The module does not have any mandatory parameters.
The module is enabled by default in the following bundles: Default, Managed.
The module is disabled by default in the Minimal bundle.
The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).
Example of the ModuleConfig/cert-manager resource for configuring the module:
apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
name: cert-manager
spec:
version: 1
enabled: true
settings: # <-- Module parameters from the "Parameters" section below.
Parameters
Schema version: 1
- cleanupOrphanSecretsboolean
Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.
Default:
falseExamples:
cleanupOrphanSecrets: truecleanupOrphanSecrets: false - cloudDNSServiceAccountstring
The Service Account for Google Cloud for the same project that has the DNS Administrator role.
Example:
cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0= - cloudflareAPITokenstring
API Tokens allow application-scoped keys bound to specific DNS zones.
API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.
It allows you to verify that domains specified in the Certificate resource are managed by
cert-managerand kept by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.Example:
cloudflareAPIToken: token - cloudflareEmailstring
The email used for accessing the Cloudflare platform.
Example:
cloudflareEmail: example@example.com - cloudflareGlobalAPIKeystring
The Cloudflare Global API key for managing DNS records
It allows you to verify that domains specified in the Certificate resource are managed by
cert-managerand kept by the Cloudflare DNS provider.Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.
Example:
cloudflareGlobalAPIKey: key - digitalOceanCredentialsstring
The Access Token for the Digital Ocean API (you can create it in the
APIsection).Example:
digitalOceanCredentials: creds - disableLetsencryptboolean
Disable
letsencryptandletsencrypt-stagingClusterIssuer objects (if set totrue).Examples:
disableLetsencrypt: truedisableLetsencrypt: false - emailstring
The email used for sending notifications by LetsEncrypt.
Example:
email: example@example.com - enableCAInjectorboolean
Enable CAInjector. It only needs to inject CA certs into
ValidatingWebhookConfiguration,MutatingWebhookConfiguration,CustomResourceDefinitionandAPIService. Deckhouse does not use CAInjector, so you have to enable it only if you use custom CA injections in your services.Default:
falseExamples:
enableCAInjector: trueenableCAInjector: false - maxConcurrentChallengesinteger
The maximum number of challenges that can be scheduled as ‘processing’ at once. (default 60)
Allowed values:
0 <= XExample:
maxConcurrentChallenges: 25 - nodeSelectorobject
The same as in the pods’
spec.nodeSelectorparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.Example:
nodeSelector: has-gpu: 'true' - route53AccessKeyIDstring
The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.
Example:
route53AccessKeyID: key_id - route53SecretAccessKeystring
The Secret Access Key of the user with privileges to manage domain records.
Example:
route53SecretAccessKey: secret - tolerationsarray of objects
The same as in the pods’
spec.tolerationsparameter in Kubernetes.If the parameter is omitted or
false, it will be determined automatically.Example:
tolerations: - key: dedicated.deckhouse.io operator: Equal value: cert-manager- tolerations.effectstring
- tolerations.keystring
- tolerations.operatorstring
- tolerations.tolerationSecondsinteger
- tolerations.valuestring