Parameters

The parent key for all of the following parameters is cert_manager.

namespace

  type: string
  default: syn-cert-manager

The namespace in which to install cert-manager.

charts:cert-manager

  type: string
  default: see defaults.yml

The version of the Helm chart to use.

letsencrypt_email

  type: string
  default: (empty string)

The email address Let's Encrypt will use to contact you.

dns01-recursive-nameservers

  type: string
  default: 1.1.1.1:53

Recursive nameservers to use for validating DNS01 challenges. See the cert-manager documentation for more details.

This parameter is injected into parameter helm_values as an extra argument to cert-manager (helm_values.extraArgs).

We additionally set --dns01-recursive-nameservers-only as an argument to cert-manager. This ensures that only the nameservers configured in this parameter are used to validate DNS01 challenges.

http_proxy

  type: string
  default: (empty string)

The value of http_proxy is passed to cert-manager in environment variable HTTP_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

https_proxy

  type: string
  default: (empty string)

The value of https_proxy is passed to cert-manager in environment variable HTTPS_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.

no_proxy

  type: string
  default: (empty string)

The value of no_proxy is passed to cert-manager in environment variable NO_PROXY.

This parameter is injected into parameter helm_values in field extraEnv.
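The following is an added illustration, not part of the component's own documentation, of how the dns01-recursive-nameservers and proxy parameters described above are set in a Commodore hierarchy and what they become in helm_values. The resolver address, proxy URL and no_proxy entries are constructed sample values, the `parameters:` wrapper is the usual Commodore layout, and the rendered extraArgs/extraEnv shape at the bottom is assumed from the descriptions above rather than copied from the component.

```yaml
# Added example (not the component's code). Sample values are constructed.
parameters:
  cert_manager:
    # Resolver that sees your zones' authoritative data quickly; with
    # --dns01-recursive-nameservers-only also set, this is the only resolver
    # cert-manager uses for the self-check, so a stale caching resolver here
    # means challenges never pass.
    dns01-recursive-nameservers: "10.0.0.2:53"
    # Egress proxy for reaching the ACME server; cert-manager reads the
    # standard HTTP_PROXY / HTTPS_PROXY / NO_PROXY variables.
    http_proxy: "http://proxy.example.com:3128"
    https_proxy: "http://proxy.example.com:3128"
    # Keep cluster-internal traffic (API server, services, challenge
    # self-checks against in-cluster addresses) off the proxy.
    no_proxy: "10.0.0.0/8,172.16.0.0/12,.svc,.cluster.local,localhost,127.0.0.1"

# Expected shape of the resulting helm_values fields (assumed from the
# descriptions above; extraArgs and extraEnv are the chart's field names):
#   extraArgs:
#     - --dns01-recursive-nameservers=10.0.0.2:53
#     - --dns01-recursive-nameservers-only
#   extraEnv:
#     - name: HTTP_PROXY
#       value: http://proxy.example.com:3128
#     - name: HTTPS_PROXY
#       value: http://proxy.example.com:3128
#     - name: NO_PROXY
#       value: 10.0.0.0/8,172.16.0.0/12,.svc,.cluster.local,localhost,127.0.0.1
```

The no_proxy list is the part most often got wrong: if in-cluster addresses are missing from it, cert-manager's own HTTP01 self-checks and API server calls are sent through the proxy and fail.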

solvers

  type: dictionary
  default: see defaults.yml

A dictionary holding the solvers for the default cluster issuers.

secrets

  type: dictionary
  default: {}

A dictionary holding secrets for DNS01 solvers. Each key in the dictionary is used as the name of a secret. The value of the key is merged directly into an empty Kubernetes Secret resource. By default, secrets are created in the namespace in which cert-manager is deployed.

See the cert-manager documentation for the DNS01 solvers which are supported by cert-manager.
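As an added illustration (not from the component's documentation), this shows a DNS01 solver credential supplied through the secrets parameter and the Kubernetes Secret that the description above implies is rendered from it. The secret name, data key and Vault path are constructed sample values; the rendered resource shape is assumed from the text, not copied from the component's templates.

```yaml
# Added example (not the component's code). Sample values are constructed.
parameters:
  cert_manager:
    secrets:
      # Key name becomes metadata.name of the Secret; the value is merged
      # into an otherwise empty Secret resource.
      dns-api-token:
        stringData:
          # Reference the credential from Vault instead of writing the
          # literal token into the hierarchy repository.
          token: ?{vaultkv:${cluster:tenant}/${cluster:name}/dns-api-token}

# Expected rendered resource (assumed shape):
#   apiVersion: v1
#   kind: Secret
#   metadata:
#     name: dns-api-token
#     namespace: syn-cert-manager   # cert-manager's namespace, per the description
#   stringData:
#     token: <revealed from the Vault reference at deployment>
```

A solver entry then points at this Secret by name and key (for example via the solver's secret reference fields), so the name chosen here must match what the solvers parameter references.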

acme_dns_api

  type: dictionary
  keys: endpoint, username, password, fqdns
  default: {}

The component sets up a Job and a CronJob to register and check acme-dns client credentials if key endpoint is present and non-null in this parameter. If key endpoint is missing or null, the component doesn't configure the acme-dns client registration.

For a detailed explanation of how the self-registration works, see the acme-dns self-registration documentation.

If key endpoint is present and non-null, the component expects that the other keys listed above are also present. The keys have the following meaning:

  endpoint
    The HTTP API endpoint of the acme-dns instance.

  username
    The HTTP basic authorization username for the acme-dns instance's /register endpoint.

  password
    The HTTP basic authorization password for the acme-dns instance's /register endpoint. We strongly recommend specifying the password as a Vault secret reference.

  fqdns
    A list of FQDNs for which the acme-dns instance can be used to solve DNS01 challenges. This list must contain at least one entry.

See Using DNS01 challenges for instructions to set up and use the acme-dns self-registration mechanism.

The entries in fqdns must exactly match the FQDNs for which DNS01 challenges should be presented. The only flexibility is that cert-manager will present a DNS01 challenge for the wildcard FQDN *.example.com if example.com is listed in fqdns.
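The following is an added configuration example, not taken from the component's documentation, showing acme_dns_api with all four keys set and the exact-match rule for fqdns. The endpoint, username, Vault path and domain names are constructed sample values; the `parameters:` wrapper is the usual Commodore hierarchy layout.

```yaml
# Added example (not the component's code). Sample values are constructed.
parameters:
  cert_manager:
    acme_dns_api:
      # A present, non-null endpoint is what enables the registration
      # Job and CronJob; set it to null (or omit it) to disable them.
      endpoint: https://acme-dns.example.com
      username: cert-manager-registrar
      # HTTP basic auth password for /register, kept out of the repository
      # as a Vault reference rather than a literal string.
      password: ?{vaultkv:${cluster:tenant}/${cluster:name}/acme-dns/password}
      fqdns:
        - example.com        # also covers the wildcard *.example.com
        - www.example.com    # concrete sub-names are not implied; list them
        - api.example.com
```

Because matching is exact apart from the wildcard case, a certificate for a name that is absent from fqdns (say mail.example.com) will not get its DNS01 challenge presented through acme-dns even though example.com is listed.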

helm_values

  type: dictionary
  default: see class/defaults.yml

The Helm values which the component uses to render the cert-manager Helm chart.

See the cert-manager Helm chart for all possible configurations.

Example

solvers:
  nginx_http01:
    http01:
      ingress:
        podTemplate:
          metadata:
            labels:
              app: "solver"
  dns01:
    acmeDNS:
      host: auth.example.com
      accountSecretRef:
        name: acmedns
        key: acmedns.json

secrets:
  acmedns:
    stringData:
      acmedns.json: ?{vaultkv:${cluster:tenant}/${cluster:name}/acmedns}