The cert-manager module: configuration

The module does not have any mandatory parameters.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false to explicitly enable or disable the module.

Example of enabling the cert-manager module:

          apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: true

        

Example of disabling the cert-manager module:

          apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: false

        

The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cert-manager resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

cleanupOrphanSecretsboolean
Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.

Default: false
Examples:
```
cleanupOrphanSecrets: true
```
```
cleanupOrphanSecrets: false
```
cloudDNSServiceAccountstring
The Service Account for Google Cloud for the same project that has the DNS Administrator role.

Example:
```
cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
```
cloudflareAPITokenstring
API Tokens allow application-scoped keys bound to specific DNS zones.

API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.

It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

Example:
```
cloudflareAPIToken: token
```
cloudflareEmailstring
The email used for accessing the Cloudflare platform.

Example:
```
cloudflareEmail: example@example.com
```
cloudflareGlobalAPIKeystring
The Cloudflare Global API key for managing DNS records

It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider.

Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

Example:
```
cloudflareGlobalAPIKey: key
```
digitalOceanCredentialsstring
The Access Token for the Digital Ocean API (you can create it in the API section).

Example:
```
digitalOceanCredentials: creds
```
disableLetsencryptboolean
Disable letsencrypt and letsencrypt-staging ClusterIssuer objects (if set to true).

Examples:
```
disableLetsencrypt: true
```
```
disableLetsencrypt: false
```
emailstring
The email used for sending notifications by LetsEncrypt.

Example:
```
email: example@example.com
```
nodeSelectorobject
The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

If the parameter is omitted or false, it will be determined automatically.

Example:
```
nodeSelector:
  has-gpu: 'true'
```
route53AccessKeyIDstring
The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.

Example:
```
route53AccessKeyID: key_id
```
route53SecretAccessKeystring
The Secret Access Key of the user with privileges to manage domain records.

Example:
```
route53SecretAccessKey: secret
```
tolerationsarray of objects
The same as in the pods’ spec.tolerations parameter in Kubernetes.

If the parameter is omitted or false, it will be determined automatically.

Example:
```
tolerations:
- key: dedicated.deckhouse.io
  operator: Equal
  value: cert-manager
```
- tolerations.effectstring
- tolerations.keystring
- tolerations.operatorstring
- tolerations.tolerationSecondsinteger
- tolerations.valuestring