The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management. The cert-manager Operator for Red Hat OpenShift allows you to integrate with external certificate authorities and provides certificate provisioning, renewal, and retirement.
The cert-manager project introduces certificate authorities and certificates as resource types in the Kubernetes API, which makes it possible to provide certificates on demand to developers working within your cluster. The cert-manager Operator for Red Hat OpenShift provides a supported way to integrate cert-manager into your OpenShift Container Platform cluster.
The cert-manager Operator for Red Hat OpenShift provides the following features:
Support for integrating with external certificate authorities
Tools to manage certificates
Ability for developers to self-serve certificates
Automatic certificate renewal
Do not attempt to use both cert-manager Operator for Red Hat OpenShift for OpenShift Container Platform and the community cert-manager Operator at the same time in your cluster. Also, you should not install cert-manager Operator for Red Hat OpenShift for OpenShift Container Platform in multiple namespaces within a single OpenShift cluster. |
The cert-manager Operator for Red Hat OpenShift supports the following issuer types:
Automated certificate Management Environment (ACME)
certificate authority (CA)
Self-signed
There are two ways to request a certificate using the cert-manager Operator for Red Hat OpenShift:
cert-manager.io/certificateRequest
objectWith this method a service developer creates a certificateRequest
object with a valid issuerRef
pointing to a configured issuer (configured by a service infrastructure administrator). A service infrastructure administrator then accepts or denies the certificate request. Only accepted certificate requests create a corresponding certificate.
cert-manager.io/certificate
objectWith this method, a service developer creates a certificate
object with a valid issuerRef
and obtains a certificate from a secret that they pointed to the certificate
object.
OpenShift Container Platform 4.17 supports the following versions of cert-manager Operator for Red Hat OpenShift:
cert-manager Operator for Red Hat OpenShift 1.13
Starting with version 1.14.0, cert-manager Operator for Red Hat OpenShift is designed for FIPS compliance. When running on OpenShift Container Platform in FIPS mode, it uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390X architectures. For more information about the NIST validation program, see Cryptographic module validation program. For the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance activities and government standards.
To enable FIPS mode, you must install cert-manager Operator for Red Hat OpenShift on an OpenShift Container Platform cluster configured to operate in FIPS mode. For more information, see "Do you need extra security for your cluster?"