Available in editions:  CE, BE, SE, SE+, EE

The module lifecycle stage: General Availability

The module does not have any mandatory parameters.

The module has 3 alerts.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module

You may explicitly enable or disable the module in one of the following ways:

  • Via Deckhouse web UI. In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the cert-manager module and enable (or disable) the “Module enabled” toggle. Save changes.

    [Screenshot: module enable/disable interface]

  • Via Deckhouse CLI (d8).

    Use the d8 system module enable command to enable the module, or d8 system module disable to disable it (requires Deckhouse CLI (d8) configured to work with the cluster).

    Example of enabling the module:

    d8 system module enable cert-manager
    
  • Using ModuleConfig cert-manager.

    Set spec.enabled to true or false in ModuleConfig cert-manager (create it if necessary).

    Example of a manifest to enable module cert-manager:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: cert-manager
    spec:
      enabled: true
    

How to configure the module

You can configure the module in one of the following ways:

  • Via Deckhouse web UI.

    In the “System” → “System Management” → “Deckhouse” → “Modules” section, open the cert-manager module and enable the “Advanced Settings” switch. Fill in the required fields in the “Configuration” tab or specify the module settings in YAML format on the “YAML” tab, excluding the settings section. Save the changes.

    [Screenshot: module setup interface]

    You can also edit the ModuleConfig object cert-manager on the “YAML” tab in the module settings window (“System” → “System Management” → “Deckhouse” → “Modules”, open the module cert-manager) by specifying the schema version in the spec.version parameter and the necessary module parameters in the spec.settings section.

  • Via Deckhouse CLI (d8) (requires Deckhouse CLI (d8) configured to work with the cluster).

    Edit the existing ModuleConfig cert-manager (for more details on configuring Deckhouse, see the documentation) by executing the following command:

    d8 k edit mc cert-manager
    

    Make the necessary changes in the spec.settings section. If necessary, specify the schema version in the spec.version parameter. Save the changes.

    You can also create a manifest file for ModuleConfig cert-manager using the example below. Fill in the spec.settings section with the required module parameters. If necessary, specify the schema version in the spec.version parameter.

    Apply the manifest using the following command (indicate the manifest file name):

    d8 k apply -f <FILENAME>
    

    Example of a manifest for ModuleConfig cert-manager:

    apiVersion: deckhouse.io/v1alpha1
    kind: ModuleConfig
    metadata:
      name: cert-manager
    spec:
      version: 1
      enabled: true
      settings: # Module parameters from the "Parameters" section below.
    

Parameters

Schema version: 1

  • settings
    object
    • settings.cleanupOrphanSecrets
      boolean

      Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.

      Default: false

      Examples:

      cleanupOrphanSecrets: true
      
      cleanupOrphanSecrets: false
      
    • settings.cloudDNSServiceAccount
      string

      The Google Cloud service account for the same project, with the DNS Administrator role assigned.

      Example:

      cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
      
    • settings.cloudflareAPIToken
      string

      API Tokens allow application-scoped keys bound to specific DNS zones.

      API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.

      It lets cert-manager confirm that the domains specified in the Certificate resource are managed by cert-manager and hosted by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the domain as the ACME DNS-01 challenge provider.

      Example:

      cloudflareAPIToken: token
      
    • settings.cloudflareEmail
      string

      The email used for accessing the Cloudflare platform.

      Example:

      cloudflareEmail: example@example.com
      
    • settings.cloudflareGlobalAPIKey
      string

      The Cloudflare Global API key for managing DNS records.

      It lets cert-manager confirm that the domains specified in the Certificate resource are managed by cert-manager and hosted by the Cloudflare DNS provider.

      Verification is performed by adding special TXT records for the domain as the ACME DNS-01 challenge provider.

      Example:

      cloudflareGlobalAPIKey: key
      
    • settings.digitalOceanCredentials
      string

      The Access Token for the Digital Ocean API (you can create it in the API section).

      Example:

      digitalOceanCredentials: creds
      
    • settings.disableLetsencrypt
      boolean

      Disable the letsencrypt and letsencrypt-staging ClusterIssuer objects (when set to true).

      Examples:

      disableLetsencrypt: true
      
      disableLetsencrypt: false
      
    • settings.email
      string

      The email address that Let's Encrypt uses to send notifications.

      Example:

      email: example@example.com
      
    • settings.enableCAInjector
      boolean

      Enable CAInjector. It is only needed to inject CA certificates into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition and APIService objects. Deckhouse does not use CAInjector, so enable it only if you rely on custom CA injection in your services.

      Default: false

      Examples:

      enableCAInjector: true
      
      enableCAInjector: false
      
    • settings.ingressClassHttp01
      string

      The name of the ingressClass used to confirm ownership of a domain using the ACME HTTP-01 challenge method. If the parameter is omitted, the default ingressClass is used.

      Example:

      ingressClassHttp01: nginx
      
    • settings.maxConcurrentChallenges
      integer

      The maximum number of challenges that can be scheduled as ‘processing’ at once.

      Default: 60

      Allowed values: 0 <= X

      Example:

      maxConcurrentChallenges: 25
      
    • settings.nodeSelector
      object

      The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      nodeSelector:
        has-gpu: 'true'
      
    • settings.recursiveSettings
      object

      Parameters for the recursive DNS servers used to check that a DNS record exists before the domain ownership verification using the ACME DNS-01 method is started.

      Example:

      recursiveSettings:
        nameservers:
        - 8.8.8.8:53
        - https://1.1.1.1
        useOnlyRecursive: true
      
      • settings.recursiveSettings.nameservers
        array of strings

        List of recursive DNS servers (IP:port or HTTPS URLs).

        • Element of the array
          string

          Pattern: ^(?:[0-9]{1,3}(?:\.[0-9]{1,3}){3}:\d{1,5}|https?://[^\s]+)$

      • settings.recursiveSettings.useOnlyRecursive
        boolean

        When set to true, only the specified recursive DNS servers will be used to check for the existence of a record in the DNS before starting the domain ownership verification process.

        Default: false

    • settings.route53AccessKeyID
      string

      The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.

      Example:

      route53AccessKeyID: key_id
      
    • settings.route53SecretAccessKey
      string

      The Secret Access Key of the user with privileges to manage domain records.

      Example:

      route53SecretAccessKey: secret
      
    • settings.tolerations
      array of objects

      The same as in the pods’ spec.tolerations parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      tolerations:
      - key: dedicated.deckhouse.io
        operator: Equal
        value: cert-manager
      
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string
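A pre-flight check for a cert-manager ModuleConfig manifest, written for this page as an added example (it is not part of Deckhouse or the cert-manager module): it enforces the constraints listed in the Parameters section above (boolean and string types, maxConcurrentChallenges >= 0, the nameservers pattern, schema version 1) before the manifest is applied with d8 k apply. The two manifests are constructed and represented as Python dicts rather than parsed YAML.

```python
import re

# Constraints taken from the Parameters section of this page (schema version 1).
NAMESERVER_RE = re.compile(r"^(?:[0-9]{1,3}(?:\.[0-9]{1,3}){3}:\d{1,5}|https?://[^\s]+)$")
BOOL_KEYS = {"cleanupOrphanSecrets", "disableLetsencrypt", "enableCAInjector"}
STRING_KEYS = {"cloudDNSServiceAccount", "cloudflareAPIToken", "cloudflareEmail",
               "cloudflareGlobalAPIKey", "digitalOceanCredentials", "email",
               "ingressClassHttp01", "route53AccessKeyID", "route53SecretAccessKey"}

def check_settings(settings: dict) -> list:
    """Return the problems found in spec.settings; an empty list means it passes."""
    problems = []
    for key, value in settings.items():
        if key in BOOL_KEYS and not isinstance(value, bool):
            problems.append(f"{key}: expected boolean, got {type(value).__name__}")
        elif key in STRING_KEYS and not isinstance(value, str):
            problems.append(f"{key}: expected string, got {type(value).__name__}")
    mcc = settings.get("maxConcurrentChallenges")
    # bool is an int subclass in Python, so True/False must be rejected explicitly.
    if mcc is not None and (isinstance(mcc, bool) or not isinstance(mcc, int) or mcc < 0):
        problems.append(f"maxConcurrentChallenges: must be an integer >= 0, got {mcc!r}")
    rec = settings.get("recursiveSettings", {})
    for ns in rec.get("nameservers", []):
        if not (isinstance(ns, str) and NAMESERVER_RE.match(ns)):
            problems.append(f"recursiveSettings.nameservers: {ns!r} is neither IP:port nor an HTTP(S) URL")
    if "useOnlyRecursive" in rec and not isinstance(rec["useOnlyRecursive"], bool):
        problems.append("recursiveSettings.useOnlyRecursive: expected boolean")
    return problems

def check_moduleconfig(mc: dict) -> list:
    """Check the ModuleConfig wrapper (apiVersion, kind, name, schema version), then its settings."""
    problems = []
    if (mc.get("apiVersion"), mc.get("kind")) != ("deckhouse.io/v1alpha1", "ModuleConfig"):
        problems.append("expected apiVersion deckhouse.io/v1alpha1 and kind ModuleConfig")
    if mc.get("metadata", {}).get("name") != "cert-manager":
        problems.append("metadata.name must be cert-manager")
    spec = mc.get("spec", {})
    if "version" in spec and spec["version"] != 1:
        problems.append(f"spec.version: this page documents schema version 1, got {spec['version']!r}")
    return problems + check_settings(spec.get("settings", {}))

# Constructed manifests as Python dicts (no YAML parser needed): one valid, one with four defects.
GOOD_MC = {"apiVersion": "deckhouse.io/v1alpha1", "kind": "ModuleConfig", "metadata": {"name": "cert-manager"},
           "spec": {"version": 1, "enabled": True, "settings": {
               "email": "example@example.com", "maxConcurrentChallenges": 25,
               "recursiveSettings": {"nameservers": ["8.8.8.8:53", "https://1.1.1.1"], "useOnlyRecursive": True}}}}
BAD_MC = {"apiVersion": "deckhouse.io/v1alpha1", "kind": "ModuleConfig", "metadata": {"name": "cert-manager"},
          "spec": {"version": 2, "settings": {"cleanupOrphanSecrets": "yes", "maxConcurrentChallenges": -1,
                                              "recursiveSettings": {"nameservers": ["8.8.8.8"]}}}}
```

Running check_moduleconfig(BAD_MC) reports the wrong schema version, the non-boolean cleanupOrphanSecrets, the negative maxConcurrentChallenges and the nameserver entry without a port, while GOOD_MC passes cleanly.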