clusterIssuer: {}
# name: letsencrypt-dns-prod
# server: https://acme-v02.api.letsencrypt.org/directory
# email: admin@example.com
# solvers:
#   - dns01:
#       route53:
#         region: us-west-2
#         hostedZoneID: 1234567890

localCA:
  enabled: true
  # If selfsigning is false you must provide the ca key and crt below
  selfsigning: true
  #ca:
  #  key: <pem-key-material>
  #  crt: <pem-crt-material>

cert-manager:
  installCRDs: true
  tolerations:
  - key: node-role.kubernetes.io/master
    effect: NoSchedule
  nodeSelector:
    node-role.kubernetes.io/master: ""
  ingressShim:
    defaultIssuerName: letsencrypt-dns-prod
    defaultIssuerKind: ClusterIssuer
  webhook:
    tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/master: ""
  cainjector:
    tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/master: ""
  extraArgs:
    - "--dns01-recursive-nameservers-only"
    # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
    # - --enable-certificate-owner-ref=true
  prometheus:
    servicemonitor:
      enabled: false
  # cert-manager.podAnnotations."iam.amazonaws.com/role" -- IAM role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"
  podAnnotations:
    iam.amazonaws.com/role: ""