Parameters

The parent key for all of the following parameters is cert_manager.

namespace

type

string
default

syn-cert-manager

The namespace in which to install cert-manager.

The component always adds label openshift.io/cluster-monitoring=true to the namespace. Additionally, if component prometheus is installed on the cluster, the component registers the namespace to be monitored through the default Prometheus stack managed by that component.

charts

type

object
default 
charts:
  cert_manager:
    source: https://charts.jetstack.io
    version: v1.16.2
  exoscale_webhook:
    source: https://github.com/exoscale/cert-manager-webhook-exoscale.git
    version: v0.3.0

Specifies the Helm charts sources and versions for certificate-related components.

images

type

object
default 
images:
  cert_manager:
    registry: quay.io
    repository: jetstack/cert-manager-controller
  cert_webhook:
    registry: quay.io
    repository: jetstack/cert-manager-webhook
  cert_cainjector:
    registry: quay.io
    repository: jetstack/cert-manager-cainjector
  cert_acmesolver:
    registry: quay.io
    repository: jetstack/cert-manager-acmesolver
  cert_startupapi:
    registry: quay.io
    repository: jetstack/cert-manager-startupapicheck
  exoscale_webhook:
    registry: docker.io
    repository: exoscale/cert-manager-webhook-exoscale
  kubectl:
    registry: quay.io
    repository: appuio/oc
    tag: 'v4.16'

Image registry configurations for components.

component

Configuration options for certificate-related components.

component.cert_manager

type

object
default 
component:
  cert_manager:
    httpProxy: '' (1)
    httpsProxy: ''
    noProxy: ''
    email: test@syn.tools (2)
    certificateOwnerRef: false (3)
    recursiveNameservers: '1.1.1.1:53' (4)
    recursiveNameserversOnly: true (5)
1 Proxy configuration for isolated environments.
2 Default email used for lets encrypt certificates.
3 Ensures secrets will be automatically removed when the certificate resource is deleted.
4 Recursive nameservers to use for validating DNS01 challenges.
5 Ensures that only the configured nameservers are used to validate DNS01 challenges.

Configuration options for cert-manager.

See the cert-manager documentation for nameserver config.

component.exoscale_webhook

type

object
default 
component:
  exoscale_webhook:
    enabled: false (1)
    accessKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_access_key}' (2)
    secretKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_secret_key}' (3)
1 Enable the Exoscale webhook.
2 Exoscale API user access key.
3 Exoscale API user secret key.

Configuration options for exoscale-webhook.

See Exoscale webhook documentation.

acmeClients

type

object
default

{}

Configuration for ACME DNS clients.

For a detailed explanation of how the self-registration works, see the acme-dns self-registration documentation.

The entries in fqdns must be exact matches the FQDNs for which DNS01 challenges should be presented. The only flexibility is that cert-manager will present a DNS01 challenge for the wildcard FQDN *.example.com, if example.com is listed in fqdns.

Example

acmeClients:
  vshn-default: (1)
    api:
      endpoint: https://acme-dns-api.example.com
      username: vshn-default-username
      password: vshn-default-password
    fqdns:
      - 'api.${cluster:name}.example.com'
      - '*.apps.${cluster:name}.example.com'
1 Name of the ACME client, referenced in clusterIssuers.acmeClientRefs.

solvers

type

object
default 
solvers:
  nginx_http01:
    http01:
      ingress:
        class: 'nginx'

Configuration for acme solvers.

See cert-manager.io/docs/configuration/acme/#configuration for configurable parameters.

Example

solvers:
  openshift_http01: (1)
    http01:
      ingress:
        class: null
        ingressTemplate:
          metadata:
            annotations:
              route.openshift.io/termination: edge
1 Name of the solver, referenced in clusterIssuers.solverRefs.

cluster_issuers

type

object
default 
cluster_issuers:
  letsencrypt-staging:
    solverRefs:
      - nginx_http01
  letsencrypt-production:
    solverRefs:
      - nginx_http01

Configuration for cluster-wide certificate issuers.

If the issuer name starts with letsencrypt-staging or letsencrypt-production, the component will automatically be rendered to use the correct ACME server.

See the cert-manager documentation for how to configure such issuers.

Example

clusterIssuers:
  ~letsencrypt-staging: null (1)
  letsencrypt-production:
    solverRefs:
      - nginx_http01
    acmeClientRefs: (2)
      - vshn-default
  other-issuer: (3)
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
          - http01:
              ingressClass: nginx
1 Remove the letsencrypt-staging cluster-ssuer.
2 Add an acmeClient to the cluster-issuer, this will also create a solver.
3 Add a custom issuer directly using CR spec.

issuers

type

object
default

{}

Configuration for certificate issuers.

See the cert-manager documentation for how to configure such issuers.

Follows the same convention as clusterIssuers for specifying the issuer, but uses namespaced names.

Example

issuers:
  namespace-a/ca-issuer:
    spec:
      ca:
        secretName: ca-key-pair
  ca-issuer:
    metadata:
      namespace: namespace-b
    spec:
      ca:
        secretName: ca-key-pair

secrets

type

dictionary
default

{}

A dictionary holding secrets, eg. for DNS01 solvers.

See the cert-manager documentation for DNS01 solvers which are supported by cert-manager.

resources

type

object
default 
resources:
  cert_manager:
    requests:
      cpu: 50m
      memory: 512Mi
  cert_webhook:
    requests:
      cpu: 50m
      memory: 64Mi
  cert_cainjector:
    requests:
      cpu: 50m
      memory: 512Mi
  exoscale_webhook:
    requests:
      cpu: 50m
      memory: 64Mi

Resource requests and limits for the components containers.

helmValues

type

object
default 
helmValues:
  cert_manager: {}
  exoscale_webhook: {}

Override configurations for individual components.

The component will patch the cert-manager pod template with an annotation whose value is the hash of the contents of helmValues.cert_manager.config. This ensures that the cert-manager pod is restarted every time the config is changed.