Available in editions:  CE, BE, SE, SE+, EE

The module does not have any mandatory parameters.

The module has 3 alerts.

The module is enabled by default in the following bundles: Default, Managed. The module is disabled by default in the Minimal bundle.

How to explicitly enable the module…

Set the spec.enabled module parameter to true or false in the ModuleConfig/cert-manager resource (create it, if necessary) to explicitly enable or disable the module, or use the deckhouse-controller module command in the d8-system/deckhouse pod.

Example of enabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: true

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module enable cert-manager

Example of disabling the module:

  • by using the ModuleConfig resource:

    apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  enabled: false

  • by using the deckhouse-controller command (you need a kubectl, configured to work with the cluster):

    kubectl -ti -n d8-system exec svc/deckhouse-leader -c deckhouse -- deckhouse-controller module disable cert-manager

Settings

The module is configured using the ModuleConfig custom resource named cert-manager (learn more about setting up Deckhouse…).

Example of the ModuleConfig/cert-manager resource for configuring the module:

apiVersion: deckhouse.io/v1alpha1
kind: ModuleConfig
metadata:
  name: cert-manager
spec:
  version: 1
  enabled: true
  settings: # <-- Module parameters from the "Parameters" section below.

Parameters

Schema version: 1

  • settings
    object
    • settings.cleanupOrphanSecrets
      boolean

      Delete a secret with a certificate automatically if the corresponding Certificate resource was deleted from the cluster.

      Default: false

      Examples:

      cleanupOrphanSecrets: true

      cleanupOrphanSecrets: false
    • settings.cloudDNSServiceAccount
      string

      The Service Account for Google Cloud for the same project that has the DNS Administrator role.

      Example:

      cloudDNSServiceAccount: eyJzYSI6ICJhYmNkZWZnaEBzZXJ2aWNlYWNjb3VudC5jb20iLCAicHJvamVjdF9pZCI6ImFhYWFhIn0=
    • settings.cloudflareAPIToken
      string

      API Tokens allow application-scoped keys bound to specific DNS zones.

      API Tokens are recommended for higher security, since they have more restrictive permissions and are more easily revocable.

      It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider. Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

      Example:

      cloudflareAPIToken: token
    • settings.cloudflareEmail
      string

      The email used for accessing the Cloudflare platform.

      Example:

      cloudflareEmail: example@example.com
    • settings.cloudflareGlobalAPIKey
      string

      The Cloudflare Global API key for managing DNS records

      It allows you to verify that domains specified in the Certificate resource are managed by cert-manager and kept by the Cloudflare DNS provider.

      Verification is performed by adding special TXT records for the ACME DNS01 Challenge Provider domain.

      Example:

      cloudflareGlobalAPIKey: key
    • settings.digitalOceanCredentials
      string

      The Access Token for the Digital Ocean API (you can create it in the API section).

      Example:

      digitalOceanCredentials: creds
    • settings.disableLetsencrypt
      boolean

      Disable letsencrypt and letsencrypt-staging ClusterIssuer objects (if set to true).

      Examples:

      disableLetsencrypt: true

      disableLetsencrypt: false
    • settings.email
      string

      The email used for sending notifications by LetsEncrypt.

      Example:

      email: example@example.com
    • settings.enableCAInjector
      boolean

      Enable CAInjector. It only needs to inject CA certs into ValidatingWebhookConfiguration, MutatingWebhookConfiguration, CustomResourceDefinition and APIService. Deckhouse does not use CAInjector, so you have to enable it only if you use custom CA injections in your services.

      Default: false

      Examples:

      enableCAInjector: true

      enableCAInjector: false
    • settings.ingressClassHttp01
      string

      The name of the ingressClass used to confirm ownership of domain using the ACME HTTP-01 challenges method. If the parameter is omitted, the default ingressClass is used.

      Example:

      ingressClassHttp01: nginx
    • settings.maxConcurrentChallenges
      integer

      The maximum number of challenges that can be scheduled as ‘processing’ at once. (default 60)

      Allowed values: 0 <= X

      Example:

      maxConcurrentChallenges: 25
    • settings.nodeSelector
      object

      The same as in the pods’ spec.nodeSelector parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      nodeSelector:
  has-gpu: 'true'
    • settings.recursiveSettings
      object

      Parameters for using recursive DNS servers, which are used to check the existence of a DNS record, before initiating the domain ownership verification process using the ACME DNS-01 method.

      Example:

      recursiveSettings:
  nameservers:
  - 8.8.8.8:53
  - https://1.1.1.1
  useOnlyRecursive: true
      • settings.recursiveSettings.nameservers
        array of strings

        List of recursive DNS servers (IP:port or HTTPS URLs).

        • Element of the array
          string

          Pattern: ^(?:[0-9]{1,3}(?:\.[0-9]{1,3}){3}:\d{1,5}|https?://[^\s]+)$

      • settings.recursiveSettings.useOnlyRecursive
        boolean

        When set to true, only the specified recursive DNS servers will be used to check for the existence of a record in the DNS before starting the domain ownership verification process.

        Default: false

    • settings.route53AccessKeyID
      string

      The Access Key ID of the user with the attached Amazon Route53 IAM Policy for managing domain records.

      Example:

      route53AccessKeyID: key_id
    • settings.route53SecretAccessKey
      string

      The Secret Access Key of the user with privileges to manage domain records.

      Example:

      route53SecretAccessKey: secret
    • settings.tolerations
      array of objects

      The same as in the pods’ spec.tolerations parameter in Kubernetes.

      If the parameter is omitted or false, it will be determined automatically.

      Example:

      tolerations:
- key: dedicated.deckhouse.io
  operator: Equal
  value: cert-manager
      • settings.tolerations.effect
        string
      • settings.tolerations.key
        string
      • settings.tolerations.operator
        string
      • settings.tolerations.tolerationSeconds
        integer
      • settings.tolerations.value
        string