Chapter 7. cert-manager Operator for Red Hat OpenShift
7.1. cert-manager Operator for Red Hat OpenShift overview
The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management. The cert-manager Operator for Red Hat OpenShift allows you to integrate with external certificate authorities and provides certificate provisioning, renewal, and retirement.
The cert-manager Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.
For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.
7.1.1. About the cert-manager Operator for Red Hat OpenShift
The cert-manager project introduces certificate authorities and certificates as resource types in the Kubernetes API, which makes it possible to provide certificates on demand to developers working within your cluster. The cert-manager Operator for Red Hat OpenShift provides a supported way to integrate cert-manager into your OpenShift Container Platform cluster.
The cert-manager Operator for Red Hat OpenShift provides the following features:
- Support for integrating with external certificate authorities
- Tools to manage certificates
- Ability for developers to self-serve certificates
- Automatic certificate renewal
Do not attempt to use more than one cert-manager Operator in your cluster. If you have a community cert-manager Operator installed in your cluster, you must uninstall it before installing the cert-manager Operator for Red Hat OpenShift.
7.1.2. Certificate request methods
There are two ways to request a certificate using the cert-manager Operator for Red Hat OpenShift:
- Using the cert-manager.io/CertificateRequest object
  With this method, a service developer creates a CertificateRequest object with a valid issuerRef pointing to a configured issuer (configured by a service infrastructure administrator). A service infrastructure administrator then accepts or denies the certificate request. Only accepted certificate requests create a corresponding certificate.
- Using the cert-manager.io/Certificate object
  With this method, a service developer creates a Certificate object with a valid issuerRef and obtains the certificate from the secret that they pointed the Certificate object to.
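The second method, as an added example that is not taken from the Red Hat documentation: a Certificate object whose issuerRef points at a namespaced Issuer and whose secretName names the secret that receives the issued certificate and private key. The namespace, issuer name, secret name, and DNS name are hypothetical, and a self-signed Issuer stands in for the issuer that a service infrastructure administrator would configure.

```yaml
# Added example; every name below is hypothetical.
# Stand-in for the issuer configured by a service infrastructure administrator.
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: example-issuer
  namespace: example-app
spec:
  selfSigned: {}
---
# Created by the service developer.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: example-app-tls
  namespace: example-app
spec:
  secretName: example-app-tls    # secret that receives tls.crt and tls.key
  issuerRef:
    group: cert-manager.io
    kind: Issuer                 # use ClusterIssuer for a cluster-scoped issuer
    name: example-issuer
  dnsNames:
    - example-app.example-app.svc
  duration: 2160h                # certificate lifetime: 90 days
  renewBefore: 360h              # renew 15 days before expiry
  privateKey:
    algorithm: ECDSA
    size: 256
    rotationPolicy: Always       # generate a new private key at each renewal
  usages:
    - digital signature
    - server auth
```

The secret named in secretName holds the private key, so restrict read access to it in the namespace to the workloads that terminate TLS.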
7.1.3. Additional resources
7.2. cert-manager Operator for Red Hat OpenShift release notes
The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management.
These release notes track the development of cert-manager Operator for Red Hat OpenShift.
For more information, see About the cert-manager Operator for Red Hat OpenShift.
7.2.1. Release notes for cert-manager Operator for Red Hat OpenShift 1.7.1-1 (Technology Preview)
Issued: 2022-04-11
The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.7.1-1:
For more information, see the cert-manager project release notes for v1.7.1.
7.2.1.1. New features and enhancements
- This is the initial, Technology Preview release of the cert-manager Operator for Red Hat OpenShift.
7.2.1.2. Known issues
- Using Route objects is not fully supported. Currently, cert-manager Operator for Red Hat OpenShift integrates with Route objects by creating Ingress objects through the Ingress Controller. (CM-16)
7.3. Installing the cert-manager Operator for Red Hat OpenShift
The cert-manager Operator for Red Hat OpenShift is not installed in OpenShift Container Platform by default. You can install the cert-manager Operator for Red Hat OpenShift by using the web console.
7.3.1. Installing the cert-manager Operator for Red Hat OpenShift using the web console
You can use the web console to install the cert-manager Operator for Red Hat OpenShift.
Prerequisites
- You have access to the cluster with cluster-admin privileges.
- You have access to the OpenShift Container Platform web console.
Procedure
- Log in to the OpenShift Container Platform web console.
- Navigate to Operators → OperatorHub.
- Enter cert-manager Operator for Red Hat OpenShift into the filter box.
- Select the cert-manager Operator for Red Hat OpenShift and click Install.
- On the Install Operator page:
  - The Update channel is set to tech-preview, which installs the latest Technology Preview release of the cert-manager Operator for Red Hat OpenShift.
  - The Installation Mode is set to All namespaces on the cluster (default). This mode installs the Operator in the Operator-recommended openshift-cert-manager-operator namespace to watch and be made available to all namespaces in the cluster.
  - Choose the Installed Namespace for the Operator. The default Operator recommended namespace is openshift-cert-manager-operator. If the openshift-cert-manager-operator namespace does not exist, it is created for you.
  - Click the Enable Operator recommended cluster monitoring on the Namespace checkbox to enable cluster monitoring for the Operator.
  - Select an Update approval strategy.
    - The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
    - The Manual strategy requires a user with appropriate credentials to approve the Operator update.
  - Click Install.
Verification
- Navigate to Operators → Installed Operators.
- Verify that cert-manager Operator for Red Hat OpenShift is listed with a Status of Succeeded.
7.3.2. Understanding update channels of the cert-manager Operator for Red Hat OpenShift
Update channels are the mechanism by which you can declare the version of your cert-manager Operator for Red Hat OpenShift in your cluster. The cert-manager Operator for Red Hat OpenShift offers the following update channels:
- stable-v1
- stable-v1.y
7.3.2.1. stable-v1 channel
The stable-v1 channel is the default and suggested channel while installing the cert-manager Operator for Red Hat OpenShift. The stable-v1 channel installs and updates the latest release version of the cert-manager Operator for Red Hat OpenShift. Select the stable-v1 channel if you want to use the latest stable release of the cert-manager Operator for Red Hat OpenShift.
The stable-v1 channel offers the following update approval strategies:
- Automatic
  If you choose automatic updates for an installed cert-manager Operator for Red Hat OpenShift, then when a new version of the cert-manager Operator for Red Hat OpenShift is available in the stable-v1 channel, the Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without human intervention.
- Manual
  If you select manual updates, when a newer version of the cert-manager Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version.
7.3.2.2. stable-v1.y channel
The y-stream version of the cert-manager Operator for Red Hat OpenShift installs updates from the stable-v1.y channels such as stable-v1.10, stable-v1.11, and stable-v1.12. Select the stable-v1.y channel if you want to use the y-stream version and stay updated to the z-stream version of the cert-manager Operator for Red Hat OpenShift.
The stable-v1.y channel offers the following update approval strategies:
- Automatic
  If you choose automatic updates for an installed cert-manager Operator for Red Hat OpenShift, then when a new z-stream version of the cert-manager Operator for Red Hat OpenShift is available in the stable-v1.y channel, OLM automatically upgrades the running instance of your Operator without human intervention.
- Manual
  If you select manual updates, when a newer version of the cert-manager Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version of the z-stream releases.
7.3.3. Additional resources
7.4. Uninstalling the cert-manager Operator for Red Hat OpenShift
You can remove the cert-manager Operator for Red Hat OpenShift from OpenShift Container Platform by uninstalling the Operator and removing its related resources.
7.4.1. Uninstalling the cert-manager Operator for Red Hat OpenShift
You can uninstall the cert-manager Operator for Red Hat OpenShift by using the web console.
Prerequisites
- You have access to the cluster with cluster-admin privileges.
- You have access to the OpenShift Container Platform web console.
- The cert-manager Operator for Red Hat OpenShift is installed.
Procedure
- Log in to the OpenShift Container Platform web console.
- Uninstall the cert-manager Operator for Red Hat OpenShift Operator.
  - Navigate to Operators → Installed Operators.
  - Click the Options menu next to the cert-manager Operator for Red Hat OpenShift entry and click Uninstall Operator.
  - In the confirmation dialog, click Uninstall.
7.4.2. Removing cert-manager Operator for Red Hat OpenShift resources
Optionally, after uninstalling the cert-manager Operator for Red Hat OpenShift, you can remove its related resources from your cluster.
Prerequisites
- You have access to the cluster with cluster-admin privileges.
- You have access to the OpenShift Container Platform web console.
Procedure
- Log in to the OpenShift Container Platform web console.
- Remove CRDs that were installed by the cert-manager Operator for Red Hat OpenShift:
  - Navigate to Administration → CustomResourceDefinitions.
  - Enter certmanager in the Name field to filter the CRDs.
  - Click the Options menu next to each of the following CRDs, and select Delete Custom Resource Definition:
    - Certificate
    - CertificateRequest
    - CertManager (config.openshift.io)
    - CertManager (operator.openshift.io)
    - Challenge
    - ClusterIssuer
    - Issuer
    - Order
- Remove the openshift-cert-manager-operator namespace.
  - Navigate to Administration → Namespaces.
  - Click the Options menu next to the openshift-cert-manager-operator and select Delete Namespace.
  - In the confirmation dialog, enter openshift-cert-manager-operator in the field and click Delete.