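# Values for the cert-manager wrapper chart.
# Top-level keys: clusterIssuer, localCA and the cert-manager subchart.

# ACME ClusterIssuer definition. Empty by default; the commented keys show
# a Let's Encrypt DNS-01 example using Route 53.
clusterIssuer: {}
  # name: letsencrypt-dns-prod
  # server: https://acme-v02.api.letsencrypt.org/directory
  # email: admin@example.com
  # solvers:
  #   - dns01:
  #       route53:
  #         region: us-west-2
  #         # quoted so an all-digit ID is not parsed as an integer
  #         hostedZoneID: "1234567890"

localCA:
  enabled: false
  # If selfsigning is false you must provide the ca key and crt below
  selfsigning: true
  # The CA private key is a long-lived signing secret: supply key/crt from
  # an encrypted values file or a secret store at deploy time rather than
  # committing them to this file.
  # ca:
  #   key:
  #   crt:

cert-manager:
  enabled: true

  global:
    leaderElection:
      namespace: "cert-manager"

  # On AWS enable Projected Service Accounts to assume IAM role
  # AWS_ROLE_ARN is left empty here; set it to the role cert-manager should
  # assume. For DNS-01 that role only needs access to the hosted zone(s)
  # named in the solver, so keep its policy scoped to them.
  # extraEnv:
  #   - name: AWS_ROLE_ARN
  #     value: ""
  #   - name: AWS_WEB_IDENTITY_TOKEN_FILE
  #     value: "/var/run/secrets/sts.amazonaws.com/serviceaccount/token"
  #   - name: AWS_STS_REGIONAL_ENDPOINTS
  #     value: regional

  # Projected token bound to the STS audience and expiring after 86400 s.
  # volumes:
  #   - name: aws-token
  #     projected:
  #       sources:
  #         - serviceAccountToken:
  #             path: token
  #             expirationSeconds: 86400
  #             audience: "sts.amazonaws.com"

  # volumeMounts:
  #   - name: aws-token
  #     mountPath: "/var/run/secrets/sts.amazonaws.com/serviceaccount/"
  #     readOnly: true

  # Controller pods are pinned to control-plane nodes; both the legacy
  # "master" taint and the "control-plane" taint are tolerated.
  tolerations:
    - key: node-role.kubernetes.io/master
      effect: NoSchedule
    - key: node-role.kubernetes.io/control-plane
      effect: NoSchedule

  nodeSelector:
    node-role.kubernetes.io/control-plane: ""

  # Issuer that ingress-shim falls back to when an Ingress requests a
  # certificate without naming one.
  # NOTE(review): clusterIssuer above is empty by default, so this name
  # presumably only resolves once an issuer called letsencrypt-dns-prod
  # has been configured; confirm against the chart templates.
  ingressShim:
    defaultIssuerName: letsencrypt-dns-prod
    defaultIssuerKind: ClusterIssuer

  # Same control-plane placement as the controller.
  webhook:
    tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""

  # Same control-plane placement as the controller.
  cainjector:
    tolerations:
      - key: node-role.kubernetes.io/master
        effect: NoSchedule
      - key: node-role.kubernetes.io/control-plane
        effect: NoSchedule
    nodeSelector:
      node-role.kubernetes.io/control-plane: ""

  extraArgs:
    # DNS-01 propagation checks go through recursive resolvers only.
    - "--dns01-recursive-nameservers-only"
    # When this flag is enabled, secrets will be automatically removed when
    # the certificate resource is deleted
    # - --enable-certificate-owner-ref=true

  prometheus:
    servicemonitor:
      enabled: false

  # cert-manager.podAnnotations -- "iam.amazonaws.com/roleIAM:" role ARN the
  # cert-manager might use via kiam
  # eg. "arn:aws:iam::123456789012:role/certManagerRoleArn"
  # NOTE(review): no podAnnotations key is set in this file.

  startupapicheck:
    enabled: false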