The module does not have any mandatory parameters.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/cert-manager resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module enable cert-manager

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec deploy/deckhouse -c deckhouse -- deckhouse-controller module disable cert-manager

The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cert-manager resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • cleanupOrphanSecretsboolean

    Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.

    Default: false

    Examples:

    cleanupOrphanSecrets: true

    cleanupOrphanSecrets: false
  • cloudDNSServiceAccountstring

    The Service Account for Google Cloud for the same project that has the DNS Administrator role.

    Example:

    cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
  • cloudflareAPITokenstring

    API Tokens allow application-scoped keys bound to specific DNS zones.

    API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.

    It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

    Example:

    cloudflareAPIToken: token
  • cloudflareEmailstring

    The email used for accessing the Cloudflare platform.

    Example:

    cloudflareEmail: example@example.com
  • cloudflareGlobalAPIKeystring

    The Cloudflare Global API key for managing DNS records

    It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider.

    Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

    Example:

    cloudflareGlobalAPIKey: key
  • digitalOceanCredentialsstring

    The Access Token for the Digital Ocean API (you can create it in the API section).

    Example:

    digitalOceanCredentials: creds
  • disableLetsencryptboolean

    Disable letsencrypt and letsencrypt-staging ClusterIssuer objects (if set to true).

    Examples:

    disableLetsencrypt: true

    disableLetsencrypt: false
  • emailstring

    The email used for sending notifications by LetsEncrypt.

    Example:

    email: example@example.com
  • enableCAInjectorboolean

    Enable CAInjector. It only needs to inject CA certs into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition and APIService. Deckhouse does not use CAInjector, so you have to enable it only if you use custom CA injections in your services.

    Default: false

    Examples:

    enableCAInjector: true

    enableCAInjector: false
  • maxConcurrentChallengesinteger

    The maximum number of challenges that can be scheduled as ‘processing’ at once. (default 60)

    Allowed values: 0 <= X

    Example:

    maxConcurrentChallenges: 25
  • nodeSelectorobject

    The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    nodeSelector:
  has-gpu: 'true'
  • route53AccessKeyIDstring

    The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.

    Example:

    route53AccessKeyID: key_id
  • route53SecretAccessKeystring

    The Secret Access Key of the user with privileges to manage domain records.

    Example:

    route53SecretAccessKey: secret
  • tolerationsarray of objects

    The same as in the pods’ spec.tolerations parameter in Kubernetes.

    If the parameter is omitted or false, it will be determined automatically.

    Example:

    tolerations:
- key: dedicated.deckhouse.io
  operator: Equal
  value: cert-manager
    • tolerations.effectstring
    • tolerations.keystring
    • tolerations.operatorstring
    • tolerations.tolerationSecondsinteger
    • tolerations.valuestring