Configuration

component "cert-manager" {
  namespace = "cert-manager" # optional

  # Default values of the parameters

  letsencrypt = {
    email = ""              # required, the email to associate with the Let's Encrypt account

    route53 = {
      enable = false        # enable Route53 DNS01 challenge
      region = "eu-west-1"  # AWS region of the Route53 zone
      domains = []          # optional, domains that match this list will use the DNS01 challenge
      zoneId = ""           # optional, the Route53 zone ID to match
      eksRole = ""          # When running on EKS, the IAM role cert-manager will use to invoke the Route53 API
      iamRole = ""          # When running on EC2, the IAM role cert-manager will use to invoke the Route53 API
    }

    cloudflare = {
      enable = false        # enable CloudFlare DNS01 challenge
      email = ""            # required, CloudFlare email associated with the account
      domains = []          # optional, domains that match this list will use the DNS01 challenge

      # External Secrets configuration for pulling the CloudFlare API token from the storage service
      secret = {
        # override this section only if you are not using the default store from the external-secrets component
        store = {
          name = "default"
          kind = "ClusterSecretStore"
        }
        key = ""            # required, should be the store-specific key to the secret, e.g. the Vault or AWS Secrets Manager key
        property = ""       # optional, should be the store-specific property inside the secret containing the token if the secret is structured (e.g. a JSON document)
      }
    }
  }
}
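
As an added illustration, and not the component's own generated output (the page does not show its exact shape), the hand-written cert-manager and External Secrets resources that the settings above correspond to: each field is annotated with the parameter it reflects. The secret name `cloudflare-api-token`, the domains, the Vault-style key path, the hosted zone ID and the role ARN are assumptions.

```yaml
# Added example: hand-written equivalent of the letsencrypt block above.
# Names, domains, the key path, the zone ID and the role ARN are assumed placeholders.
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager          # component namespace
spec:
  secretStoreRef:
    name: default                  # letsencrypt.cloudflare.secret.store.name
    kind: ClusterSecretStore       # letsencrypt.cloudflare.secret.store.kind
  target:
    name: cloudflare-api-token     # Secret the ClusterIssuer reads the token from
  data:
    - secretKey: api-token
      remoteRef:
        key: secret/cert-manager/cloudflare   # letsencrypt.cloudflare.secret.key
        property: token                       # letsencrypt.cloudflare.secret.property
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com                    # letsencrypt.email
    privateKeySecretRef:
      name: letsencrypt-account-key
    solvers:
      # A solver with a selector only serves names inside the listed zones.
      - selector:
          dnsZones: [example.com]             # letsencrypt.cloudflare.domains
        dns01:
          cloudflare:
            email: ops@example.com            # letsencrypt.cloudflare.email
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
      - selector:
          dnsZones: [example.org]             # letsencrypt.route53.domains
        dns01:
          route53:
            region: eu-west-1                 # letsencrypt.route53.region
            hostedZoneID: ZPLACEHOLDER        # letsencrypt.route53.zoneId
            role: arn:aws:iam::123456789012:role/cert-manager-route53  # eksRole / iamRole
      # Catch-all for names not matched by any selector above.
      - http01:
          ingress:
            class: nginx
```

cert-manager picks the solver whose selector matches most specifically, so only names under the listed zones go through DNS01 while everything else falls through to the HTTP01 solver.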

Route53

See cert-manager docs for more information on the permissions required to perform the DNS01 challenge.

CloudFlare

See cert-manager docs for more information on the permissions required to perform the DNS01 challenge.