Este conteúdo não está disponível no idioma selecionado.

Chapter 9. cert-manager Operator for Red Hat OpenShift


9.1. cert-manager Operator for Red Hat OpenShift overview

The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management. The cert-manager Operator for Red Hat OpenShift allows you to integrate with external certificate authorities and provides certificate provisioning, renewal, and retirement.

9.1.1. About the cert-manager Operator for Red Hat OpenShift

The cert-manager project introduces certificate authorities and certificates as resource types in the Kubernetes API, which makes it possible to provide certificates on demand to developers working within your cluster. The cert-manager Operator for Red Hat OpenShift provides a supported way to integrate cert-manager into your OpenShift Container Platform cluster.

The cert-manager Operator for Red Hat OpenShift provides the following features:

  • Support for integrating with external certificate authorities
  • Tools to manage certificates
  • Ability for developers to self-serve certificates
  • Automatic certificate renewal
Important

Do not attempt to use both cert-manager Operator for Red Hat OpenShift for OpenShift Container Platform and the community cert-manager Operator at the same time in your cluster.

Also, you should not install cert-manager Operator for Red Hat OpenShift for OpenShift Container Platform in multiple namespaces within a single OpenShift cluster.

9.1.2. cert-manager Operator for Red Hat OpenShift issuer providers

The cert-manager Operator for Red Hat OpenShift has been tested with the following issuer types:

9.1.2.1. Testing issuer types

The following table outlines the test coverage for each tested issuer type:

Expand
Issuer TypeTest StatusNotes

ACME

Fully Tested

Verified with standard ACME implementations.

CA

Fully Tested

Ensures basic CA functionality.

Self-signed

Fully Tested

Ensures basic self-signed functionality.

Vault

Fully Tested

Limited to standard Vault setups due to infrastructure access constraints.

Venafi

Partially tested

Subject to provider-specific limitations.

NCM

Partially Tested

Subject to provider-specific limitations.

Google CAS

Partially Tested

Compatible with common CA configurations.

Note

OpenShift Container Platform does not test all factors associated with third-party cert-manager Operator for Red Hat OpenShift provider functionality. For more information about third-party support, see the OpenShift Container Platform third-party support policy.

9.1.3. Certificate request methods

There are two ways to request a certificate using the cert-manager Operator for Red Hat OpenShift:

Using the cert-manager.io/CertificateRequest object
With this method a service developer creates a CertificateRequest object with a valid issuerRef pointing to a configured issuer (configured by a service infrastructure administrator). A service infrastructure administrator then accepts or denies the certificate request. Only accepted certificate requests create a corresponding certificate.
Using the cert-manager.io/Certificate object
With this method, a service developer creates a Certificate object with a valid issuerRef and obtains a certificate from a secret that they pointed to the Certificate object.

9.1.4. Supported cert-manager Operator for Red Hat OpenShift versions

For the list of supported versions of the cert-manager Operator for Red Hat OpenShift across different OpenShift Container Platform releases, see the "Platform Agnostic Operators" section in the OpenShift Container Platform update and support policy.

9.1.5. About FIPS compliance for cert-manager Operator for Red Hat OpenShift

Starting with version 1.14.0, cert-manager Operator for Red Hat OpenShift is designed for FIPS compliance. When running on OpenShift Container Platform in FIPS mode, it uses the RHEL cryptographic libraries submitted to NIST for FIPS validation on the x86_64, ppc64le, and s390X architectures. For more information about the NIST validation program, see Cryptographic module validation program. For the latest NIST status for the individual versions of the RHEL cryptographic libraries submitted for validation, see Compliance activities and government standards.

To enable FIPS mode, you must install cert-manager Operator for Red Hat OpenShift on an OpenShift Container Platform cluster configured to operate in FIPS mode. For more information, see "Do you need extra security for your cluster?"

9.2. cert-manager Operator for Red Hat OpenShift release notes

The cert-manager Operator for Red Hat OpenShift is a cluster-wide service that provides application certificate lifecycle management.

These release notes track the development of cert-manager Operator for Red Hat OpenShift.

For more information, see About the cert-manager Operator for Red Hat OpenShift.

9.2.1. cert-manager Operator for Red Hat OpenShift 1.17.0

Issued: 2025-08-06

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.17.0:

Version 1.17.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.17.4. For more information, see the cert-manager project release notes for v1.17.4.

9.2.1.1. Bug fixes

  • Previously, the status field in the IstioCSR custom resource (CR) was not set to Ready even after the successful deployment of Istio‑CSR. With this fix, the status field is correctly set to Ready, ensuring consistent and reliable status reporting. (CM-546)

9.2.1.2. New features and enhancements

Support to configure resource requests and limits for ACME HTTP‑01 solver pods

With this release, the cert-manager Operator for Red Hat OpenShift supports configuring CPU and memory resource requests and limits for ACME HTTP‑01 solver pods. You can configure the CPU and memory resource requests and limits by using the following overridable arguments in the CertManager custom resource (CR):

  • --acme-http01-solver-resource-limits-cpu
  • --acme-http01-solver-resource-limits-memory
  • --acme-http01-solver-resource-request-cpu
  • --acme-http01-solver-resource-request-memory

For more information, see Overridable arguments for the cert‑manager components.

9.2.1.3. CVEs

9.2.2. cert-manager Operator for Red Hat OpenShift 1.16.2

Issued: 2025-10-16

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.16.2:

Version 1.16.2 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.16.5. For more information, see the cert-manager project release notes for v1.16.5.

9.2.2.1. CVEs

9.2.3. cert-manager Operator for Red Hat OpenShift 1.16.1

Issued: 2025-07-10

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.16.1:

Version 1.16.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.16.5. For more information, see the cert-manager project release notes for v1.16.5.

9.2.3.1. Bug fixes

Previously, cert-manager Operator for Red Hat OpenShift failed to create the cert-manager-tokenrequest role due to insufficient RBAC permissions. This resulted in RoleCreateFailed errors and a degraded static-resource controller. With this release, the issue is resolved by adding the necessary serviceaccounts/token create permission to the RBAC configuration. As a result, the cert-manager-tokenrequest role and role binding are now successfully created, and RoleCreateFailed errors no longer appear in the operator logs. (OCPBUGS-56758)

9.2.3.2. CVEs

9.2.4. cert-manager Operator for Red Hat OpenShift 1.16.0

Issued: 2025-05-27

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.16.0:

Version 1.16.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.16.4. For more information, see the cert-manager project release notes for v1.16.4.

9.2.4.1. New features and enhancements

Disconnected environment support

With this release, the cert-manager Operator for Red Hat OpenShift has been verified to be mirrored to and installed in a disconnected environment.

The Operator has also been validated to work with the following issuer types in disconnected environments: ACME, CA, Self-signed, and Vault. Specifically, private or self-hosted ACME servers have been validated, as Let’s Encrypt or other public ACME services are not feasible options in disconnected environments. The oc-mirror plugin v2 is the preferred method to mirror Operator images. For more information, see Mirroring images for a disconnected installation by using the oc-mirror plugin v2.

Extended operand metrics support

With this release, cert-manager webhook and cainjector operands now expose Prometheus metrics on port 9402 by default via the /metrics service endpoint. You can configure OpenShift Monitoring to collect metrics from all cert-manager operands by enabling the built-in user workload monitoring stack. For more information, see Monitoring cert-manager Operator for Red Hat OpenShift.

Streaming Lists enablement

With this release, the cert-manager Operator for Red Hat OpenShift now uses the new upstream WatchListClient feature. This enables use of the Streaming Lists feature of the Kubernetes API server, which reduces the load on the API server. The peak memory use of the cert-manager components when they start up is optimized on OpenShift Container Platform 4.14 and later.

9.2.4.2. CVEs

9.2.4.3. Known Issues

When using the Venafi issuer with username and password authentication in cert-manager version 1.16.0, the default client ID is hard-coded as cert-manager.io and cannot be customized. This limitation can affect users requiring a specific client ID for authentication with the Venafi platform.

9.2.5. cert-manager Operator for Red Hat OpenShift 1.15.1

Issued: 2025-03-13

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.15.1:

Version 1.15.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.15.5. For more information, see the cert-manager project release notes for v1.15.5.

9.2.5.1. New features and enhancements

Integrating the cert-manager Operator for Red Hat OpenShift with Istio-CSR (Technology Preview)

The cert-manager Operator for Red Hat OpenShift now supports the Istio-CSR. With this integration, cert-manager Operator’s issuers can issue, sign, and renew certificates for mutual TLS (mTLS) communication. Red Hat OpenShift Service Mesh and Istio can now request these certificates directly from the cert-manager Operator.

For more information, see Integrating the cert-manager Operator with Istio-CSR.

9.2.5.2. CVEs

9.2.6. cert-manager Operator for Red Hat OpenShift 1.15.0

Issued: 2025-01-22

The following advisories are available for the cert-manager Operator for Red Hat OpenShift 1.15.0:

Version 1.15.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.15.4. For more information, see the cert-manager project release notes for v1.15.4.

9.2.6.1. New features and enhancements

Scheduling overrides for cert-manager Operator for Red Hat OpenShift

With this release, you can configure scheduling overrides for cert-manager Operator for Red Hat OpenShift, including the cert-manager controller, webhook, and CA injector.

Google CAS issuer

The cert-manager Operator for Red Hat OpenShift now supports the Google Certificate Authority Service (CAS) issuer. The google-cas-issuer is an external issuer for cert-manager that automates certificate lifecycle management, including issuance and renewal, with CAS-managed private certificate authorities.

Note

The Google CAS issuer is validated only with version 0.9.0 and cert-manager Operator for Red Hat OpenShift version 1.15.0. These versions support tasks such as issuing, renewing, and managing certificates for the API server and ingress controller in OpenShift Container Platform clusters.

Default installMode updated to AllNamespaces

Starting from version 1.15.0, the default and recommended Operator Lifecycle Manager (OLM) installMode is AllNamespaces. Previously, the default was SingleNamespace. This change aligns with best practices for multi-namespace Operator management. For more information, see OCPBUGS-23406.

Redundant kube-rbac-proxy sidecar removed

The Operator no longer includes the redundant kube-rbac-proxy sidecar container, reducing resource usage and complexity. For more information, see CM-436.

9.2.6.2. CVEs

9.2.7. cert-manager Operator for Red Hat OpenShift 1.14.0

Issued: 2024-07-08

The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.14.0:

Version 1.14.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.14.5. For more information, see the cert-manager project release notes for v1.14.5.

9.2.7.1. New features and enhancements

FIPS compliance support

With this release, FIPS mode is now automatically enabled for cert-manager Operator for Red Hat OpenShift. When installed on an OpenShift Container Platform cluster in FIPS mode, cert-manager Operator for Red Hat OpenShift ensures compatibility without affecting the cluster’s FIPS support status.

Securing routes with cert-manager managed certificates (Technology Preview)

With this release, you can manage certificates referenced in Route resources by using the cert-manager Operator for Red Hat OpenShift. For more information, see Securing routes with the cert-manager Operator for Red Hat OpenShift.

NCM issuer

The cert-manager Operator for Red Hat OpenShift now supports the Nokia NetGuard Certificate Manager (NCM) issuer. The ncm-issuer is a cert-manager external issuer that integrates with the NCM PKI system using a Kubernetes controller to sign certificate requests. This integration streamlines the process of obtaining non-self-signed certificates for applications, ensuring their validity and keeping them updated.

Note

The NCM issuer is validated only with version 1.1.1 and the cert-manager Operator for Red Hat OpenShift version 1.14.0. This version handles tasks such as issuance, renewal, and managing certificates for the API server and ingress controller of OpenShift Container Platform clusters.

9.2.7.2. CVEs

9.2.8. cert-manager Operator for Red Hat OpenShift 1.13.1

Issued: 2024-05-15

The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.13.1:

Version 1.13.1 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.13.6. For more information, see the cert-manager project release notes for v1.13.6.

9.2.8.1. CVEs

9.2.9. cert-manager Operator for Red Hat OpenShift 1.13.0

Issued: 2024-01-16

The following advisory is available for the cert-manager Operator for Red Hat OpenShift 1.13.0:

Version 1.13.0 of the cert-manager Operator for Red Hat OpenShift is based on the upstream cert-manager version v1.13.3. For more information, see the cert-manager project release notes for v1.13.0.

9.2.9.1. New features and enhancements

  • You can now manage certificates for API Server and Ingress Controller by using the cert-manager Operator for Red Hat OpenShift. For more information, see Configuring certificates with an issuer.
  • With this release, the scope of the cert-manager Operator for Red Hat OpenShift, which was previously limited to the OpenShift Container Platform on AMD64 architecture, has now been expanded to include support for managing certificates on OpenShift Container Platform running on IBM Z® (s390x), IBM Power® (ppc64le) and ARM64 architectures.
  • With this release, you can use DNS over HTTPS (DoH) for performing the self-checks during the ACME DNS-01 challenge verification. The DNS self-check method can be controlled by using the command-line flags, --dns01-recursive-nameservers-only and --dns01-recursive-nameservers. For more information, see Customizing cert-manager by overriding arguments from the cert-manager Operator API.

9.2.9.2. CVEs

9.3. Installing the cert-manager Operator for Red Hat OpenShift

Important

The cert-manager Operator for Red Hat OpenShift version 1.15 or later supports the AllNamespaces, SingleNamespace, and OwnNamespace installation modes. Earlier versions, such as 1.14, support only the SingleNamespace and OwnNamespace installation modes.

The cert-manager Operator for Red Hat OpenShift is not installed in OpenShift Container Platform by default. You can install the cert-manager Operator for Red Hat OpenShift by using the web console.

9.3.1. Installing the cert-manager Operator for Red Hat OpenShift

You can use the web console to install the cert-manager Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Navigate to Operators OperatorHub.
  3. Enter cert-manager Operator for Red Hat OpenShift into the filter box.
  4. Select the cert-manager Operator for Red Hat OpenShift
  5. Select the cert-manager Operator for Red Hat OpenShift version from Version drop-down list, and click Install.

    Note

    See supported cert-manager Operator for Red Hat OpenShift versions in the following "Additional resources" section.

  6. On the Install Operator page:

    1. Update the Update channel, if necessary. The channel defaults to stable-v1, which installs the latest stable release of the cert-manager Operator for Red Hat OpenShift.
    2. Choose the Installed Namespace for the Operator. The default Operator namespace is cert-manager-operator.

      If the cert-manager-operator namespace does not exist, it is created for you.

      Note

      During the installation, the OpenShift Container Platform web console allows you to select between AllNamespaces and SingleNamespace installation modes. For installations with cert-manager Operator for Red Hat OpenShift version 1.15.0 or later, it is recommended to choose the AllNamespaces installation mode. SingleNamespace and OwnNamespace support will remain for earlier versions but will be deprecated in future versions.

    3. Select an Update approval strategy.

      • The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.
    4. Click Install.

Verification

  1. Navigate to Operators Installed Operators.
  2. Verify that cert-manager Operator for Red Hat OpenShift is listed with a Status of Succeeded in the cert-manager-operator namespace.
  3. Verify that cert-manager pods are up and running by entering the following command:

    $ oc get pods -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt               1/1     Running   0          3m39s
    cert-manager-cainjector-56cc5f9868-7g9z7   1/1     Running   0          4m5s
    cert-manager-webhook-d4f79d7f7-9dg9w       1/1     Running   0          4m9s
    Copy to Clipboard Toggle word wrap

    You can use the cert-manager Operator for Red Hat OpenShift only after cert-manager pods are up and running.

9.3.1.2. Installing the cert-manager Operator for Red Hat OpenShift by using the CLI

Prerequisites

  • You have access to the cluster with cluster-admin privileges.

Procedure

  1. Create a new project named cert-manager-operator by running the following command:

    $ oc new-project cert-manager-operator
    Copy to Clipboard Toggle word wrap
  2. Create an OperatorGroup object:

    1. Create a YAML file, for example, operatorGroup.yaml, with the following content:

      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: openshift-cert-manager-operator
        namespace: cert-manager-operator
      spec:
        targetNamespaces:
        - "cert-manager-operator"
      Copy to Clipboard Toggle word wrap
    2. For cert-manager Operator for Red Hat OpenShift v1.15.0 or later, create a YAML file with the following content:

      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: openshift-cert-manager-operator
        namespace: cert-manager-operator
      spec:
        targetNamespaces: []
        spec: {}
      Copy to Clipboard Toggle word wrap
      Note

      Starting from cert-manager Operator for Red Hat OpenShift version 1.15.0, it is recommended to install the Operator using the AllNamespaces OLM installMode. Older versions can continue using the SingleNamespace or OwnNamespace OLM installMode. Support for SingleNamespace and OwnNamespace will be deprecated in future versions.

    3. Create the OperatorGroup object by running the following command:

      $ oc create -f operatorGroup.yaml
      Copy to Clipboard Toggle word wrap
  3. Create a Subscription object:

    1. Create a YAML file, for example, subscription.yaml, that defines the Subscription object:

      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: openshift-cert-manager-operator
        namespace: cert-manager-operator
      spec:
        channel: stable-v1
        name: openshift-cert-manager-operator
        source: redhat-operators
        sourceNamespace: openshift-marketplace
        installPlanApproval: Automatic
      Copy to Clipboard Toggle word wrap
    2. Create the Subscription object by running the following command:

      $ oc create -f subscription.yaml
      Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the OLM subscription is created by running the following command:

    $ oc get subscription -n cert-manager-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                              PACKAGE                           SOURCE             CHANNEL
    openshift-cert-manager-operator   openshift-cert-manager-operator   redhat-operators   stable-v1
    Copy to Clipboard Toggle word wrap

  2. Verify whether the Operator is successfully installed by running the following command:

    $ oc get csv -n cert-manager-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                            DISPLAY                                       VERSION   REPLACES                        PHASE
    cert-manager-operator.v1.13.0   cert-manager Operator for Red Hat OpenShift   1.13.0    cert-manager-operator.v1.12.1   Succeeded
    Copy to Clipboard Toggle word wrap

  3. Verify that the status cert-manager Operator for Red Hat OpenShift is Running by running the following command:

    $ oc get pods -n cert-manager-operator
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                        READY   STATUS    RESTARTS   AGE
    cert-manager-operator-controller-manager-695b4d46cb-r4hld   2/2     Running   0          7m4s
    Copy to Clipboard Toggle word wrap

  4. Verify that the status of cert-manager pods is Running by running the following command:

    $ oc get pods -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-58b7f649c4-dp6l4              1/1     Running   0          7m1s
    cert-manager-cainjector-5565b8f897-gx25h   1/1     Running   0          7m37s
    cert-manager-webhook-9bc98cbdd-f972x       1/1     Running   0          7m40s
    Copy to Clipboard Toggle word wrap

Update channels are the mechanism by which you can declare the version of your cert-manager Operator for Red Hat OpenShift in your cluster. The cert-manager Operator for Red Hat OpenShift offers the following update channels:

  • stable-v1
  • stable-v1.y

9.3.2.1. stable-v1 channel

The stable-v1 channel installs and updates the latest release version of the cert-manager Operator for Red Hat OpenShift. Select the stable-v1 channel if you want to use the latest stable release of the cert-manager Operator for Red Hat OpenShift.

Note

The stable-v1 channel is the default and suggested channel while installing the cert-manager Operator for Red Hat OpenShift.

The stable-v1 channel offers the following update approval strategies:

Automatic
If you choose automatic updates for an installed cert-manager Operator for Red Hat OpenShift, a new version of the cert-manager Operator for Red Hat OpenShift is available in the stable-v1 channel. The Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without human intervention.
Manual
If you select manual updates, when a newer version of the cert-manager Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version.

9.3.2.2. stable-v1.y channel

The y-stream version of the cert-manager Operator for Red Hat OpenShift installs updates from the stable-v1.y channels such as stable-v1.10, stable-v1.11, and stable-v1.12. Select the stable-v1.y channel if you want to use the y-stream version and stay updated to the z-stream version of the cert-manager Operator for Red Hat OpenShift.

The stable-v1.y channel offers the following update approval strategies:

Automatic
If you choose automatic updates for an installed cert-manager Operator for Red Hat OpenShift, a new z-stream version of the cert-manager Operator for Red Hat OpenShift is available in the stable-v1.y channel. OLM automatically upgrades the running instance of your Operator without human intervention.
Manual
If you select manual updates, when a newer version of the cert-manager Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version of the z-stream releases.

If a cluster-wide egress proxy is configured in OpenShift Container Platform, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. OLM automatically updates all of the Operator’s deployments with the HTTP_PROXY, HTTPS_PROXY, NO_PROXY environment variables.

You can inject any CA certificates that are required for proxying HTTPS connections into the cert-manager Operator for Red Hat OpenShift.

If your OpenShift Container Platform cluster has the cluster-wide proxy enabled, you can inject any CA certificates that are required for proxying HTTPS connections into the cert-manager Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have enabled the cluster-wide proxy for OpenShift Container Platform.

Procedure

  1. Create a config map in the cert-manager namespace by running the following command:

    $ oc create configmap trusted-ca -n cert-manager
    Copy to Clipboard Toggle word wrap
  2. Inject the CA bundle that is trusted by OpenShift Container Platform into the config map by running the following command:

    $ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n cert-manager
    Copy to Clipboard Toggle word wrap
  3. Update the deployment for the cert-manager Operator for Red Hat OpenShift to use the config map by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}}'
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the deployments have finished rolling out by running the following command:

    $ oc rollout status deployment/cert-manager-operator-controller-manager -n cert-manager-operator && \
    oc rollout status deployment/cert-manager -n cert-manager && \
    oc rollout status deployment/cert-manager-webhook -n cert-manager && \
    oc rollout status deployment/cert-manager-cainjector -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    deployment "cert-manager-operator-controller-manager" successfully rolled out
    deployment "cert-manager" successfully rolled out
    deployment "cert-manager-webhook" successfully rolled out
    deployment "cert-manager-cainjector" successfully rolled out
    Copy to Clipboard Toggle word wrap

  2. Verify that the CA bundle was mounted as a volume by running the following command:

    $ oc get deployment cert-manager -n cert-manager -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'}
    Copy to Clipboard Toggle word wrap

    Example output

    [{"mountPath":"/etc/pki/tls/certs/cert-manager-tls-ca-bundle.crt","name":"trusted-ca","subPath":"ca-bundle.crt"}]
    Copy to Clipboard Toggle word wrap

  3. Verify that the source of the CA bundle is the trusted-ca config map by running the following command:

    $ oc get deployment cert-manager -n cert-manager -o=jsonpath={.spec.template.spec.volumes}
    Copy to Clipboard Toggle word wrap

    Example output

    [{"configMap":{"defaultMode":420,"name":"trusted-ca"},"name":"trusted-ca"}]
    Copy to Clipboard Toggle word wrap

9.5. Customizing the cert-manager Operator by using the CertManager custom resource

After installing the cert-manager Operator for Red Hat OpenShift, you can perform the following actions by configuring the CertManager custom resource (CR):

  • Configure the arguments to modify the behavior of the cert-manager components, such as the cert-manager controller, CA injector, and Webhook.
  • Set environment variables for the controller pod.
  • Define resource requests and limits to manage CPU and memory usage.
  • Configure scheduling rules to control where pods run in your cluster.

Example CertManager CR YAML file

apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
spec:
  controllerConfig:
    overrideArgs:
      - "--dns01-recursive-nameservers=8.8.8.8:53,1.1.1.1:53"
    overrideEnv:
      - name: HTTP_PROXY
        value: http://proxy.example.com:8080
    overrideResources:
      limits:
        cpu: "200m"
        memory: "512Mi"
      requests:
        cpu: "100m"
        memory: "256Mi"
    overrideScheduling:
      nodeSelector:
        custom: "label"
      tolerations:
        - key: "key1"
          operator: "Equal"
          value: "value1"
          effect: "NoSchedule"

  webhookConfig:
    overrideArgs:
#...
    overrideResources:
#...
    overrideScheduling:
#...

  cainjectorConfig:
    overrideArgs:
#...
    overrideResources:
#...
    overrideScheduling:
#...
Copy to Clipboard Toggle word wrap

Warning

To override unsupported arguments, you can add spec.unsupportedConfigOverrides section in the CertManager resource, but using spec.unsupportedConfigOverrides is unsupported.

9.5.1. Explanation of fields in the CertManager custom resource

You can use the CertManager custom resource (CR) to configure the following core components of the cert-manager Operator for Red Hat OpenShift:

  • Cert-manager controller: You can use the spec.controllerConfig field to configure the cert‑manager controller pod.
  • Webhook: You can use the spec.webhookConfig field to configure the webhook pod, which handles validation and mutation requests.
  • CA injector: You can use the spec.cainjectorConfig field to configure the CA injector pod.

The following table lists the common fields that you can configure in the spec.controllerConfig, spec.webhookConfig, and spec.cainjectorConfig sections in the CertManager CR.

Expand
Table 9.1. Common configurable fields in the CertManager CR for the cert-manager components
FieldTypeDescription

overrideArgs

string

You can override the supported arguments for the cert-manager components.

overrideEnv

dict

You can override the supported environment variables for the cert-manager controller. This field is only supported for the cert-manager controller component.

overrideResources

object

You can configure the CPU and memory limits for the cert-manager components.

overrideScheduling

object

You can configure the pod scheduling constraints for the cert-manager components.

9.5.1.2. Overridable arguments for the cert-manager components

You can configure the overridable arguments for the cert-manager components in the spec.controllerConfig, spec.webhookConfig, and spec.cainjectorConfig sections in the CertManager CR.

The following table describes the overridable arguments for the cert-manager components:

Expand
Table 9.2. Overridable arguments the cert-manager components
ArgumentComponentDescription

--dns01-recursive-nameservers=<server_address>

Controller

Provide a comma-separated list of nameservers to query for the DNS-01 self check. The nameservers can be specified either as <host>:<port>, for example, 1.1.1.1:53, or use DNS over HTTPS (DoH), for example, https://1.1.1.1/dns-query.

Note

DNS over HTTPS (DoH) is supported starting only from cert-manager Operator for Red Hat OpenShift version 1.13.0 and later.

--dns01-recursive-nameservers-only

Controller

Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.

--acme-http01-solver-nameservers=<host>:<port>

Controller

Provide a comma-separated list of <host>:<port> nameservers to query for the Automated Certificate Management Environment (ACME) HTTP01 self check. For example, --acme-http01-solver-nameservers=1.1.1.1:53.

--metrics-listen-address=<host>:<port>

Controller

Specify the host and port for the metrics endpoint. The default value is --metrics-listen-address=0.0.0.0:9402.

--issuer-ambient-credentials

Controller

You can use this argument to configure an ACME Issuer to solve DNS-01 challenges by using ambient credentials.

--enable-certificate-owner-ref

Controller

This argument sets the certificate resource as an owner of the secret where the TLS certificate is stored. For more information, see "Deleting a TLS secret automatically upon Certificate removal".

--acme-http01-solver-resource-limits-cpu

Controller

Defines the maximum CPU limit for ACME HTTP‑01 solver pods. The default value is 100m.

--acme-http01-solver-resource-limits-memory

Controller

Defines the maximum memory limit for ACME HTTP‑01 solver pods. The default value is 64Mi.

--acme-http01-solver-resource-request-cpu

Controller

Defines the minimum CPU request for ACME HTTP‑01 solver pods. The default value is 10m.

--acme-http01-solver-resource-request-memory

Controller

Defines the minimum memory request for ACME HTTP‑01 solver pods. The default value is 64Mi.

--v=<verbosity_level>

Controller, Webhook, CA injector

Specify the log level verbosity to determine the verbosity of log messages.

9.5.1.3. Overridable environment variables for the cert-manager controller

You can configure the overridable environment variables for the cert-manager controller in the spec.controllerConfig.overrideEnv field in the CertManager CR.

The following table describes the overridable environment variables for the cert-manager controller:

Expand
Table 9.3. Overridable environment variables for the cert-manager controller
Environment variableDescription

HTTP_PROXY

Proxy server for outgoing HTTP requests.

HTTPS_PROXY

Proxy server for outgoing HTTPS requests.

NO_PROXY

Comma‑separated list of hosts that bypass the proxy.

9.5.1.4. Overridable resource parameters for the cert-manager components

You can configure the CPU and memory limits for the cert-manager components in the spec.controllerConfig, spec.webhookConfig, and spec.cainjectorConfig sections in the CertManager CR.

The following table describes the overridable resource parameters for the cert-manager components:

Expand
Table 9.4. Overridable resource parameters for the cert-manager components
FieldDescription

overrideResources.limits.cpu

Defines the maximum amount of CPU that a component pod can use.

overrideResources.limits.memory

Defines the maximum amount of memory that a component pod can use.

overrideResources.requests.cpu

Defines the minimum amount of CPU requested by the scheduler for a component pod.

overrideResources.requests.memory

Defines the minimum amount of memory requested by the scheduler for a component pod.

9.5.1.5. Overridable scheduling parameters for the cert-manager components

You can configure the pod scheduling constrainsts for the cert-manager components in the spec.controllerConfig, spec.webhookConfig field, and spec.cainjectorConfig sections in the CertManager CR.

The following table describes the pod scheduling parameters for the cert-manager components:

Expand
Table 9.5. Overridable scheduling parameters for the cert-manager components
FieldDescription

overrideScheduling.nodeSelector

Key‑value pairs to constrain pods to specific nodes.

overrideScheduling.tolerations

List of tolerations to schedule pods on tainted nodes.

You can override the supported environment variables for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.

Prerequisites

  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

Procedure

  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
    Copy to Clipboard Toggle word wrap
  2. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
      ...
    spec:
      ...
      controllerConfig:
        overrideEnv:
          - name: HTTP_PROXY
            value: http://<proxy_url> 
    1
    
          - name: HTTPS_PROXY
            value: https://<proxy_url> 
    2
    
          - name: NO_PROXY
            value: <ignore_proxy_domains> 
    3
    Copy to Clipboard Toggle word wrap
    1 2
    Replace <proxy_url> with the proxy server URL.
    3
    Replace <ignore_proxy_domains> with a comma separated list of domains. These domains are ignored by the proxy server.
    Note

    For more information about the overridable environment variables, see "Overridable environment variables for the cert-manager components" in "Explanation of fields in the CertManager custom resource".

  3. Save your changes and quit the text editor to apply your changes.

Verification

  1. Verify that the cert-manager controller pod is redeployed by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          39s
    Copy to Clipboard Toggle word wrap

  2. Verify that environment variables are updated for the cert-manager pod by running the following command:

    $ oc get pod <redeployed_cert-manager_controller_pod> -n cert-manager -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

        env:
        ...
        - name: HTTP_PROXY
          value: http://<PROXY_URL>
        - name: HTTPS_PROXY
          value: https://<PROXY_URL>
        - name: NO_PROXY
          value: <IGNORE_PROXY_DOMAINS>
    Copy to Clipboard Toggle word wrap

You can override the supported arguments for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.

Prerequisites

  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

Procedure

  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
    Copy to Clipboard Toggle word wrap
  2. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
      ...
    spec:
      ...
      controllerConfig:
        overrideArgs:
          - '--dns01-recursive-nameservers=<server_address>' 
    1
    
          - '--dns01-recursive-nameservers-only'
          - '--acme-http01-solver-nameservers=<host>:<port>'
          - '--v=<verbosity_level>'
          - '--metrics-listen-address=<host>:<port>'
          - '--issuer-ambient-credentials'
          - '--acme-http01-solver-resource-limits-cpu=<quantity>'
          - '--acme-http01-solver-resource-limits-memory=<quantity>'
          - '--acme-http01-solver-resource-request-cpu=<quantity>'
          - '--acme-http01-solver-resource-request-memory=<quantity>'
      webhookConfig:
        overrideArgs:
          - '--v=<verbosity_level>'
      cainjectorConfig:
        overrideArgs:
          - '--v=<verbosity_level>'
    Copy to Clipboard Toggle word wrap
    1
    For information about the overridable aruguments, see "Overridable arguments for the cert-manager components" in "Explanation of fields in the CertManager custom resource".
  3. Save your changes and quit the text editor to apply your changes.

Verification

  • Verify that arguments are updated for cert-manager pods by running the following command:

    $ oc get pods -n cert-manager -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    ...
      metadata:
        name: cert-manager-6d4b5d4c97-kldwl
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          - --acme-http01-solver-nameservers=1.1.1.1:53
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --dns01-recursive-nameservers=1.1.1.1:53
          - --dns01-recursive-nameservers-only
          - --leader-election-namespace=kube-system
          - --max-concurrent-challenges=60
          - --metrics-listen-address=0.0.0.0:9042
          - --v=6
    ...
      metadata:
        name: cert-manager-cainjector-866c4fd758-ltxxj
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          - --leader-election-namespace=kube-system
          - --v=2
    ...
      metadata:
        name: cert-manager-webhook-6d48f88495-c88gd
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          ...
          - --v=4
    Copy to Clipboard Toggle word wrap

9.5.4. Deleting a TLS secret automatically upon Certificate removal

You can enable the --enable-certificate-owner-ref flag for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource. The --enable-certificate-owner-ref flag sets the certificate resource as an owner of the secret where the TLS certificate is stored.

Warning

If you uninstall the cert-manager Operator for Red Hat OpenShift or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used.

Prerequisites

  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.
  • You have installed version 1.12.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  1. Check that the Certificate object and its secret are available by running the following command:

    $ oc get certificate
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                             READY   SECRET                                           AGE
    certificate-from-clusterissuer-route53-ambient   True    certificate-from-clusterissuer-route53-ambient   8h
    Copy to Clipboard Toggle word wrap

  2. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
    Copy to Clipboard Toggle word wrap
  3. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
    # ...
    spec:
    # ...
      controllerConfig:
        overrideArgs:
          - '--enable-certificate-owner-ref'
    Copy to Clipboard Toggle word wrap
  4. Save your changes and quit the text editor to apply your changes.

Verification

  • Verify that the --enable-certificate-owner-ref flag is updated for cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    # ...
      metadata:
        name: cert-manager-6e4b4d7d97-zmdnb
        namespace: cert-manager
    # ...
      spec:
        containers:
        - args:
          - --enable-certificate-owner-ref
    Copy to Clipboard Toggle word wrap

9.5.5. Overriding CPU and memory limits for the cert-manager components

After installing the cert-manager Operator for Red Hat OpenShift, you can configure the CPU and memory limits from the cert-manager Operator for Red Hat OpenShift API for the cert-manager components, such as the cert-manager controller, CA injector, and Webhook.

Prerequisites

  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.
  • You have installed version 1.12.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  1. Check that the deployments of the cert-manager controller, CA injector, and Webhook are available by entering the following command:

    $ oc get deployment -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                      READY   UP-TO-DATE   AVAILABLE   AGE
    cert-manager              1/1     1            1           53m
    cert-manager-cainjector   1/1     1            1           53m
    cert-manager-webhook      1/1     1            1           53m
    Copy to Clipboard Toggle word wrap

  2. Before setting the CPU and memory limit, check the existing configuration for the cert-manager controller, CA injector, and Webhook by entering the following command:

    $ oc get deployment -n cert-manager -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    # ...
      metadata:
        name: cert-manager
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-controller
              resources: {} 
    1
    
    # ...
      metadata:
        name: cert-manager-cainjector
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-cainjector
              resources: {} 
    2
    
    # ...
      metadata:
        name: cert-manager-webhook
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-webhook
              resources: {} 
    3
    
    # ...
    Copy to Clipboard Toggle word wrap

    1 2 3
    The spec.resources field is empty by default. The cert-manager components do not have CPU and memory limits.
  3. To configure the CPU and memory limits for the cert-manager controller, CA injector, and Webhook, enter the following command:

    $ oc patch certmanager.operator cluster --type=merge -p="
    spec:
      controllerConfig:
        overrideResources: 
    1
    
          limits:
            cpu: 200m
            memory: 64Mi
          requests:
            cpu: 10m
            memory: 16Mi
      webhookConfig:
        overrideResources:
          limits:
            cpu: 200m
            memory: 64Mi
          requests:
            cpu: 10m
            memory: 16Mi
      cainjectorConfig:
        overrideResources:
          limits:
            cpu: 200m
            memory: 64Mi
          requests:
            cpu: 10m
            memory: 16Mi
    "
    Copy to Clipboard Toggle word wrap
    1
    For information about the overridable resource parameters, see "Overridable resource parameters for the cert-manager components" in "Explanation of fields in the CertManager custom resource".

    Example output

    certmanager.operator.openshift.io/cluster patched
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the CPU and memory limits are updated for the cert-manager components:

    $ oc get deployment -n cert-manager -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    # ...
      metadata:
        name: cert-manager
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-controller
              resources:
                limits:
                  cpu: 200m
                  memory: 64Mi
                requests:
                  cpu: 10m
                  memory: 16Mi
    # ...
      metadata:
        name: cert-manager-cainjector
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-cainjector
              resources:
                limits:
                  cpu: 200m
                  memory: 64Mi
                requests:
                  cpu: 10m
                  memory: 16Mi
    # ...
      metadata:
        name: cert-manager-webhook
        namespace: cert-manager
    # ...
      spec:
        template:
          spec:
            containers:
            - name: cert-manager-webhook
              resources:
                limits:
                  cpu: 200m
                  memory: 64Mi
                requests:
                  cpu: 10m
                  memory: 16Mi
    # ...
    Copy to Clipboard Toggle word wrap

9.5.6. Configuring scheduling overrides for cert-manager components

You can configure the pod scheduling from the cert-manager Operator for Red Hat OpenShift API for the cert-manager Operator for Red Hat OpenShift components, such as the cert-manager controller, CA injector, and Webhook.

Prerequisites

  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.
  • You have installed version 1.15.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  • Update the certmanager.operator custom resource to configure pod scheduling overrides for the desired components by running the following command. Use the overrideScheduling field under the controllerConfig, webhookConfig, or cainjectorConfig sections to define nodeSelector and tolerations settings.

    $ oc patch certmanager.operator cluster --type=merge -p="
    spec:
      controllerConfig:
        overrideScheduling: 
    1
    
          nodeSelector:
            node-role.kubernetes.io/control-plane: ''
          tolerations:
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
      webhookConfig:
        overrideScheduling:
          nodeSelector:
            node-role.kubernetes.io/control-plane: ''
          tolerations:
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule
      cainjectorConfig:
        overrideScheduling:
          nodeSelector:
            node-role.kubernetes.io/control-plane: ''
          tolerations:
            - key: node-role.kubernetes.io/master
              operator: Exists
              effect: NoSchedule"
    "
    Copy to Clipboard Toggle word wrap
    1
    For information about the overridable scheduling parameters, see "Overridable scheduling parameters for the cert-manager components" in "Explanation of fields in the CertManager custom resource".

Verification

  1. Verify pod scheduling settings for cert-manager pods:

    1. Check the deployments in the cert-manager namespace to confirm they have the correct nodeSelector and tolerations by running the following command:

      $ oc get pods -n cert-manager -o wide
      Copy to Clipboard Toggle word wrap

      Example output

      NAME                                       READY   STATUS    RESTARTS   AGE   IP            NODE                         NOMINATED NODE   READINESS GATES
      cert-manager-58d9c69db4-78mzp              1/1     Running   0          10m   10.129.0.36   ip-10-0-1-106.ec2.internal   <none>           <none>
      cert-manager-cainjector-85b6987c66-rhzf7   1/1     Running   0          11m   10.128.0.39   ip-10-0-1-136.ec2.internal   <none>           <none>
      cert-manager-webhook-7f54b4b858-29bsp      1/1     Running   0          11m   10.129.0.35   ip-10-0-1-106.ec2.internal   <none>           <none>
      Copy to Clipboard Toggle word wrap

    2. Check the nodeSelector and tolerations settings applied to deployments by running the following command:

      $ oc get deployments -n cert-manager -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.spec.template.spec.nodeSelector}{"\n"}{.spec.template.spec.tolerations}{"\n\n"}{end}'
      Copy to Clipboard Toggle word wrap

      Example output

      cert-manager
      {"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""}
      [{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]
      
      cert-manager-cainjector
      {"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""}
      [{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]
      
      cert-manager-webhook
      {"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""}
      [{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}]
      Copy to Clipboard Toggle word wrap

  2. Verify pod scheduling events in the cert-manager namespace by running the following command:

    $ oc get events -n cert-manager --field-selector reason=Scheduled
    Copy to Clipboard Toggle word wrap

9.6. Authenticating the cert-manager Operator for Red Hat OpenShift

You can authenticate the cert-manager Operator for Red Hat OpenShift on the cluster by configuring the cloud credentials.

9.6.1. Authenticating on AWS

Prerequisites

  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.
  • You have configured the Cloud Credential Operator to operate in mint or passthrough mode.

Procedure

  1. Create a CredentialsRequest resource YAML file, for example, sample-credential-request.yaml, as follows:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: cert-manager
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: AWSProviderSpec
        statementEntries:
        - action:
          - "route53:GetChange"
          effect: Allow
          resource: "arn:aws:route53:::change/*"
        - action:
          - "route53:ChangeResourceRecordSets"
          - "route53:ListResourceRecordSets"
          effect: Allow
          resource: "arn:aws:route53:::hostedzone/*"
        - action:
          - "route53:ListHostedZonesByName"
          effect: Allow
          resource: "*"
      secretRef:
        name: aws-creds
        namespace: cert-manager
      serviceAccountNames:
      - cert-manager
    Copy to Clipboard Toggle word wrap
  2. Create a CredentialsRequest resource by running the following command:

    $ oc create -f sample-credential-request.yaml
    Copy to Clipboard Toggle word wrap
  3. Update the subscription object for cert-manager Operator for Red Hat OpenShift by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"aws-creds"}]}}}'
    Copy to Clipboard Toggle word wrap

Verification

  1. Get the name of the redeployed cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          15m39s
    Copy to Clipboard Toggle word wrap

  2. Verify that the cert-manager controller pod is updated with AWS credential volumes that are mounted under the path specified in mountPath by running the following command:

    $ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    ...
    spec:
      containers:
      - args:
        ...
        - mountPath: /.aws
          name: cloud-credentials
      ...
      volumes:
      ...
      - name: cloud-credentials
        secret:
          ...
          secretName: aws-creds
    Copy to Clipboard Toggle word wrap

9.6.2. Authenticating with AWS Security Token Service

Prerequisites

  • You have extracted and prepared the ccoctl binary.
  • You have configured an OpenShift Container Platform cluster with AWS STS by using the Cloud Credential Operator in manual mode.

Procedure

  1. Create a directory to store a CredentialsRequest resource YAML file by running the following command:

    $ mkdir credentials-request
    Copy to Clipboard Toggle word wrap
  2. Create a CredentialsRequest resource YAML file under the credentials-request directory, such as, sample-credential-request.yaml, by applying the following yaml:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: cert-manager
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: AWSProviderSpec
        statementEntries:
        - action:
          - "route53:GetChange"
          effect: Allow
          resource: "arn:aws:route53:::change/*"
        - action:
          - "route53:ChangeResourceRecordSets"
          - "route53:ListResourceRecordSets"
          effect: Allow
          resource: "arn:aws:route53:::hostedzone/*"
        - action:
          - "route53:ListHostedZonesByName"
          effect: Allow
          resource: "*"
      secretRef:
        name: aws-creds
        namespace: cert-manager
      serviceAccountNames:
      - cert-manager
    Copy to Clipboard Toggle word wrap
  3. Use the ccoctl tool to process CredentialsRequest objects by running the following command:

    $ ccoctl aws create-iam-roles \
        --name <user_defined_name> --region=<aws_region> \
        --credentials-requests-dir=<path_to_credrequests_dir> \
        --identity-provider-arn <oidc_provider_arn> --output-dir=<path_to_output_dir>
    Copy to Clipboard Toggle word wrap

    Example output

    2023/05/15 18:10:34 Role arn:aws:iam::XXXXXXXXXXXX:role/<user_defined_name>-cert-manager-aws-creds created
    2023/05/15 18:10:34 Saved credentials configuration to: <path_to_output_dir>/manifests/cert-manager-aws-creds-credentials.yaml
    2023/05/15 18:10:35 Updated Role policy for Role <user_defined_name>-cert-manager-aws-creds
    Copy to Clipboard Toggle word wrap

    Copy the <aws_role_arn> from the output to use in the next step. For example, "arn:aws:iam::XXXXXXXXXXXX:role/<user_defined_name>-cert-manager-aws-creds"

  4. Add the eks.amazonaws.com/role-arn="<aws_role_arn>" annotation to the service account by running the following command:

    $ oc -n cert-manager annotate serviceaccount cert-manager eks.amazonaws.com/role-arn="<aws_role_arn>"
    Copy to Clipboard Toggle word wrap
  5. To create a new pod, delete the existing cert-manager controller pod by running the following command:

    $ oc delete pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Copy to Clipboard Toggle word wrap

    The AWS credentials are applied to a new cert-manager controller pod within a minute.

Verification

  1. Get the name of the updated cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          39s
    Copy to Clipboard Toggle word wrap

  2. Verify that AWS credentials are updated by running the following command:

    $ oc set env -n cert-manager po/<cert_manager_controller_pod_name> --list
    Copy to Clipboard Toggle word wrap

    Example output

    # pods/cert-manager-57f9555c54-vbcpg, container cert-manager-controller
    # POD_NAMESPACE from field path metadata.namespace
    AWS_ROLE_ARN=XXXXXXXXXXXX
    AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token
    Copy to Clipboard Toggle word wrap

9.6.3. Authenticating on GCP

Prerequisites

  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.
  • You have configured the Cloud Credential Operator to operate in mint or passthrough mode.

Procedure

  1. Create a CredentialsRequest resource YAML file, such as, sample-credential-request.yaml by applying the following yaml:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: cert-manager
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        predefinedRoles:
        - roles/dns.admin
      secretRef:
        name: gcp-credentials
        namespace: cert-manager
      serviceAccountNames:
      - cert-manager
    Copy to Clipboard Toggle word wrap
    Note

    The dns.admin role provides admin privileges to the service account for managing Google Cloud DNS resources. To ensure that the cert-manager runs with the service account that has the least privilege, you can create a custom role with the following permissions:

    • dns.resourceRecordSets.*
    • dns.changes.*
    • dns.managedZones.list
  2. Create a CredentialsRequest resource by running the following command:

    $ oc create -f sample-credential-request.yaml
    Copy to Clipboard Toggle word wrap
  3. Update the subscription object for cert-manager Operator for Red Hat OpenShift by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}'
    Copy to Clipboard Toggle word wrap

Verification

  1. Get the name of the redeployed cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt               1/1     Running   0          15m39s
    Copy to Clipboard Toggle word wrap

  2. Verify that the cert-manager controller pod is updated with GCP credential volumes that are mounted under the path specified in mountPath by running the following command:

    $ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    spec:
      containers:
      - args:
        ...
        volumeMounts:
        ...
        - mountPath: /.config/gcloud
          name: cloud-credentials
        ....
      volumes:
      ...
      - name: cloud-credentials
        secret:
          ...
          items:
          - key: service_account.json
            path: application_default_credentials.json
          secretName: gcp-credentials
    Copy to Clipboard Toggle word wrap

9.6.4. Authenticating with GCP Workload Identity

Prerequisites

  • You extracted and prepared the ccoctl binary.
  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.
  • You have configured an OpenShift Container Platform cluster with GCP Workload Identity by using the Cloud Credential Operator in a manual mode.

Procedure

  1. Create a directory to store a CredentialsRequest resource YAML file by running the following command:

    $ mkdir credentials-request
    Copy to Clipboard Toggle word wrap
  2. In the credentials-request directory, create a YAML file that contains the following CredentialsRequest manifest:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: cert-manager
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        predefinedRoles:
        - roles/dns.admin
      secretRef:
        name: gcp-credentials
        namespace: cert-manager
      serviceAccountNames:
      - cert-manager
    Copy to Clipboard Toggle word wrap
    Note

    The dns.admin role provides admin privileges to the service account for managing Google Cloud DNS resources. To ensure that the cert-manager runs with the service account that has the least privilege, you can create a custom role with the following permissions:

    • dns.resourceRecordSets.*
    • dns.changes.*
    • dns.managedZones.list
  3. Use the ccoctl tool to process CredentialsRequest objects by running the following command:

    $ ccoctl gcp create-service-accounts \
        --name <user_defined_name> --output-dir=<path_to_output_dir> \
        --credentials-requests-dir=<path_to_credrequests_dir> \
        --workload-identity-pool <workload_identity_pool> \
        --workload-identity-provider <workload_identity_provider> \
        --project <gcp_project_id>
    Copy to Clipboard Toggle word wrap

    Example command

    $ ccoctl gcp create-service-accounts \
        --name abcde-20230525-4bac2781 --output-dir=/home/outputdir \
        --credentials-requests-dir=/home/credentials-requests \
        --workload-identity-pool abcde-20230525-4bac2781 \
        --workload-identity-provider abcde-20230525-4bac2781 \
        --project openshift-gcp-devel
    Copy to Clipboard Toggle word wrap

  4. Apply the secrets generated in the manifests directory of your cluster by running the following command:

    $ ls <path_to_output_dir>/manifests/*-credentials.yaml | xargs -I{} oc apply -f {}
    Copy to Clipboard Toggle word wrap
  5. Update the subscription object for cert-manager Operator for Red Hat OpenShift by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}'
    Copy to Clipboard Toggle word wrap

Verification

  1. Get the name of the redeployed cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          15m39s
    Copy to Clipboard Toggle word wrap

  2. Verify that the cert-manager controller pod is updated with GCP workload identity credential volumes that are mounted under the path specified in mountPath by running the following command:

    $ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    spec:
      containers:
      - args:
        ...
        volumeMounts:
        - mountPath: /var/run/secrets/openshift/serviceaccount
          name: bound-sa-token
          ...
        - mountPath: /.config/gcloud
          name: cloud-credentials
      ...
      volumes:
      - name: bound-sa-token
        projected:
          ...
          sources:
          - serviceAccountToken:
              audience: openshift
              ...
              path: token
      - name: cloud-credentials
        secret:
          ...
          items:
          - key: service_account.json
            path: application_default_credentials.json
          secretName: gcp-credentials
    Copy to Clipboard Toggle word wrap

9.7. Configuring an ACME issuer

The cert-manager Operator for Red Hat OpenShift supports using Automated Certificate Management Environment (ACME) CA servers, such as Let’s Encrypt, to issue certificates. Explicit credentials are configured by specifying the secret details in the Issuer API object. Ambient credentials are extracted from the environment, metadata services, or local files which are not explicitly configured in the Issuer API object.

Note

The Issuer object is namespace scoped. It can only issue certificates from the same namespace. You can also use the ClusterIssuer object to issue certificates across all namespaces in the cluster.

Example YAML file that defines the ClusterIssuer object

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: acme-cluster-issuer
spec:
  acme:
    ...
Copy to Clipboard Toggle word wrap

Note

By default, you can use the ClusterIssuer object with ambient credentials. To use the Issuer object with ambient credentials, you must enable the --issuer-ambient-credentials setting for the cert-manager controller.

9.7.1. About ACME issuers

The ACME issuer type for the cert-manager Operator for Red Hat OpenShift represents an Automated Certificate Management Environment (ACME) certificate authority (CA) server. ACME CA servers rely on a challenge to verify that a client owns the domain names that the certificate is being requested for. If the challenge is successful, the cert-manager Operator for Red Hat OpenShift can issue the certificate. If the challenge fails, the cert-manager Operator for Red Hat OpenShift does not issue the certificate.

Note

Private DNS zones are not supported with Let’s Encrypt and internet ACME servers.

9.7.1.1. Supported ACME challenges types

The cert-manager Operator for Red Hat OpenShift supports the following challenge types for ACME issuers:

HTTP-01

With the HTTP-01 challenge type, you provide a computed key at an HTTP URL endpoint in your domain. If the ACME CA server can get the key from the URL, it can validate you as the owner of the domain.

For more information, see HTTP01 in the upstream cert-manager documentation.

Note

HTTP-01 requires that the Let’s Encrypt servers can access the route of the cluster. If an internal or private cluster is behind a proxy, the HTTP-01 validations for certificate issuance fail.

The HTTP-01 challenge is restricted to port 80. For more information, see HTTP-01 challenge (Let’s Encrypt).

DNS-01

With the DNS-01 challenge type, you provide a computed key at a DNS TXT record. If the ACME CA server can get the key by DNS lookup, it can validate you as the owner of the domain.

For more information, see DNS01 in the upstream cert-manager documentation.

9.7.1.2. Supported DNS-01 providers

The cert-manager Operator for Red Hat OpenShift supports the following DNS-01 providers for ACME issuers:

  • Amazon Route 53
  • Azure DNS

    Note

    The cert-manager Operator for Red Hat OpenShift does not support using Microsoft Entra ID pod identities to assign a managed identity to a pod.

  • Google Cloud DNS
  • Webhook

    Red Hat tests and supports DNS providers using an external webhook with cert-manager on OpenShift Container Platform. The following DNS providers are tested and supported with OpenShift Container Platform:

    Note

    Using a DNS provider that is not listed might work with OpenShift Container Platform, but the provider was not tested by Red Hat and therefore is not supported by Red Hat.

9.7.2. Configuring an ACME issuer to solve HTTP-01 challenges

You can use cert-manager Operator for Red Hat OpenShift to set up an ACME issuer to solve HTTP-01 challenges. This procedure uses Let’s Encrypt as the ACME CA server.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have a service that you want to expose. In this procedure, the service is named sample-workload.

Procedure

  1. Create an ACME cluster issuer.

    1. Create a YAML file that defines the ClusterIssuer object:

      Example acme-cluster-issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: ClusterIssuer
      metadata:
        name: letsencrypt-staging                                        
      1
      
      spec:
        acme:
          preferredChain: ""
          privateKeySecretRef:
            name: <secret_for_private_key>                               
      2
      
          server: https://acme-staging-v02.api.letsencrypt.org/directory 
      3
      
          solvers:
          - http01:
              ingress:
                ingressClassName: openshift-default                                 
      4
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the cluster issuer.
      2
      Replace <secret_private_key> with the name of secret to store the ACME account private key in.
      3
      Specify the URL to access the ACME server’s directory endpoint. This example uses the Let’s Encrypt staging environment.
      4
      Specify the Ingress class.
    2. Optional: If you create the object without specifying ingressClassName, use the following command to patch the existing ingress:

      $ oc patch ingress/<ingress-name> --type=merge --patch '{"spec":{"ingressClassName":"openshift-default"}}' -n <namespace>
      Copy to Clipboard Toggle word wrap
    3. Create the ClusterIssuer object by running the following command:

      $ oc create -f acme-cluster-issuer.yaml
      Copy to Clipboard Toggle word wrap
  2. Create an Ingress to expose the service of the user workload.

    1. Create a YAML file that defines a Namespace object:

      Example namespace.yaml file

      apiVersion: v1
      kind: Namespace
      metadata:
        name: my-ingress-namespace 
      1
      Copy to Clipboard Toggle word wrap

      1
      Specify the namespace for the Ingress.
    2. Create the Namespace object by running the following command:

      $ oc create -f namespace.yaml
      Copy to Clipboard Toggle word wrap
    3. Create a YAML file that defines the Ingress object:

      Example ingress.yaml file

      apiVersion: networking.k8s.io/v1
      kind: Ingress
      metadata:
        name: sample-ingress                                           
      1
      
        namespace: my-ingress-namespace                                
      2
      
        annotations:
          cert-manager.io/cluster-issuer: letsencrypt-staging          
      3
      
      spec:
        ingressClassName: openshift-default                            
      4
      
        tls:
        - hosts:
          - <hostname>                                                 
      5
      
          secretName: sample-tls                                       
      6
      
        rules:
        - host: <hostname>                                             
      7
      
          http:
            paths:
            - path: /
              pathType: Prefix
              backend:
                service:
                  name: sample-workload                                
      8
      
                  port:
                    number: 80
      Copy to Clipboard Toggle word wrap

      1
      Specify the name of the Ingress.
      2
      Specify the namespace that you created for the Ingress.
      3
      Specify the cluster issuer that you created.
      4
      Specify the Ingress class.
      5
      Replace <hostname> with the Subject Alternative Name (SAN) to be associated with the certificate. This name is used to add DNS names to the certificate.
      6
      Specify the secret that stores the certificate.
      7
      Replace <hostname> with the hostname. You can use the <host_name>.<cluster_ingress_domain> syntax to take advantage of the *.<cluster_ingress_domain> wildcard DNS record and serving certificate for the cluster. For example, you might use apps.<cluster_base_domain>. Otherwise, you must ensure that a DNS record exists for the chosen hostname.
      8
      Specify the name of the service to expose. This example uses a service named sample-workload.
    4. Create the Ingress object by running the following command:

      $ oc create -f ingress.yaml
      Copy to Clipboard Toggle word wrap

9.7.3. Configuring an ACME issuer by using explicit credentials for AWS Route53

You can use cert-manager Operator for Red Hat OpenShift to set up an Automated Certificate Management Environment (ACME) issuer to solve DNS-01 challenges by using explicit credentials on AWS. This procedure uses Let’s Encrypt as the ACME certificate authority (CA) server and shows how to solve DNS-01 challenges with Amazon Route 53.

Prerequisites

  • You must provide the explicit accessKeyID and secretAccessKey credentials. For more information, see Route53 in the upstream cert-manager documentation.

    Note

    You can use Amazon Route 53 with explicit credentials in an OpenShift Container Platform cluster that is not running on AWS.

Procedure

  1. Optional: Override the nameserver settings for the DNS-01 self check.

    This step is required only when the target public-hosted zone overlaps with the cluster’s default private-hosted zone.

    1. Edit the CertManager resource by running the following command:

      $ oc edit certmanager cluster
      Copy to Clipboard Toggle word wrap
    2. Add a spec.controllerConfig section with the following override arguments:

      apiVersion: operator.openshift.io/v1alpha1
      kind: CertManager
      metadata:
        name: cluster
        ...
      spec:
        ...
        controllerConfig:                                
      1
      
          overrideArgs:
            - '--dns01-recursive-nameservers-only'       
      2
      
            - '--dns01-recursive-nameservers=1.1.1.1:53' 
      3
      Copy to Clipboard Toggle word wrap
      1
      Add the spec.controllerConfig section.
      2
      Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
      3
      Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. You must use a 1.1.1.1:53 value to avoid the public and private zones overlapping.
    3. Save the file to apply the changes.
  2. Optional: Create a namespace for the issuer:

    $ oc new-project <issuer_namespace>
    Copy to Clipboard Toggle word wrap
  3. Create a secret to store your AWS credentials in by running the following command:

    $ oc create secret generic aws-secret --from-literal=awsSecretAccessKey=<aws_secret_access_key> \ 
    1
    
        -n my-issuer-namespace
    Copy to Clipboard Toggle word wrap
    1
    Replace <aws_secret_access_key> with your AWS secret access key.
  4. Create an issuer:

    1. Create a YAML file that defines the Issuer object:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <letsencrypt_staging>                                        
      1
      
        namespace: <issuer_namespace>                                   
      2
      
      spec:
        acme:
          server: https://acme-staging-v02.api.letsencrypt.org/directory 
      3
      
          email: "<email_address>"                                       
      4
      
          privateKeySecretRef:
            name: <secret_private_key>                                   
      5
      
          solvers:
          - dns01:
              route53:
                accessKeyID: <aws_key_id>                                
      6
      
                hostedZoneID: <hosted_zone_id>                           
      7
      
                region: <region_name>                                    
      8
      
                secretAccessKeySecretRef:
                  name: "aws-secret"                                     
      9
      
                  key: "awsSecretAccessKey"                              
      10
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the issuer.
      2
      Specify the namespace that you created for the issuer.
      3
      Specify the URL to access the ACME server’s directory endpoint. This example uses the Let’s Encrypt staging environment.
      4
      Replace <email_address> with your email address.
      5
      Replace <secret_private_key> with the name of the secret to store the ACME account private key in.
      6
      Replace <aws_key_id> with your AWS key ID.
      7
      Replace <hosted_zone_id> with your hosted zone ID.
      8
      Replace <region_name> with the AWS region name. For example, us-east-1.
      9
      Specify the name of the secret you created.
      10
      Specify the key in the secret you created that stores your AWS secret access key.
    2. Create the Issuer object by running the following command:

      $ oc create -f issuer.yaml
      Copy to Clipboard Toggle word wrap

9.7.4. Configuring an ACME issuer by using ambient credentials on AWS

You can use cert-manager Operator for Red Hat OpenShift to set up an ACME issuer to solve DNS-01 challenges by using ambient credentials on AWS. This procedure uses Let’s Encrypt as the ACME CA server and shows how to solve DNS-01 challenges with Amazon Route 53.

Prerequisites

  • If your cluster is configured to use the AWS Security Token Service (STS), you followed the instructions from the Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift for the AWS Security Token Service cluster section.
  • If your cluster does not use the AWS STS, you followed the instructions from the Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift on AWS section.

Procedure

  1. Optional: Override the nameserver settings for the DNS-01 self check.

    This step is required only when the target public-hosted zone overlaps with the cluster’s default private-hosted zone.

    1. Edit the CertManager resource by running the following command:

      $ oc edit certmanager cluster
      Copy to Clipboard Toggle word wrap
    2. Add a spec.controllerConfig section with the following override arguments:

      apiVersion: operator.openshift.io/v1alpha1
      kind: CertManager
      metadata:
        name: cluster
        ...
      spec:
        ...
        controllerConfig:                                
      1
      
          overrideArgs:
            - '--dns01-recursive-nameservers-only'       
      2
      
            - '--dns01-recursive-nameservers=1.1.1.1:53' 
      3
      Copy to Clipboard Toggle word wrap
      1
      Add the spec.controllerConfig section.
      2
      Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
      3
      Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. You must use a 1.1.1.1:53 value to avoid the public and private zones overlapping.
    3. Save the file to apply the changes.
  2. Optional: Create a namespace for the issuer:

    $ oc new-project <issuer_namespace>
    Copy to Clipboard Toggle word wrap
  3. Modify the CertManager resource to add the --issuer-ambient-credentials argument:

    $ oc patch certmanager/cluster \
      --type=merge \
      -p='{"spec":{"controllerConfig":{"overrideArgs":["--issuer-ambient-credentials"]}}}'
    Copy to Clipboard Toggle word wrap
  4. Create an issuer:

    1. Create a YAML file that defines the Issuer object:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <letsencrypt_staging>                                        
      1
      
        namespace: <issuer_namespace>                                   
      2
      
      spec:
        acme:
          server: https://acme-staging-v02.api.letsencrypt.org/directory 
      3
      
          email: "<email_address>"                                       
      4
      
          privateKeySecretRef:
            name: <secret_private_key>                                   
      5
      
          solvers:
          - dns01:
              route53:
                hostedZoneID: <hosted_zone_id>                           
      6
      
                region: us-east-1
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the issuer.
      2
      Specify the namespace that you created for the issuer.
      3
      Specify the URL to access the ACME server’s directory endpoint. This example uses the Let’s Encrypt staging environment.
      4
      Replace <email_address> with your email address.
      5
      Replace <secret_private_key> with the name of the secret to store the ACME account private key in.
      6
      Replace <hosted_zone_id> with your hosted zone ID.
    2. Create the Issuer object by running the following command:

      $ oc create -f issuer.yaml
      Copy to Clipboard Toggle word wrap

9.7.5. Configuring an ACME issuer by using explicit credentials for GCP Cloud DNS

You can use the cert-manager Operator for Red Hat OpenShift to set up an ACME issuer to solve DNS-01 challenges by using explicit credentials on GCP. This procedure uses Let’s Encrypt as the ACME CA server and shows how to solve DNS-01 challenges with Google CloudDNS.

Prerequisites

  • You have set up Google Cloud service account with a desired role for Google CloudDNS. For more information, see Google CloudDNS in the upstream cert-manager documentation.

    Note

    You can use Google CloudDNS with explicit credentials in an OpenShift Container Platform cluster that is not running on GCP.

Procedure

  1. Optional: Override the nameserver settings for the DNS-01 self check.

    This step is required only when the target public-hosted zone overlaps with the cluster’s default private-hosted zone.

    1. Edit the CertManager resource by running the following command:

      $ oc edit certmanager cluster
      Copy to Clipboard Toggle word wrap
    2. Add a spec.controllerConfig section with the following override arguments:

      apiVersion: operator.openshift.io/v1alpha1
      kind: CertManager
      metadata:
        name: cluster
        ...
      spec:
        ...
        controllerConfig:                                
      1
      
          overrideArgs:
            - '--dns01-recursive-nameservers-only'       
      2
      
            - '--dns01-recursive-nameservers=1.1.1.1:53' 
      3
      Copy to Clipboard Toggle word wrap
      1
      Add the spec.controllerConfig section.
      2
      Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
      3
      Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. You must use a 1.1.1.1:53 value to avoid the public and private zones overlapping.
    3. Save the file to apply the changes.
  2. Optional: Create a namespace for the issuer:

    $ oc new-project my-issuer-namespace
    Copy to Clipboard Toggle word wrap
  3. Create a secret to store your GCP credentials by running the following command:

    $ oc create secret generic clouddns-dns01-solver-svc-acct --from-file=service_account.json=<path/to/gcp_service_account.json> -n my-issuer-namespace
    Copy to Clipboard Toggle word wrap
  4. Create an issuer:

    1. Create a YAML file that defines the Issuer object:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <acme_dns01_clouddns_issuer> 
      1
      
        namespace: <issuer_namespace> 
      2
      
      spec:
        acme:
          preferredChain: ""
          privateKeySecretRef:
            name: <secret_private_key> 
      3
      
          server: https://acme-staging-v02.api.letsencrypt.org/directory 
      4
      
          solvers:
          - dns01:
              cloudDNS:
                project: <project_id> 
      5
      
                serviceAccountSecretRef:
                  name: clouddns-dns01-solver-svc-acct 
      6
      
                  key: service_account.json 
      7
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the issuer.
      2
      Replace <issuer_namespace> with your issuer namespace.
      3
      Replace <secret_private_key> with the name of the secret to store the ACME account private key in.
      4
      Specify the URL to access the ACME server’s directory endpoint. This example uses the Let’s Encrypt staging environment.
      5
      Replace <project_id> with the name of the GCP project that contains the Cloud DNS zone.
      6
      Specify the name of the secret you created.
      7
      Specify the key in the secret you created that stores your GCP secret access key.
    2. Create the Issuer object by running the following command:

      $ oc create -f issuer.yaml
      Copy to Clipboard Toggle word wrap

9.7.6. Configuring an ACME issuer by using ambient credentials on GCP

You can use the cert-manager Operator for Red Hat OpenShift to set up an ACME issuer to solve DNS-01 challenges by using ambient credentials on GCP. This procedure uses Let’s Encrypt as the ACME CA server and shows how to solve DNS-01 challenges with Google CloudDNS.

Prerequisites

  • If your cluster is configured to use GCP Workload Identity, you followed the instructions from the Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift with GCP Workload Identity section.
  • If your cluster does not use GCP Workload Identity, you followed the instructions from the Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift on GCP section.

Procedure

  1. Optional: Override the nameserver settings for the DNS-01 self check.

    This step is required only when the target public-hosted zone overlaps with the cluster’s default private-hosted zone.

    1. Edit the CertManager resource by running the following command:

      $ oc edit certmanager cluster
      Copy to Clipboard Toggle word wrap
    2. Add a spec.controllerConfig section with the following override arguments:

      apiVersion: operator.openshift.io/v1alpha1
      kind: CertManager
      metadata:
        name: cluster
        ...
      spec:
        ...
        controllerConfig:                                
      1
      
          overrideArgs:
            - '--dns01-recursive-nameservers-only'       
      2
      
            - '--dns01-recursive-nameservers=1.1.1.1:53' 
      3
      Copy to Clipboard Toggle word wrap
      1
      Add the spec.controllerConfig section.
      2
      Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
      3
      Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. You must use a 1.1.1.1:53 value to avoid the public and private zones overlapping.
    3. Save the file to apply the changes.
  2. Optional: Create a namespace for the issuer:

    $ oc new-project <issuer_namespace>
    Copy to Clipboard Toggle word wrap
  3. Modify the CertManager resource to add the --issuer-ambient-credentials argument:

    $ oc patch certmanager/cluster \
      --type=merge \
      -p='{"spec":{"controllerConfig":{"overrideArgs":["--issuer-ambient-credentials"]}}}'
    Copy to Clipboard Toggle word wrap
  4. Create an issuer:

    1. Create a YAML file that defines the Issuer object:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <acme_dns01_clouddns_issuer> 
      1
      
        namespace: <issuer_namespace>
      spec:
        acme:
          preferredChain: ""
          privateKeySecretRef:
            name: <secret_private_key> 
      2
      
          server: https://acme-staging-v02.api.letsencrypt.org/directory 
      3
      
          solvers:
          - dns01:
              cloudDNS:
                project: <gcp_project_id> 
      4
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the issuer.
      2
      Replace <secret_private_key> with the name of the secret to store the ACME account private key in.
      3
      Specify the URL to access the ACME server’s directory endpoint. This example uses the Let’s Encrypt staging environment.
      4
      Replace <gcp_project_id> with the name of the GCP project that contains the Cloud DNS zone.
    2. Create the Issuer object by running the following command:

      $ oc create -f issuer.yaml
      Copy to Clipboard Toggle word wrap

You can use cert-manager Operator for Red Hat OpenShift to set up an ACME issuer to solve DNS-01 challenges by using explicit credentials on Microsoft Azure. This procedure uses Let’s Encrypt as the ACME CA server and shows how to solve DNS-01 challenges with Azure DNS.

Prerequisites

  • You have set up a service principal with desired role for Azure DNS. For more information, see Azure DNS in the upstream cert-manager documentation.

    Note

    You can follow this procedure for an OpenShift Container Platform cluster that is not running on Microsoft Azure.

Procedure

  1. Optional: Override the nameserver settings for the DNS-01 self check.

    This step is required only when the target public-hosted zone overlaps with the cluster’s default private-hosted zone.

    1. Edit the CertManager resource by running the following command:

      $ oc edit certmanager cluster
      Copy to Clipboard Toggle word wrap
    2. Add a spec.controllerConfig section with the following override arguments:

      apiVersion: operator.openshift.io/v1alpha1
      kind: CertManager
      metadata:
        name: cluster
        ...
      spec:
        ...
        controllerConfig:                                
      1
      
          overrideArgs:
            - '--dns01-recursive-nameservers-only'       
      2
      
            - '--dns01-recursive-nameservers=1.1.1.1:53' 
      3
      Copy to Clipboard Toggle word wrap
      1
      Add the spec.controllerConfig section.
      2
      Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
      3
      Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. You must use a 1.1.1.1:53 value to avoid the public and private zones overlapping.
    3. Save the file to apply the changes.
  2. Optional: Create a namespace for the issuer:

    $ oc new-project my-issuer-namespace
    Copy to Clipboard Toggle word wrap
  3. Create a secret to store your Azure credentials in by running the following command:

    $ oc create secret generic <secret_name> --from-literal=<azure_secret_access_key_name>=<azure_secret_access_key_value> \ 
    1
     
    2
     
    3
    
        -n my-issuer-namespace
    Copy to Clipboard Toggle word wrap
    1
    Replace <secret_name> with your secret name.
    2
    Replace <azure_secret_access_key_name> with your Azure secret access key name.
    3
    Replace <azure_secret_access_key_value> with your Azure secret key.
  4. Create an issuer:

    1. Create a YAML file that defines the Issuer object:

      Example issuer.yaml file

      apiVersion: cert-manager.io/v1
      kind: Issuer
      metadata:
        name: <acme-dns01-azuredns-issuer>   
      1
      
        namespace: <issuer_namespace>   
      2
      
      spec:
        acme:
          preferredChain: ""
          privateKeySecretRef:
            name: <secret_private_key> 
      3
      
          server: https://acme-staging-v02.api.letsencrypt.org/directory 
      4
      
          solvers:
          - dns01:
              azureDNS:
                clientID: <azure_client_id> 
      5
      
                clientSecretSecretRef:
                  name: <secret_name> 
      6
      
                  key: <azure_secret_access_key_name> 
      7
      
                subscriptionID: <azure_subscription_id> 
      8
      
                tenantID: <azure_tenant_id> 
      9
      
                resourceGroupName: <azure_dns_zone_resource_group> 
      10
      
                hostedZoneName: <azure_dns_zone> 
      11
      
                environment: AzurePublicCloud
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the issuer.
      2
      Replace <issuer_namespace> with your issuer namespace.
      3
      Replace <secret_private_key> with the name of the secret to store the ACME account private key in.
      4
      Specify the URL to access the ACME server’s directory endpoint. This example uses the Let’s Encrypt staging environment.
      5
      Replace <azure_client_id> with your Azure client ID.
      6
      Replace <secret_name> with a name of the client secret.
      7
      Replace <azure_secret_access_key_name> with the client secret key name.
      8
      Replace <azure_subscription_id> with your Azure subscription ID.
      9
      Replace <azure_tenant_id> with your Azure tenant ID.
      10
      Replace <azure_dns_zone_resource_group> with the name of the Azure DNS zone resource group.
      11
      Replace <azure_dns_zone> with the name of Azure DNS zone.
    2. Create the Issuer object by running the following command:

      $ oc create -f issuer.yaml
      Copy to Clipboard Toggle word wrap

9.8. Configuring certificates with an issuer

By using the cert-manager Operator for Red Hat OpenShift, you can manage certificates, handling tasks such as renewal and issuance, for workloads within the cluster, as well as components interacting externally to the cluster.

9.8.1. Creating certificates for user workloads

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have installed the cert-manager Operator for Red Hat OpenShift.

Procedure

  1. Create an issuer. For more information, see "Configuring an issuer" in the "Additional resources" section.
  2. Create a certificate:

    1. Create a YAML file, for example, certificate.yaml, that defines the Certificate object:

      Example certificate.yaml file

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <tls_cert> 
      1
      
        namespace: <issuer_namespace> 
      2
      
      spec:
        isCA: false
        commonName: '<common_name>' 
      3
      
        secretName: <secret_name> 
      4
      
        dnsNames:
        - "<domain_name>" 
      5
      
        issuerRef:
          name: <issuer_name> 
      6
      
          kind: Issuer
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the certificate.
      2
      Specify the namespace of the issuer.
      3
      Specify the common name (CN).
      4
      Specify the name of the secret to create that contains the certificate.
      5
      Specify the domain name.
      6
      Specify the name of the issuer.
    2. Create the Certificate object by running the following command:

      $ oc create -f certificate.yaml
      Copy to Clipboard Toggle word wrap

Verification

  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -w -n <issuer_namespace>
    Copy to Clipboard Toggle word wrap

    Once certificate is in Ready status, workloads on your cluster can start using the generated certificate secret.

9.8.2. Creating certificates for the API server

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have installed version 1.13.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  1. Create an issuer. For more information, see "Configuring an issuer" in the "Additional resources" section.
  2. Create a certificate:

    1. Create a YAML file, for example, certificate.yaml, that defines the Certificate object:

      Example certificate.yaml file

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <tls_cert> 
      1
      
        namespace: openshift-config
      spec:
        isCA: false
        commonName: "api.<cluster_base_domain>" 
      2
      
        secretName: <secret_name> 
      3
      
        dnsNames:
        - "api.<cluster_base_domain>" 
      4
      
        issuerRef:
          name: <issuer_name> 
      5
      
          kind: Issuer
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the certificate.
      2
      Specify the common name (CN).
      3
      Specify the name of the secret to create that contains the certificate.
      4
      Specify the DNS name of the API server.
      5
      Specify the name of the issuer.
    2. Create the Certificate object by running the following command:

      $ oc create -f certificate.yaml
      Copy to Clipboard Toggle word wrap
  3. Add the API server named certificate. For more information, see "Adding an API server named certificate" section in the "Additional resources" section.
Note

To ensure the certificates are updated, run the oc login command again after the certificate is created.

Verification

  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -w -n openshift-config
    Copy to Clipboard Toggle word wrap

    Once certificate is in Ready status, API server on your cluster can start using the generated certificate secret.

9.8.3. Creating certificates for the Ingress Controller

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have installed version 1.13.0 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  1. Create an issuer. For more information, see "Configuring an issuer" in the "Additional resources" section.
  2. Create a certificate:

    1. Create a YAML file, for example, certificate.yaml, that defines the Certificate object:

      Example certificate.yaml file

      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: <tls_cert> 
      1
      
        namespace: openshift-ingress
      spec:
        isCA: false
        commonName: "apps.<cluster_base_domain>" 
      2
      
        secretName: <secret_name> 
      3
      
        dnsNames:
        - "apps.<cluster_base_domain>" 
      4
      
        - "*.apps.<cluster_base_domain>" 
      5
      
        issuerRef:
          name: <issuer_name> 
      6
      
          kind: Issuer
      Copy to Clipboard Toggle word wrap

      1
      Provide a name for the certificate.
      2
      Specify the common name (CN).
      3
      Specify the name of the secret to create that contains the certificate.
      4 5
      Specify the DNS name of the ingress.
      6
      Specify the name of the issuer.
    2. Create the Certificate object by running the following command:

      $ oc create -f certificate.yaml
      Copy to Clipboard Toggle word wrap
  3. Replace the default ingress certificate. For more information, see "Replacing the default ingress certificate" section in the "Additional resources" section.

Verification

  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -w -n openshift-ingress
    Copy to Clipboard Toggle word wrap

    Once certificate is in Ready status, Ingress Controller on your cluster can start using the generated certificate secret.

9.9. Securing routes with the cert-manager Operator for Red Hat OpenShift

In the OpenShift Container Platform, the route API is extended to provide a configurable option to reference TLS certificates via secrets. With externally managed certificates enabled, you can minimize errors from manual intervention, streamline the certificate management process, and enable the OpenShift Container Platform router to promptly serve the referenced certificate.

Important

Securing routes with the cert-manager Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

9.9.1. Configuring certificates to secure routes in your cluster

The following steps demonstrate the process of utilizing the cert-manager Operator for Red Hat OpenShift with the Let’s Encrypt ACME HTTP-01 challenge type to secure the route resources in your OpenShift Container Platform cluster.

Prerequisites

  • You have installed version 1.14.0 or later of the cert-manager Operator for Red Hat OpenShift.
  • You have enabled the RouteExternalCertificate feature gate.
  • You have create permission on the routes/custom-host sub-resource, which is used for both creating and updating routes.
  • You have a Service resource that you want to expose.

Procedure

  1. Create an Issuer to configure the HTTP-01 solver by running the following command. For other ACME issuer types, see "Configuring ACME an issuer".

    Example Issuer.yaml file

    $ oc create -f - << EOF
    apiVersion: cert-manager.io/v1
    kind: Issuer
    metadata:
      name: letsencrypt-acme
      namespace: <namespace> 
    1
    
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        privateKeySecretRef:
          name: letsencrypt-acme-account-key
        solvers:
          - http01:
              ingress:
                ingressClassName: openshift-default
    EOF
    Copy to Clipboard Toggle word wrap

    1
    Specify the namespace where the Issuer is located. It should be the same as your route’s namespace.
  2. Create a Certificate object for the route by running the following command. The secretName specifies the TLS secret that is going to be issued and managed by cert-manager and will also be referenced in your route in the following steps.

    $ oc create -f - << EOF
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: example-route-cert
      namespace: <namespace> 
    1
    
    spec:
      commonName: <hostname> 
    2
    
      dnsNames:
        - <hostname> 
    3
    
      usages:
        - server auth
      issuerRef:
        kind: Issuer
        name: letsencrypt-acme
      secretName: <secret_name> 
    4
    
    EOF
    Copy to Clipboard Toggle word wrap
    1
    Specify the namespace where the Certificate resource is located. It should be the same as your route’s namespace.
    2
    Specify the certificate’s common name using the hostname of the route.
    3
    Add the hostname of your route to the certificate’s DNS names.
    4
    Specify the name of the secret that contains the certificate.
  3. Create a Role to provide the router service account permissions to read the referenced secret by using the following command:

    $ oc create role secret-reader \
      --verb=get,list,watch \
      --resource=secrets \
      --resource-name=<secret_name> \ 
    1
    
      --namespace=<namespace> 
    2
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the secret that you want to grant access to. It should be consistent with your secretName specified in the Certificate resource.
    2
    Specify the namespace where both your secret and route are located.
  4. Create a RoleBinding resource to bind the router service account with the newly created Role resource by using the following command:

    $ oc create rolebinding secret-reader-binding \
      --role=secret-reader \
      --serviceaccount=openshift-ingress:router \
      --namespace=<namespace> 
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the namespace where both your secret and route are located.
  5. Create a route for your service resource, that uses edge TLS termination and a custom hostname, by running the following command. The hostname is used when creating a Certificate resource in the next step.

    $ oc create route edge <route_name> \ 
    1
    
      --service=<service_name> \ 
    2
    
      --hostname=<hostname> \ 
    3
    
      --namespace=<namespace> 
    4
    Copy to Clipboard Toggle word wrap
    1
    Specify your route’s name.
    2
    Specify the service you want to expose.
    3
    Specify the hostname of your route.
    4
    Specify the namespace where your route is located.
  6. Update your route’s .spec.tls.externalCertificate field to reference the previously created secret and use the certificate issued by cert-manager by using the following command:

    $ oc patch route <route_name> \ 
    1
    
      -n <namespace> \ 
    2
    
      --type=merge \
      -p '{"spec":{"tls":{"externalCertificate":{"name":"<secret_name>"}}}}' 
    3
    Copy to Clipboard Toggle word wrap
    1
    Specify the route name.
    2
    Specify the namespace where both your secret and route are located.
    3
    Specify the name of the secret that contains the certificate.

Verification

  • Verify that the certificate is created and ready to use by running the following command:

    $ oc get certificate -n <namespace> 
    1
    
    $ oc get secret -n <namespace> 
    2
    Copy to Clipboard Toggle word wrap
    1 2
    Specify the namespace where both your secret and route reside.
  • Verify that the router is using the referenced external certificate by running the following command. The command should return with the status code 200 OK.

    $ curl -IsS https://<hostname> 
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the hostname of your route.
  • Verify the server certificate’s subject, subjectAltName and issuer are all as expected from the curl verbose outputs by running the following command:

    $ curl -v https://<hostname> 
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the hostname of your route.

    The route is now successfully secured by the certificate from the referenced secret issued by cert-manager. cert-manager will automatically manage the certificate’s lifecycle.

9.10. Integrating the cert-manager Operator for Red Hat OpenShift with Istio-CSR

Important

Istio-CSR integration for cert-manager Operator for Red Hat OpenShift is a Technology Preview feature only. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend using them in production. These features provide early access to upcoming product features, enabling customers to test functionality and provide feedback during the development process.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

The cert-manager Operator for Red Hat OpenShift provides enhanced support for securing workloads and control plane components in Red Hat OpenShift Service Mesh or Istio. This includes support for certificates enabling mutual TLS (mTLS), which are signed, delivered, and renewed using cert-manager issuers. You can secure Istio workloads and control plane components by using the cert-manager Operator for Red Hat OpenShift managed Istio-CSR agent.

With this Istio-CSR integration, Istio can now obtain certificates from the cert-manager Operator for Red Hat OpenShift, simplifying security and certificate management.

9.10.1.1. Enabling the Istio-CSR feature

Use this procedure to enable the Istio-CSR feature in cert-manager Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  • Update the deployment for the cert-manager Operator for Red Hat OpenShift to use the config map by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"UNSUPPORTED_ADDON_FEATURES","value":"IstioCSR=true"}]}}}'
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the deployments have finished rolling out by running the following command:

    $ oc rollout status deployment/cert-manager-operator-controller-manager -n cert-manager-operator
    Copy to Clipboard Toggle word wrap

    Example output

    deployment "cert-manager-operator-controller-manager" successfully rolled out
    Copy to Clipboard Toggle word wrap

9.10.1.2. Creating a root CA issuer for the Istio-CSR agent

Use this procedure to create the root CA issuer for Istio-CSR agent.

Note

Other supported issuers can be used, except for the ACME issuer, which is not supported. For more information, see "cert-manager Operator for Red Hat OpenShift issuer providers".

Procedure

  1. Create a YAML file that defines the Issuer and Certificate objects:

    Example issuer.yaml file

    apiVersion: cert-manager.io/v1
    kind: Issuer 
    1
    
    metadata:
      name: selfsigned
      namespace: <istio_project_name> 
    2
    
    spec:
      selfSigned: {}
    ---
    apiVersion: cert-manager.io/v1
    kind: Certificate
    metadata:
      name: istio-ca
      namespace: <istio_project_name>
    spec:
      isCA: true
      duration: 87600h # 10 years
      secretName: istio-ca
      commonName: istio-ca
      privateKey:
        algorithm: ECDSA
        size: 256
      subject:
        organizations:
          - cluster.local
          - cert-manager
      issuerRef:
        name: selfsigned
        kind: Issuer 
    3
    
        group: cert-manager.io
    ---
    apiVersion: cert-manager.io/v1
    kind: Issuer 
    4
    
    metadata:
      name: istio-ca
      namespace: <istio_project_name> 
    5
    
    spec:
      ca:
        secretName: istio-ca
    Copy to Clipboard Toggle word wrap

    1 3 4
    Specify the Issuer or ClusterIssuer.
    2 5
    Specify the name of the Istio project.

Verification

  • Verify that the Issuer is created and ready to use by running the following command:

    $ oc get issuer istio-ca -n <istio_project_name>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME       READY   AGE
    istio-ca   True    3m
    Copy to Clipboard Toggle word wrap

9.10.1.3. Creating the IstioCSR custom resource

Use this procedure to install the Istio-CSR agent through cert-manager Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have enabled the Istio-CSR feature.
  • You have created the Issuer or ClusterIssuer resources required for generating certificates for the Istio-CSR agent.

    Note

    If you are using Issuer resource, create the Issuer and Certificate resources in the Red Hat OpenShift Service Mesh or Istiod namespace. Certificate requests are generated in the same namespace, and role-based access control (RBAC) is configured accordingly.

Procedure

  1. Create a new project for installing Istio-CSR by running the following command. If you have an existing project for installing Istio-CSR, skip this step.

    $ oc new-project <istio_csr_project_name>
    Copy to Clipboard Toggle word wrap
  2. Create the IstioCSR custom resource to enable Istio-CSR agent managed by the cert-manager Operator for Red Hat OpenShift for processing Istio workload and control plane certificate signing requests.

    Note

    Only one IstioCSR custom resource (CR) is supported at a time. If multiple IstioCSR CRs are created, only one will be active. Use the status sub-resource of IstioCSR to check if a resource is unprocessed.

    • If multiple IstioCSR CRs are created simultaneously, none will be processed.
    • If multiple IstioCSR CRs are created sequentially, only the first one will be processed.
    • To prevent new requests from being rejected, delete any unprocessed IstioCSR CRs.
    • The Operator does not automatically remove objects created for IstioCSR. If an active IstioCSR resource is deleted and a new one is created in a different namespace without removing the previous deployments, multiple istio-csr deployments may remain active. This behavior is not recommended and is not supported.
    1. Create a YAML file that defines the IstioCSR object:

      Example IstioCSR CR

      apiVersion: operator.openshift.io/v1alpha1
      kind: IstioCSR
      metadata:
        name: default
        namespace: <istio_csr_project_name>
      spec:
        istioCSRConfig:
          certManager:
            issuerRef:
              name: istio-ca  
      1
      
              kind: Issuer 
      2
      
              group: cert-manager.io
          istiodTLSConfig:
            trustDomain: cluster.local
          istio:
            namespace: <istio_project_name>
      Copy to Clipboard Toggle word wrap

      1
      Specify the Issuer or ClusterIssuer name. It should be the same name as the CA issuer defined in the issuer.yaml file.
      2
      Specify the Issuer or ClusterIssuer kind. It should be the same kind as the CA issuer defined in the issuer.yaml file.
    2. Create the IstioCSR custom resource by running the following command:

      $ oc create -f IstioCSR.yaml
      Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the Istio-CSR deployment is ready by running the following command:

    $ oc get deployment -n <istio_csr_project_name>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                     READY   UP-TO-DATE   AVAILABLE   AGE
    cert-manager-istio-csr   1/1     1            1           24s
    Copy to Clipboard Toggle word wrap

  2. Verify that the Istio-CSR pods are running by running the following command:

    $ oc get pod -n <istio_csr_project_name>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                  	 READY   STATUS	  RESTARTS    AGE
    cert-manager-istio-csr-5c979f9b7c-bv57w  1/1     Running  0           45s
    Copy to Clipboard Toggle word wrap

    • Verify that the Istio-CSR pod is not reporting any errors in the logs by running the following command:

      $ oc -n <istio_csr_project_name> logs <istio_csr_pod_name>
      Copy to Clipboard Toggle word wrap
    • Verify that the cert-manager Operator for Red Hat OpenShift pod is not reporting any errors by running the following command:

      $ oc -n cert-manager-operator logs <cert_manager_operator_pod_name>
      Copy to Clipboard Toggle word wrap

Use this procedure to uninstall the Istio-CSR agent managed by cert-manager Operator for Red Hat OpenShift.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have enabled the Istio-CSR feature.
  • You have created the IstioCSR custom resource.

Procedure

  1. Remove the IstioCSR custom resource by running the following command:

    $ oc -n <istio_csr_project_name> delete istiocsrs.operator.openshift.io default
    Copy to Clipboard Toggle word wrap
  2. Remove related resources:

    Important

    To avoid disrupting any Red Hat OpenShift Service Mesh or Istio components, ensure that no component is referencing the Istio-CSR service or the certificates issued for Istio before removing the following resources.

    1. List the cluster scoped-resources by running the following command and save the names of the listed resources for later reference:

      $ oc get clusterrolebindings,clusterroles -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr"
      Copy to Clipboard Toggle word wrap
    2. List the resources in Istio-csr deployed namespace by running the following command and save the names of the listed resources for later reference:

      $ oc get certificate,deployments,services,serviceaccounts -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" -n <istio_csr_project_name>
      Copy to Clipboard Toggle word wrap
    3. List the resources in Red Hat OpenShift Service Mesh or Istio deployed namespaces by running the following command and save the names of the listed resources for later reference:

      $ oc get roles,rolebindings -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" -n <istio_csr_project_name>
      Copy to Clipboard Toggle word wrap
    4. For each resource listed in previous steps, delete the resource by running the following command:

      $ oc -n <istio_csr_project_name> delete <resource_type>/<resource_name>
      Copy to Clipboard Toggle word wrap

      Repeat this process until all of the related resources have been deleted.

When the Istio-CSR TechPreview feature gate is enabled, the Operator cannot be upgraded. To use to the next available version, you must uninstall the cert-manager Operator for Red Hat OpenShift and remove all Istio-CSR resources before reinstalling it.

9.11. Monitoring cert-manager Operator for Red Hat OpenShift

By default, the cert-manager Operator for Red Hat OpenShift exposes metrics for the three core components: controller, cainjector, and webhook. You can configure OpenShift Monitoring to collect these metrics by using the Prometheus Operator format.

9.11.1. Enabling user workload monitoring

You can enable monitoring for user-defined projects by configuring user workload monitoring in the cluster. For more information, see "Setting up metrics collection for user-defined projects".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.

Procedure

  1. Create the cluster-monitoring-config.yaml YAML file:

    apiVersion: v1
    kind: ConfigMap
    metadata:
      name: cluster-monitoring-config
      namespace: openshift-monitoring
    data:
      config.yaml: |
        enableUserWorkload: true
    Copy to Clipboard Toggle word wrap
  2. Apply the ConfigMap by running the following command:

    $ oc apply -f cluster-monitoring-config.yaml
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the monitoring components for user workloads are running in the openshift-user-workload-monitoring namespace by running the following command:

    $ oc -n openshift-user-workload-monitoring get pod
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                   READY   STATUS    RESTARTS   AGE
    prometheus-operator-6cb6bd9588-dtzxq   2/2     Running   0          50s
    prometheus-user-workload-0             6/6     Running   0          48s
    prometheus-user-workload-1             6/6     Running   0          48s
    thanos-ruler-user-workload-0           4/4     Running   0          42s
    thanos-ruler-user-workload-1           4/4     Running   0          42s
    Copy to Clipboard Toggle word wrap

    The status of the pods such as prometheus-operator, prometheus-user-workload, and thanos-ruler-user-workload must be Running.

The cert-manager Operator for Red Hat OpenShift operands exposes metrics by default on port 9402 at the /metrics service endpoint. You can configure metrics collection for the cert-manager operands by creating a ServiceMonitor custom resource (CR) that enables Prometheus Operator to collect custom metrics. For more information, see "Configuring user workload monitoring".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the cert-manager Operator for Red Hat OpenShift.
  • You have enabled the user workload monitoring.

Procedure

  1. Create the ServiceMonitor CR:

    1. Create the YAML file that defines the ServiceMonitor CR:

      Example servicemonitor-cert-manager.yaml file

      apiVersion: monitoring.coreos.com/v1
      kind: ServiceMonitor
      metadata:
        labels:
          app: cert-manager
          app.kubernetes.io/instance: cert-manager
          app.kubernetes.io/name: cert-manager
        name: cert-manager
        namespace: cert-manager
      spec:
        endpoints:
          - honorLabels: false
            interval: 60s
            path: /metrics
            scrapeTimeout: 30s
            targetPort: 9402
        selector:
          matchExpressions:
            - key: app.kubernetes.io/name
              operator: In
              values:
                - cainjector
                - cert-manager
                - webhook
            - key: app.kubernetes.io/instance
              operator: In
              values:
                - cert-manager
            - key: app.kubernetes.io/component
              operator: In
              values:
                - cainjector
                - controller
                - webhook
      Copy to Clipboard Toggle word wrap

    2. Create the ServiceMonitor CR by running the following command:

      $ oc apply -f servicemonitor-cert-manager.yaml
      Copy to Clipboard Toggle word wrap

      After the ServiceMonitor CR is created, the user workload Prometheus instance begins metrics collection from the cert-manager Operator for Red Hat OpenShift operands. The collected metrics are labeled with job="cert-manager",job="cert-manager-cainjector", and job="cert-manager-webhook".

Verification

  1. In the OpenShift Container Platform web console, navigate to Observe Targets.
  2. In the Label filter field, enter the following labels to filter the metrics targets for each operand:

    $ service=cert-manager
    Copy to Clipboard Toggle word wrap
    $ service=cert-manager-webhook
    Copy to Clipboard Toggle word wrap
    $ service=cert-manager-cainjector
    Copy to Clipboard Toggle word wrap
  3. Confirm that the Status column shows Up for the cert-manager, cert-manager-webhook, and cert-manager-cainjector entries.

As a cluster administrator, or as a user with view access to all namespaces, you can query cert-manager Operator for Red Hat OpenShift operands metrics by using the OpenShift Container Platform web console or the command-line interface (CLI). For more information, see "Accessing metrics".

Prerequisites

  • You have access to the cluster as a user with the cluster-admin role.
  • You have installed the cert-manager Operator for Red Hat OpenShift.
  • You have enabled monitoring and metrics collection by creating ServiceMonitor object.

Procedure

  1. In the OpenShift Container Platform web console, navigate to Observe Metrics.
  2. In the query field, enter the following PromQL expressions to query the cert-manager Operator for Red Hat OpenShift operands metric for each operand:

    {job="cert-manager"}
    Copy to Clipboard Toggle word wrap
    {job="cert-manager-webhook"}
    Copy to Clipboard Toggle word wrap
    {job="cert-manager-cainjector"}
    Copy to Clipboard Toggle word wrap

To troubleshoot issues with the cert-manager components and the cert-manager Operator for Red Hat OpenShift, you can configure the log level verbosity.

Note

To use different log levels for different cert-manager components, see Customizing cert-manager Operator API fields.

9.12.1. Setting a log level for cert-manager

You can set a log level for cert-manager to determine the verbosity of log messages.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager.operator cluster
    Copy to Clipboard Toggle word wrap
  2. Set the log level value by editing the spec.logLevel section:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    ...
    spec:
      logLevel: <log_level> 
    1
    Copy to Clipboard Toggle word wrap
    1
    The valid log level values for the CertManager resource are Normal, Debug, Trace, and TraceAll. To audit logs and perform common operations when there are no issues, set logLevel to Normal . To troubleshoot a minor issue by viewing verbose logs, set logLevel to Debug . To troubleshoot a major issue by viewing more verbose logs, you can set logLevel to Trace. To troubleshoot serious issues, set logLevel to TraceAll. The default logLevel is Normal.
    Note

    TraceAll generates huge amount of logs. After setting logLevel to TraceAll, you might experience performance issues.

  3. Save your changes and quit the text editor to apply your changes.

    After applying the changes, the verbosity level for the cert-manager components controller, CA injector, and webhook is updated.

9.12.2. Setting a log level for the cert-manager Operator for Red Hat OpenShift

You can set a log level for the cert-manager Operator for Red Hat OpenShift to determine the verbosity of the operator log messages.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.

Procedure

  • Update the subscription object for cert-manager Operator for Red Hat OpenShift to provide the verbosity level for the operator logs by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"v"}]}}}' 
    1
    Copy to Clipboard Toggle word wrap
    1
    Replace v with the desired log level number. The valid values for v can range from 1`to `10. The default value is 2.

Verification

  1. The cert-manager Operator pod is redeployed. Verify that the log level of the cert-manager Operator for Red Hat OpenShift is updated by running the following command:

    $ oc set env deploy/cert-manager-operator-controller-manager -n cert-manager-operator --list | grep -e OPERATOR_LOG_LEVEL -e container
    Copy to Clipboard Toggle word wrap

    Example output

    # deployments/cert-manager-operator-controller-manager, container kube-rbac-proxy
    OPERATOR_LOG_LEVEL=9
    # deployments/cert-manager-operator-controller-manager, container cert-manager-operator
    OPERATOR_LOG_LEVEL=9
    Copy to Clipboard Toggle word wrap

  2. Verify that the log level of the cert-manager Operator for Red Hat OpenShift is updated by running the oc logs command:

    $ oc logs deploy/cert-manager-operator-controller-manager -n cert-manager-operator
    Copy to Clipboard Toggle word wrap

9.13. Uninstalling the cert-manager Operator for Red Hat OpenShift

You can remove the cert-manager Operator for Red Hat OpenShift from OpenShift Container Platform by uninstalling the Operator and removing its related resources.

9.13.1. Uninstalling the cert-manager Operator for Red Hat OpenShift

You can uninstall the cert-manager Operator for Red Hat OpenShift by using the web console.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.
  • The cert-manager Operator for Red Hat OpenShift is installed.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Uninstall the cert-manager Operator for Red Hat OpenShift Operator.

    1. Navigate to Operators Installed Operators.
    2. Click the Options menu kebab next to the cert-manager Operator for Red Hat OpenShift entry and click Uninstall Operator.
    3. In the confirmation dialog, click Uninstall.

9.13.2. Removing cert-manager Operator for Red Hat OpenShift resources

Once you have uninstalled the cert-manager Operator for Red Hat OpenShift, you have the option to eliminate its associated resources from your cluster.

Prerequisites

  • You have access to the cluster with cluster-admin privileges.
  • You have access to the OpenShift Container Platform web console.

Procedure

  1. Log in to the OpenShift Container Platform web console.
  2. Remove the deployments of the cert-manager components, such as cert-manager, cainjector, and webhook, present in the cert-manager namespace.

    1. Click the Project drop-down menu to see a list of all available projects, and select the cert-manager project.
    2. Navigate to Workloads Deployments.
    3. Select the deployment that you want to delete.
    4. Click the Actions drop-down menu, and select Delete Deployment to see a confirmation dialog box.
    5. Click Delete to delete the deployment.
    6. Alternatively, delete deployments of the cert-manager components such as cert-manager, cainjector and webhook present in the cert-manager namespace by using the command-line interface (CLI).

      $ oc delete deployment -n cert-manager -l app.kubernetes.io/instance=cert-manager
      Copy to Clipboard Toggle word wrap
  3. Optional: Remove the custom resource definitions (CRDs) that were installed by the cert-manager Operator for Red Hat OpenShift:

    1. Navigate to Administration CustomResourceDefinitions.
    2. Enter certmanager in the Name field to filter the CRDs.
    3. Click the Options menu kebab next to each of the following CRDs, and select Delete Custom Resource Definition:

      • Certificate
      • CertificateRequest
      • CertManager (operator.openshift.io)
      • Challenge
      • ClusterIssuer
      • Issuer
      • Order
  4. Optional: Remove the cert-manager-operator namespace.

    1. Navigate to Administration Namespaces.
    2. Click the Options menu kebab next to the cert-manager-operator and select Delete Namespace.
    3. In the confirmation dialog, enter cert-manager-operator in the field and click Delete.
Voltar ao topo
Red Hat logoGithubredditYoutubeTwitter

Aprender

Experimente, compre e venda

Comunidades

Sobre a documentação da Red Hat

Ajudamos os usuários da Red Hat a inovar e atingir seus objetivos com nossos produtos e serviços com conteúdo em que podem confiar. Explore nossas atualizações recentes.

Tornando o open source mais inclusivo

A Red Hat está comprometida em substituir a linguagem problemática em nosso código, documentação e propriedades da web. Para mais detalhes veja o Blog da Red Hat.

Sobre a Red Hat

Fornecemos soluções robustas que facilitam o trabalho das empresas em plataformas e ambientes, desde o data center principal até a borda da rede.

Theme

© 2025 Red Hat