9.4. 为 Red Hat OpenShift 配置 cert-manager Operator 的出口代理

流程

1. 运行以下命令，在 cert-manager 命名空间中创建配置映射：

   $ oc create configmap trusted-ca -n cert-manager

2. 运行以下命令，将 OpenShift Container Platform 信任的 CA 捆绑包注入配置映射中：

   $ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n cert-manager

3. 运行以下命令，为 Red Hat OpenShift 更新 cert-manager Operator 的部署以使用配置映射：

   $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}}'

验证

1. 运行以下命令验证部署是否已推出：

   $ oc rollout status deployment/cert-manager-operator-controller-manager -n cert-manager-operator && \
   oc rollout status deployment/cert-manager -n cert-manager && \
   oc rollout status deployment/cert-manager-webhook -n cert-manager && \
   oc rollout status deployment/cert-manager-cainjector -n cert-manager

   输出示例

   deployment "cert-manager-operator-controller-manager" successfully rolled out
   deployment "cert-manager" successfully rolled out
   deployment "cert-manager-webhook" successfully rolled out
   deployment "cert-manager-cainjector" successfully rolled out

2. 运行以下命令，验证 CA 捆绑包是否已挂载为卷：

   $ oc get deployment cert-manager -n cert-manager -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'}

   输出示例

   [{"mountPath":"/etc/pki/tls/certs/cert-manager-tls-ca-bundle.crt","name":"trusted-ca","subPath":"ca-bundle.crt"}]

3. 运行以下命令，验证 CA 捆绑包的来源是否为 trusted-ca 配置映射：

   $ oc get deployment cert-manager -n cert-manager -o=jsonpath={.spec.template.spec.volumes}

   输出示例

   [{"configMap":{"defaultMode":420,"name":"trusted-ca"},"name":"trusted-ca"}]