Parameters

The parent key for all of the following parameters is cert_manager.

`namespace`

type	string
default	`syn-cert-manager`

The namespace in which to install cert-manager.

The component always adds label openshift.io/cluster-monitoring=true to the namespace. Additionally, if component prometheus is installed on the cluster, the component registers the namespace to be monitored through the default Prometheus stack managed by that component.

`charts`

type	object
default	`charts: cert_manager: source: https://charts.jetstack.io version: v1.16.2 exoscale_webhook: source: https://github.com/exoscale/cert-manager-webhook-exoscale.git version: v0.3.0`

Specifies the Helm charts sources and versions for certificate-related components.

`images`

type

object

default

images:
  cert_manager:
    registry: quay.io
    repository: jetstack/cert-manager-controller
  cert_webhook:
    registry: quay.io
    repository: jetstack/cert-manager-webhook
  cert_cainjector:
    registry: quay.io
    repository: jetstack/cert-manager-cainjector
  cert_acmesolver:
    registry: quay.io
    repository: jetstack/cert-manager-acmesolver
  cert_startupapi:
    registry: quay.io
    repository: jetstack/cert-manager-startupapicheck
  exoscale_webhook:
    registry: docker.io
    repository: exoscale/cert-manager-webhook-exoscale
  kubectl:
    registry: quay.io
    repository: appuio/oc
    tag: 'v4.16'

Image registry configurations for components.

`component`

Configuration options for certificate-related components.

`component.cert_manager`

type

object

default

component:
  cert_manager:
    httpProxy: '' (1)
    httpsProxy: ''
    noProxy: ''
    email: test@syn.tools (2)
    certificateOwnerRef: false (3)
    recursiveNameservers: '1.1.1.1:53' (4)
    recursiveNameserversOnly: true (5)

1	Proxy configuration for isolated environments.
2	Default email used for lets encrypt certificates.
3	Ensures secrets will be automatically removed when the certificate resource is deleted.
4	Recursive nameservers to use for validating DNS01 challenges.
5	Ensures that only the configured nameservers are used to validate DNS01 challenges.

Configuration options for cert-manager.

See the cert-manager documentation for nameserver config.

`component.exoscale_webhook`

type

object

default

component:
  exoscale_webhook:
    enabled: false (1)
    accessKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_access_key}' (2)
    secretKey: '?{vaultkv:${cluster:tenant}/${cluster:name}/exoscale/cert_webhook/s3_secret_key}' (3)

1	Enable the Exoscale webhook.
2	Exoscale API user access key.
3	Exoscale API user secret key.

Configuration options for exoscale-webhook.

See Exoscale webhook documentation.

`acmeClients`

type	object
default	`{}`

Configuration for ACME DNS clients.

For a detailed explanation of how the self-registration works, see the acme-dns self-registration documentation.

The entries in fqdns must be exact matches the FQDNs for which DNS01 challenges should be presented. The only flexibility is that cert-manager will present a DNS01 challenge for the wildcard FQDN *.example.com, if example.com is listed in fqdns.

Example

acmeClients:
  vshn-default: (1)
    api:
      endpoint: https://acme-dns-api.example.com
      username: vshn-default-username
      password: vshn-default-password
    fqdns:
      - 'api.${cluster:name}.example.com'
      - '*.apps.${cluster:name}.example.com'

1	Name of the ACME client, referenced in `clusterIssuers.acmeClientRefs`.

`solvers`

type	object
default	`solvers: nginx_http01: http01: ingress: class: 'nginx'`

Configuration for acme solvers.

See cert-manager.io/docs/configuration/acme/#configuration for configurable parameters.

Example

solvers:
  openshift_http01: (1)
    http01:
      ingress:
        class: null
        ingressTemplate:
          metadata:
            annotations:
              route.openshift.io/termination: edge

1	Name of the solver, referenced in `clusterIssuers.solverRefs`.

`cluster_issuers`

type	object
default	`cluster_issuers: letsencrypt-staging: solverRefs: - nginx_http01 letsencrypt-production: solverRefs: - nginx_http01`

Configuration for cluster-wide certificate issuers.

If the issuer name starts with letsencrypt-staging or letsencrypt-production, the component will automatically be rendered to use the correct ACME server.

See the cert-manager documentation for how to configure such issuers.

Example

clusterIssuers:
  ~letsencrypt-staging: null (1)
  letsencrypt-production:
    solverRefs:
      - nginx_http01
    acmeClientRefs: (2)
      - vshn-default
  other-issuer: (3)
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        solvers:
          - http01:
              ingressClass: nginx

1	Remove the letsencrypt-staging cluster-ssuer.
2	Add an acmeClient to the cluster-issuer, this will also create a solver.
3	Add a custom issuer directly using CR spec.

`issuers`

type	object
default	`{}`

Configuration for certificate issuers.

See the cert-manager documentation for how to configure such issuers.

Follows the same convention as clusterIssuers for specifying the issuer, but uses namespaced names.

Example

issuers:
  namespace-a/ca-issuer:
    spec:
      ca:
        secretName: ca-key-pair
  ca-issuer:
    metadata:
      namespace: namespace-b
    spec:
      ca:
        secretName: ca-key-pair

`secrets`

type	dictionary
default	`{}`

A dictionary holding secrets, eg. for DNS01 solvers.

See the cert-manager documentation for DNS01 solvers which are supported by cert-manager.

`resources`

type

object

default

resources:
  cert_manager:
    requests:
      cpu: 50m
      memory: 512Mi
  cert_webhook:
    requests:
      cpu: 50m
      memory: 64Mi
  cert_cainjector:
    requests:
      cpu: 50m
      memory: 512Mi
  exoscale_webhook:
    requests:
      cpu: 50m
      memory: 64Mi

Resource requests and limits for the components containers.

`helmValues`

type	object
default	`helmValues: cert_manager: {} exoscale_webhook: {}`

Override configurations for individual components.