$ oc edit certmanager cluster
You can customize the cert-manager Operator for Red Hat OpenShift API fields by overriding environment variables and arguments.
To override unsupported arguments, you can add |
You can override the supported environment variables for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig
section in the CertManager
resource.
You have access to the OpenShift Container Platform cluster as a user with the cluster-admin
role.
Edit the CertManager
resource by running the following command:
$ oc edit certmanager cluster
Add a spec.controllerConfig
section with the following override arguments:
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
name: cluster
...
spec:
...
controllerConfig:
overrideEnv:
- name: HTTP_PROXY
value: http://<proxy_url> (1)
- name: HTTPS_PROXY
value: https://<proxy_url> (1)
- name: NO_PROXY
value: <ignore_proxy_domains> (2)
1 | Replace <proxy_url> with the proxy server URL. |
2 | Replace <ignore_proxy_domains> with a comma separated list of domains. These domains are ignored by the proxy server. |
Save your changes and quit the text editor to apply your changes.
Verify that the cert-manager controller pod is redeployed by running the following command:
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 39s
Verify that environment variables are updated for the cert-manager pod by running the following command:
$ oc get pod <redeployed_cert-manager_controller_pod> -n cert-manager -o yaml
env:
...
- name: HTTP_PROXY
value: http://<PROXY_URL>
- name: HTTPS_PROXY
value: https://<PROXY_URL>
- name: NO_PROXY
value: <IGNORE_PROXY_DOMAINS>
You can override the supported arguments for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig
section in the CertManager
resource.
You have access to the OpenShift Container Platform cluster as a user with the cluster-admin
role.
Edit the CertManager
resource by running the following command:
$ oc edit certmanager cluster
Add a spec.controllerConfig
section with the following override arguments:
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
name: cluster
...
spec:
...
controllerConfig:
overrideArgs:
- '--dns01-recursive-nameservers=<server_address>' (1)
- '--dns01-recursive-nameservers-only' (2)
- '--acme-http01-solver-nameservers=<host>:<port>' (3)
- '--v=<verbosity_level>' (4)
- '--metrics-listen-address=<host>:<port>' (5)
- '--issuer-ambient-credentials' (6)
webhookConfig:
overrideArgs:
- '--v=4' (4)
cainjectorConfig:
overrideArgs:
- '--v=2' (4)
1 | Provide a comma-separated list of nameservers to query for the DNS-01 self check. The nameservers can be specified either as <host>:<port> , for example, 1.1.1.1:53 , or use DNS over HTTPS (DoH), for example, https://1.1.1.1/dns-query . |
2 | Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain. |
3 | Provide a comma-separated list of <host>:<port> nameservers to query for the Automated Certificate Management Environment (ACME) HTTP01 self check. For example, --acme-http01-solver-nameservers=1.1.1.1:53 . |
4 | Specify to set the log level verbosity to determine the verbosity of log messages. |
5 | Specify the host and port for the metrics endpoint. The default value is --metrics-listen-address=0.0.0.0:9402 . |
6 | You must use the --issuer-ambient-credentials argument when configuring an ACME Issuer to solve DNS-01 challenges by using ambient credentials. |
DNS over HTTPS (DoH) is supported starting only from cert-manager Operator for Red Hat OpenShift version 1.13.0 and later. |
Save your changes and quit the text editor to apply your changes.
Verify that arguments are updated for cert-manager pods by running the following command:
$ oc get pods -n cert-manager -o yaml
...
metadata:
name: cert-manager-6d4b5d4c97-kldwl
namespace: cert-manager
...
spec:
containers:
- args:
- --acme-http01-solver-nameservers=1.1.1.1:53
- --cluster-resource-namespace=$(POD_NAMESPACE)
- --dns01-recursive-nameservers=1.1.1.1:53
- --dns01-recursive-nameservers-only
- --leader-election-namespace=kube-system
- --max-concurrent-challenges=60
- --metrics-listen-address=0.0.0.0:9042
- --v=6
...
metadata:
name: cert-manager-cainjector-866c4fd758-ltxxj
namespace: cert-manager
...
spec:
containers:
- args:
- --leader-election-namespace=kube-system
- --v=2
...
metadata:
name: cert-manager-webhook-6d48f88495-c88gd
namespace: cert-manager
...
spec:
containers:
- args:
...
- --v=4
You can enable the --enable-certificate-owner-ref
flag for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig
section in the CertManager
resource. The --enable-certificate-owner-ref
flag sets the certificate resource as an owner of the secret where the TLS certificate is stored.
If you uninstall the cert-manager Operator for Red Hat OpenShift or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used. |
You have access to the OpenShift Container Platform cluster as a user with the cluster-admin
role.
You have installed version 1.12.0 or later of the cert-manager Operator for Red Hat OpenShift.
Check that the Certificate
object and its secret are available by running the following command:
$ oc get certificate
NAME READY secret AGE
certificate-from-clusterissuer-route53-ambient True certificate-from-clusterissuer-route53-ambient 8h
Edit the CertManager
resource by running the following command:
$ oc edit certmanager cluster
Add a spec.controllerConfig
section with the following override arguments:
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
name: cluster
# ...
spec:
# ...
controllerConfig:
overrideArgs:
- '--enable-certificate-owner-ref'
Save your changes and quit the text editor to apply your changes.
Verify that the --enable-certificate-owner-ref
flag is updated for cert-manager controller pod by running the following command:
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml
# ...
metadata:
name: cert-manager-6e4b4d7d97-zmdnb
namespace: cert-manager
# ...
spec:
containers:
- args:
- --enable-certificate-owner-ref
After installing the cert-manager Operator for Red Hat OpenShift, you can configure the CPU and memory limits from the cert-manager Operator for Red Hat OpenShift API for the cert-manager components such as cert-manager controller, CA injector, and Webhook.
You have access to the OpenShift Container Platform cluster as a user with the cluster-admin
role.
You have installed version 1.12.0 or later of the cert-manager Operator for Red Hat OpenShift.
Check that the deployments of the cert-manager controller, CA injector, and Webhook are available by entering the following command:
$ oc get deployment -n cert-manager
NAME READY UP-TO-DATE AVAILABLE AGE
cert-manager 1/1 1 1 53m
cert-manager-cainjector 1/1 1 1 53m
cert-manager-webhook 1/1 1 1 53m
Before setting the CPU and memory limit, check the existing configuration for the cert-manager controller, CA injector, and Webhook by entering the following command:
$ oc get deployment -n cert-manager -o yaml
# ...
metadata:
name: cert-manager
namespace: cert-manager
# ...
spec:
template:
spec:
containers:
- name: cert-manager-controller
resources: {} (1)
# ...
metadata:
name: cert-manager-cainjector
namespace: cert-manager
# ...
spec:
template:
spec:
containers:
- name: cert-manager-cainjector
resources: {} (1)
# ...
metadata:
name: cert-manager-webhook
namespace: cert-manager
# ...
spec:
template:
spec:
containers:
- name: cert-manager-webhook
resources: {} (1)
# ...
1 | The spec.resources field is empty by default. The cert-manager components do not have CPU and memory limits. |
To configure the CPU and memory limits for the cert-manager controller, CA injector, and Webhook, enter the following command:
$ oc patch certmanager.operator cluster --type=merge -p="
spec:
controllerConfig:
overrideResources:
limits: (1)
cpu: 200m (2)
memory: 64Mi (3)
requests: (4)
cpu: 10m (2)
memory: 16Mi (3)
webhookConfig:
overrideResources:
limits: (5)
cpu: 200m (6)
memory: 64Mi (7)
requests: (8)
cpu: 10m (6)
memory: 16Mi (7)
cainjectorConfig:
overrideResources:
limits: (9)
cpu: 200m (10)
memory: 64Mi (11)
requests: (12)
cpu: 10m (10)
memory: 16Mi (11)
"
1 | Defines the maximum amount of CPU and memory that a single container in a cert-manager controller pod can request. |
2 | You can specify the CPU limit that a cert-manager controller pod can request. The default value is 10m . |
3 | You can specify the memory limit that a cert-manager controller pod can request. The default value is 32Mi . |
4 | Defines the amount of CPU and memory set by scheduler for the cert-manager controller pod. |
5 | Defines the maximum amount of CPU and memory that a single container in a CA injector pod can request. |
6 | You can specify the CPU limit that a CA injector pod can request. The default value is 10m . |
7 | You can specify the memory limit that a CA injector pod can request. The default value is 32Mi . |
8 | Defines the amount of CPU and memory set by scheduler for the CA injector pod. |
9 | Defines the maximum amount of CPU and memory Defines the maximum amount of CPU and memory that a single container in a Webhook pod can request. |
10 | You can specify the CPU limit that a Webhook pod can request. The default value is 10m . |
11 | You can specify the memory limit that a Webhook pod can request. The default value is 32Mi . |
12 | Defines the amount of CPU and memory set by scheduler for the Webhook pod. |
certmanager.operator.openshift.io/cluster patched
Verify that the CPU and memory limits are updated for the cert-manager components:
$ oc get deployment -n cert-manager -o yaml
# ...
metadata:
name: cert-manager
namespace: cert-manager
# ...
spec:
template:
spec:
containers:
- name: cert-manager-controller
resources:
limits:
cpu: 200m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
# ...
metadata:
name: cert-manager-cainjector
namespace: cert-manager
# ...
spec:
template:
spec:
containers:
- name: cert-manager-cainjector
resources:
limits:
cpu: 200m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
# ...
metadata:
name: cert-manager-webhook
namespace: cert-manager
# ...
spec:
template:
spec:
containers:
- name: cert-manager-webhook
resources:
limits:
cpu: 200m
memory: 64Mi
requests:
cpu: 10m
memory: 16Mi
# ...