clusterIssuer: {}
# name: letsencrypt-dns-prod
# server: https://acme-v02.api.letsencrypt.org/directory
# email: admin@example.com
# solvers:
#   - dns01:
#       route53:
#         region: us-west-2
#         hostedZoneID: 1234567890

localCA:
  enabled: false
  # If selfsigning is false you must provide the ca key and crt below
  selfsigning: true
  #ca:
  #  key: <pem-key-material>
  #  crt: <pem-crt-material>

cert-manager:
  enabled: true

  crds:
    enabled: true

  global:
    leaderElection:
      namespace: "cert-manager"

  # remove secrets if the cert is deleted
  enableCertificateOwnerRef: true

  extraArgs:
    - "--logging-format=json"
    - "--leader-elect=false"
    - "--dns01-recursive-nameservers-only"
    # When this flag is enabled, secrets will be automatically removed when the certificate resource is deleted
    # - --enable-certificate-owner-ref=true

  #enableCertificateOwnerRef: true

  # On AWS enable Projected Service Accounts to assume IAM role
  #extraEnv:
  #- name: AWS_ROLE_ARN
  #  value: "<cert-manager IAM ROLE ARN>"
  #- name: AWS_WEB_IDENTITY_TOKEN_FILE
  #  value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
  #- name: AWS_STS_REGIONAL_ENDPOINTS
  #  value: regional

  #volumes:
  #- name: aws-token
  #  projected:
  #    sources:
  #    - serviceAccountToken:
  #        path: token
  #        expirationSeconds: 86400
  #        audience: "sts.amazonaws.com"

  #volumeMounts:
  #- name: aws-token
  #  mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
  #  readOnly: true

  ingressShim:
    defaultIssuerName: letsencrypt-dns-prod
    defaultIssuerKind: ClusterIssuer

  webhook:
    extraArgs:
      - "--logging-format=json"

  cainjector:
    extraArgs:
      - "--logging-format=json"
      - "--leader-elect=false"

  prometheus:
    servicemonitor:
      enabled: false

  # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the cert-manager might use via kiam eg."arn:aws:iam::123456789012:role/certManagerRoleArn"

  startupapicheck:
    enabled: false