The module does not have any mandatory parameters.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Note that the configOverrides parameter of the InitConfiguration resource is used when installing Deckhouse, not ModuleConfig.

Set certManagerEnabled: true or certManagerEnabled: false in the configOverrides parameter to explicitly enable or disable the module when installing Deckhouse.

Use the certManager section of the configOverrides parameter to configure the module when installing Deckhouse.

Set the spec.enabled module parameter to true or false to explicitly enable or disable the module.

Example of enabling the cert-manager module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: true

Example of disabling the cert-manager module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: false

The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cert-manager resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • cleanupOrphanSecrets (boolean)

    Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.

    Default: false

    Examples:

    cleanupOrphanSecrets: true
    
    cleanupOrphanSecrets: false
    
  • cloudDNSServiceAccount (string)

    The Service Account for Google Cloud for the same project that has the DNS Administrator role.

    Example:

    cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
    
  • cloudflareAPIToken (string)

    API Tokens allow application-scoped keys bound to specific DNS zones.

    API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.

    The token allows you to verify that the domains specified in the Certificate resource are managed by cert-manager and hosted by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

    Example:

    cloudflareAPIToken: token
    
  • cloudflareEmail (string)

    The email used for accessing the Cloudflare platform.

    Example:

    cloudflareEmail: example@example.com
    
  • cloudflareGlobalAPIKey (string)

    The Cloudflare Global API key for managing DNS records.

    The key allows you to verify that the domains specified in the Certificate resource are managed by cert-manager and hosted by the Cloudflare DNS provider.

    Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

    Example:

    cloudflareGlobalAPIKey: key
    
  • digitalOceanCredentials (string)

    The Access Token for the DigitalOcean API (you can create it in the API section).

    Example:

    digitalOceanCredentials: creds
    
  • disableLetsencrypt (boolean)

    Disable letsencrypt and letsencrypt-staging ClusterIssuer objects (if set to true).

    Examples:

    disableLetsencrypt: true
    
    disableLetsencrypt: false
    
  • email (string)

    The email used for sending notifications by Let's Encrypt.

    Example:

    email: example@example.com
    
  • nodeSelector (object)

    The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    nodeSelector:
      has-gpu: 'true'
    
  • route53AccessKeyID (string)

    The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.

    Example:

    route53AccessKeyID: key_id
    
  • route53SecretAccessKey (string)

    The Secret Access Key of the user with privileges to manage domain records.

    Example:

    route53SecretAccessKey: secret
    
  • tolerations (array of objects)

    The same as in the pods’ spec.tolerations parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    tolerations:
    - key: dedicated.deckhouse.io
      operator: Equal
      value: cert-manager
    
    • tolerations.effect (string)
    • tolerations.key (string)
    • tolerations.operator (string)
    • tolerations.tolerationSeconds (integer)
    • tolerations.value (string)
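
The following is an added example, not part of the original Deckhouse documentation. It fills in the settings section with parameters from the list above and uses the zone-scoped cloudflareAPIToken instead of cloudflareGlobalAPIKey with cloudflareEmail, as the cloudflareAPIToken description recommends. All credential values are placeholders, and combining these particular parameters is an assumption made for illustration.

```yaml
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings:
    # Contact address for Let's Encrypt notifications (placeholder value).
    email: example@example.com

    # Preferred for the ACME DNS01 challenge: an API Token bound to specific
    # DNS zones, which can be revoked on its own (placeholder value).
    cloudflareAPIToken: "PLACEHOLDER_ZONE_SCOPED_TOKEN"

    # Weaker alternative, left commented out for comparison: the Global API
    # key is not restricted to specific zones and needs the account email.
    # cloudflareEmail: example@example.com
    # cloudflareGlobalAPIKey: "PLACEHOLDER_GLOBAL_API_KEY"

    # Delete the Secret holding a certificate once its Certificate resource
    # has been removed from the cluster (the default is false).
    cleanupOrphanSecrets: true
```

Credentials set this way are stored as plain values in the ModuleConfig object, so read access to ModuleConfig resources should be limited to those who are allowed to see them.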