Parameters

The parent key for all of the following parameters is cert_manager.

namespace

type

string

default

syn-cert-manager

The namespace in which to install cert-manager.

The component always adds label openshift.io/cluster-monitoring=true to the namespace. Additionally, if component prometheus is installed on the cluster, the component registers the namespace to be monitored through the default Prometheus stack managed by that component.

kubernetes_version

type

string

default

See class/defaults.yml

The Kubernetes version to provide to helm template when rendering the Helm chart.

Set this parameter to ${dynamic_facts:kubernetesVersion:major}.${dynamic_facts:kubernetesVersion.minor} to use the cluster’s reported Kubernetes version when rendering the Helm chart.

charts:cert-manager

type

string

default

see defaults.yml

The version of the Helm chart to use.

letsencrypt_email

type

string

default

``

The email address Let’s Encrypt will use to contact you.

dns01-recursive-nameservers

type

string

default

1.1.1.1:53

Recursive nameservers to use for validating DNS01 challenges. See the cert-manager documentation for more details.

This parameter is injected into parameter helm_values as an extra argument to cert-manager (helm_values.extraArgs).

We additionally also set --dns01-recursive-nameservers-only as an argument to cert-manager. This ensures that only the nameservers configured in this parameter are used to validate DNS01 challenges.

http_proxy

type

string

default

``

The value of http_proxy is passed to cert-manager in environment variable HTTP_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

https_proxy

type

string

default

``

The value of https_proxy is passed to cert-manager in environment variable HTTPS_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

no_proxy

type

string

default

``

The value of no_proxy is passed to cert-manager in environment variable NO_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

letsencrypt_clusterissuers

type

dictionary

default
staging: true
production: true

This parameter allows users to control which Let’s Encrypt cluster issuers are generated by the component. Generally, we recommend deploying both the staging and production cluster issuers.

However, in certain cases it may make sense to not deploy the Let’s Encrypt cluster issuers. If you disable both Let’s Encrypt cluster issuers, you’ll have to setup suitable issuers or cluster issuers manually in order to make use of cert-manager.

solvers

type

dictionary

default

see defaults.yml

A dictionary holding the solvers for the default cluster issuers.

secrets

type

dictionary

default

{}

A dictionary holding secrets for DNS01 solvers. Each key in the dictionary is used as the name of a secret. The value of the key is merged directly into an empty Kubernetes Secret resource. By default, secrets are created in the namespace in which cert-manager is deployed.

See the cert-manager documentation for DNS01 solvers which are supported by cert-manager.

acme_dns_api

type

dictionary

keys

endpoint, username, password, fqdns

default

{}

The component sets up a Job and Cronjob to register and check acme-dns client credentials if key endpoint is present and non-null in this parameter. If key endpoint is missing or null the component doesn’t configure the acme-dns client registration.

For a detailed explanation of how the self-registration works, see the acme-dns self-registration documentation.

If key endpoint is present and non-null, the component expects that the other keys listed above are also present. The keys have the following meaning:

endpoint

The HTTP API endpoint of the acme-dns instance

username

The HTTP basic authorization username for the acme-dns instance /register endpoint

password

The HTTP basic authorization password for the acme-dns instance /register endpoint. We strongly recommend specifying the password as a Vault secret reference.

fqdns

A list of FQDNs for which the acme-dns instance can be used to solve DNS01 challenges. This list must contain at least one entry.

See Using DNS01 challenges for instructions to setup and use the acme-dns self-registration mechanism.

The entries in fqdns must be exact matches the FQDNs for which DNS01 challenges should be presented. The only flexibility is that cert-manager will present a DNS01 challenge for the wildcard FQDN *.example.com, if example.com is listed in fqdns.

helm_values

type

dict

value

See class/defaults.yml

The Helm values which the component uses to render the cert-manager Helm chart.

See the cert-manager Helm chart for all possible configurations.

Example

solvers:
  nginx_http01:
    http01:
      ingress:
        podTemplate:
          metadata:
            labels:
              app: "solver"
  dns01:
    acmeDNS:
      accountSecretRef:
        name: acmedns
          key: acmedns.json
        host: auth.example.com

secrets:
  acmedns:
    stringData:
      acmedns.json: ?{vaultkv:${cluster:tenant}/${cluster:name}/acmedns}