Parameters

The parent key for all of the following parameters is cert_manager.

`namespace`

type	string
default	`syn-cert-manager`

The namespace in which to install cert-manager.

`charts:cert-manager`

type	string
default	see `defaults.yml`

The version of the Helm chart to use.

`letsencrypt_email`

type	string
default	``

The email address Let’s Encrypt will use to contact you.

`dns01-recursive-nameservers`

type	string
default	`1.1.1.1:53`

Recursive nameservers to use for validating DNS01 challenges. See the cert-manager documentation for more details.

This parameter is injected into parameter helm_values as an extra argument to cert-manager (helm_values.extraArgs).

We additionally also set --dns01-recursive-nameservers-only as an argument to cert-manager. This ensures that only the nameservers configured in this parameter are used to validate DNS01 challenges.

`http_proxy`

type	string
default	``

The value of http_proxy is passed to cert-manager in environment variable HTTP_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

`https_proxy`

type	string
default	``

The value of https_proxy is passed to cert-manager in environment variable HTTPS_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

`no_proxy`

type	string
default	``

The value of no_proxy is passed to cert-manager in environment variable NO_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

`solvers`

type	dictionary
default	see `defaults.yml`

A dictionary holding the solvers for the default cluster issuers.

See cert-manager.io/docs/configuration/acme/#configuration for configurable parameters.

`secrets`

type	dictionary
default	`{}`

A dictionary holding secrets for DNS01 solvers. Each key in the dictionary is used as the name of a secret. The value of the key is merged directly into an empty Kubernetes Secret resource. By default, secrets are created in the namespace in which cert-manager is deployed.

See the cert-manager documentation for DNS01 solvers which are supported by cert-manager.

`acme_dns_api`

type	dictionary
keys	`endpoint`, `username`, `password`, `fqdns`
default	`{}`

The component sets up a Job and Cronjob to register and check acme-dns client credentials if key endpoint is present and non-null in this parameter. If key endpoint is missing or null the component doesn’t configure the acme-dns client registration.

For a detailed explanation of how the self-registration works, see the acme-dns self-registration documentation.

If key endpoint is present and non-null, the component expects that the other keys listed above are also present. The keys have the following meaning:

endpoint: The HTTP API endpoint of the acme-dns instance
username: The HTTP basic authorization username for the acme-dns instance /register endpoint
password: The HTTP basic authorization password for the acme-dns instance /register endpoint. We strongly recommend specifying the password as a Vault secret reference.
fqdns: A list of FQDNs for which the acme-dns instance can be used to solve DNS01 challenges. This list must contain at least one entry.

See Using DNS01 challenges for instructions to setup and use the acme-dns self-registration mechanism.

The entries in fqdns must be exact matches the FQDNs for which DNS01 challenges should be presented. The only flexibility is that cert-manager will present a DNS01 challenge for the wildcard FQDN *.example.com, if example.com is listed in fqdns.

`helm_values`

type	dict
value	See `class/defaults.yml`

The Helm values which the component uses to render the cert-manager Helm chart.

See the cert-manager Helm chart for all possible configurations.

Example

solvers:
  nginx_http01:
    http01:
      ingress:
        podTemplate:
          metadata:
            labels:
              app: "solver"
  dns01:
    acmeDNS:
      accountSecretRef:
        name: acmedns
          key: acmedns.json
        host: auth.example.com

secrets:
  acmedns:
    stringData:
      acmedns.json: ?{vaultkv:${cluster:tenant}/${cluster:name}/acmedns}