for managing DNS records

    It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider.

    Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

    Example:

    cloudflareGlobalAPIKey: key
    
  • digitalOceanCredentials
    string

    The Access Token for the Digital Ocean API (you can create it in the API section).

    Example:

    digitalOceanCredentials: creds
    
  • disableLetsencrypt
    boolean

    Disable letsencrypt and letsencrypt-staging ClusterIssuer objects (if set to true).

    Examples:

    disableLetsencrypt: true
    
    disableLetsencrypt: false
    
  • email
    string

    The email used for sending notifications by LetsEncrypt.

    Example:

    email: example@example.com
    
  • enableCAInjector
    boolean

    Enable CAInjector. It only needs to inject CA certs into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition and APIService. Deckhouse does not use CAInjector, so you have to enable it only if you use custom CA injections in your services.

    Default: false

    Examples:

    enableCAInjector: true
    
    enableCAInjector: false
    
  • maxConcurrentChallenges
    integer

    The maximum number of challenges that can be scheduled as ‘processing’ at once. (default 60)

    Allowed values: 0 <= X

    Example:

    maxConcurrentChallenges: 25
    
  • nodeSelector
    object

    The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    nodeSelector:
      has-gpu: 'true'
    
  • route53AccessKeyID
    string

    The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.

    Example:

    route53AccessKeyID: key_id
    
  • route53SecretAccessKey
    string

    The Secret Access Key of the user with privileges to manage domain records.

    Example:

    route53SecretAccessKey: secret
    
  • tolerations
    array of objects

    The same as in the pods’ spec.tolerations parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    tolerations:
    - key: dedicated.deckhouse.io
      operator: Equal
      value: cert-manager
    
    • tolerations.effect
      string
    • tolerations.key
      string
    • tolerations.operator
      string
    • tolerations.tolerationSeconds
      integer
    • tolerations.value
      string