This is a cache of https://docs.openshift.com/container-platform/4.17/security/cert_manager_operator/cert-manager-customizing-api-fields.html. It is a snapshot of the page at 2024-11-28T06:32:22.259+0000.
Customizing cert-manager by using the cert-manager Operator API fields - cert-manager Operator for Red Hat OpenShift | Security and compliance | OpenShift Container Platform 4.17
×

You can customize the cert-manager Operator for Red Hat OpenShift API fields by overriding environment variables and arguments.

To override unsupported arguments, you can add spec.unsupportedConfigOverrides section in the CertManager resource, but using spec.unsupportedConfigOverrides is unsupported.

Customizing cert-manager by overriding environment variables from the cert-manager Operator API

You can override the supported environment variables for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.

Prerequisites
  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

Procedure
  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
  2. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
      ...
    spec:
      ...
      controllerConfig:
        overrideEnv:
          - name: HTTP_PROXY
            value: http://<proxy_url> (1)
          - name: HTTPS_PROXY
            value: https://<proxy_url> (1)
          - name: NO_PROXY
            value: <ignore_proxy_domains> (2)
    1 Replace <proxy_url> with the proxy server URL.
    2 Replace <ignore_proxy_domains> with a comma separated list of domains. These domains are ignored by the proxy server.
  3. Save your changes and quit the text editor to apply your changes.

Verification
  1. Verify that the cert-manager controller pod is redeployed by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Example output
    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          39s
  2. Verify that environment variables are updated for the cert-manager pod by running the following command:

    $ oc get pod <redeployed_cert-manager_controller_pod> -n cert-manager -o yaml
    Example output
        env:
        ...
        - name: HTTP_PROXY
          value: http://<PROXY_URL>
        - name: HTTPS_PROXY
          value: https://<PROXY_URL>
        - name: NO_PROXY
          value: <IGNORE_PROXY_DOMAINS>

Customizing cert-manager by overriding arguments from the cert-manager Operator API

You can override the supported arguments for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.

Prerequisites
  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

Procedure
  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
  2. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
      ...
    spec:
      ...
      controllerConfig:
        overrideArgs:
          - '--dns01-recursive-nameservers=<server_address>' (1)
          - '--dns01-recursive-nameservers-only' (2)
          - '--acme-http01-solver-nameservers=<host>:<port>' (3)
          - '--v=<verbosity_level>' (4)
          - '--metrics-listen-address=<host>:<port>' (5)
          - '--issuer-ambient-credentials' (6)
      webhookConfig:
        overrideArgs:
          - '--v=4' (4)
      cainjectorConfig:
        overrideArgs:
          - '--v=2' (4)
    1 Provide a comma-separated list of nameservers to query for the DNS-01 self check. The nameservers can be specified either as <host>:<port>, for example, 1.1.1.1:53, or use DNS over HTTPS (DoH), for example, https://1.1.1.1/dns-query.
    2 Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
    3 Provide a comma-separated list of <host>:<port> nameservers to query for the Automated Certificate Management Environment (ACME) HTTP01 self check. For example, --acme-http01-solver-nameservers=1.1.1.1:53.
    4 Specify to set the log level verbosity to determine the verbosity of log messages.
    5 Specify the host and port for the metrics endpoint. The default value is --metrics-listen-address=0.0.0.0:9402.
    6 You must use the --issuer-ambient-credentials argument when configuring an ACME Issuer to solve DNS-01 challenges by using ambient credentials.

    DNS over HTTPS (DoH) is supported starting only from cert-manager Operator for Red Hat OpenShift version 1.13.0 and later.

  3. Save your changes and quit the text editor to apply your changes.

Verification
  • Verify that arguments are updated for cert-manager pods by running the following command:

    $ oc get pods -n cert-manager -o yaml
    Example output
    ...
      metadata:
        name: cert-manager-6d4b5d4c97-kldwl
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          - --acme-http01-solver-nameservers=1.1.1.1:53
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --dns01-recursive-nameservers=1.1.1.1:53
          - --dns01-recursive-nameservers-only
          - --leader-election-namespace=kube-system
          - --max-concurrent-challenges=60
          - --metrics-listen-address=0.0.0.0:9042
          - --v=6
    ...
      metadata:
        name: cert-manager-cainjector-866c4fd758-ltxxj
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          - --leader-election-namespace=kube-system
          - --v=2
    ...
      metadata:
        name: cert-manager-webhook-6d48f88495-c88gd
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          ...
          - --v=4

Deleting a TLS secret automatically upon Certificate removal

You can enable the --enable-certificate-owner-ref flag for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource. The --enable-certificate-owner-ref flag sets the certificate resource as an owner of the secret where the TLS certificate is stored.

If you uninstall the cert-manager Operator for Red Hat OpenShift or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used.

Prerequisites
  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

  • You have installed version 1.12.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure
  1. Check that the Certificate object and its secret are available by running the following command:

    $ oc get certificate
    Example output
    NAME                                             READY   secret                                           AGE
    certificate-from-clusterissuer-route53-ambient   True    certificate-from-clusterissuer-route53-ambient   8h
  2. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
  3. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
    # ...
    spec:
    # ...
      controllerConfig:
        overrideArgs:
          - '--enable-certificate-owner-ref'
  4. Save your changes and quit the text editor to apply your changes.

Verification
  • Verify that the --enable-certificate-owner-ref flag is updated for cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml
    Example output
    # ...
      metadata:
        name: cert-manager-6e4b4d7d97-zmdnb
        namespace: cert-manager
    # ...
      spec:
        containers:
        - args:
          - --enable-certificate-owner-ref

Overriding CPU and memory limits for the cert-manager components

After installing the cert-manager Operator for Red Hat OpenShift, you can configure the CPU and memory limits from the cert-manager Operator for Red Hat OpenShift API for the cert-manager components such as cert-manager controller, CA injector, and Webhook.

Prerequisites
  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

  • You have installed version 1.12.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure
  1. Check that the deployments of the cert-manager controller, CA injector, and Webhook are available by entering the following command:

    $ oc get deployment -n cert-manager
    Example output
    NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
    cert-manager              1/1     1            1           53m
    cert-manager-cainjector   1/1     1            1           53m
    cert-manager-webhook      1/1     1            1           53m
  2. Before setting the CPU and memory limit, check the existing configuration for the cert-manager controller, CA injector, and Webhook by entering the following command:

    $ oc get deployment -n cert-manager -o yaml
    Example output
    # ...
      metadata:
        name: cert-manager
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-controller
              resources: {} (1)
    # ...
      metadata:
        name: cert-manager-cainjector
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-cainjector
              resources: {} (1)
    # ...
      metadata:
        name: cert-manager-webhook
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-webhook
              resources: {} (1)
    # ...
    1 The spec.resources field is empty by default. The cert-manager components do not have CPU and memory limits.
  3. To configure the CPU and memory limits for the cert-manager controller, CA injector, and Webhook, enter the following command:

    $ oc patch certmanager.operator cluster --type=merge -p="
    spec:
      controllerConfig:
        overrideResources:
          limits: (1)
            cpu: 200m (2)
            memory: 64Mi (3)
          requests: (4)
            cpu: 10m (2)
            memory: 16Mi (3)
      webhookConfig:
        overrideResources:
          limits: (5)
            cpu: 200m (6)
            memory: 64Mi (7)
          requests: (8)
            cpu: 10m (6)
            memory: 16Mi (7)
      cainjectorConfig:
        overrideResources:
          limits: (9)
            cpu: 200m (10)
            memory: 64Mi (11)
          requests: (12)
            cpu: 10m (10)
            memory: 16Mi (11)
    "
    1 Defines the maximum amount of CPU and memory that a single container in a cert-manager controller pod can request.
    2 You can specify the CPU limit that a cert-manager controller pod can request. The default value is 10m.
    3 You can specify the memory limit that a cert-manager controller pod can request. The default value is 32Mi.
    4 Defines the amount of CPU and memory set by scheduler for the cert-manager controller pod.
    5 Defines the maximum amount of CPU and memory that a single container in a CA injector pod can request.
    6 You can specify the CPU limit that a CA injector pod can request. The default value is 10m.
    7 You can specify the memory limit that a CA injector pod can request. The default value is 32Mi.
    8 Defines the amount of CPU and memory set by scheduler for the CA injector pod.
    9 Defines the maximum amount of CPU and memory Defines the maximum amount of CPU and memory that a single container in a Webhook pod can request.
    10 You can specify the CPU limit that a Webhook pod can request. The default value is 10m.
    11 You can specify the memory limit that a Webhook pod can request. The default value is 32Mi.
    12 Defines the amount of CPU and memory set by scheduler for the Webhook pod.
    Example output
    certmanager.operator.openshift.io/cluster patched
Verification
  1. Verify that the CPU and memory limits are updated for the cert-manager components:

    $ oc get deployment -n cert-manager -o yaml
    Example output
    # ...
      metadata:
        name: cert-manager
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-controller
              resources:
                limits:
                  cpu: 200m
                  memory: 64Mi
                requests:
                  cpu: 10m
                  memory: 16Mi
    # ...
      metadata:
        name: cert-manager-cainjector
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-cainjector
              resources:
                limits:
                  cpu: 200m
                  memory: 64Mi
                requests:
                  cpu: 10m
                  memory: 16Mi
    # ...
      metadata:
        name: cert-manager-webhook
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-webhook
              resources:
                limits:
                  cpu: 200m
                  memory: 64Mi
                requests:
                  cpu: 10m
                  memory: 16Mi
    # ...