From 05cf3cdcd6db15d94690cddf6207fba14c04b717 Mon Sep 17 00:00:00 2001 From: subhtk Date: Fri, 17 Jan 2025 17:35:59 +0530 Subject: [PATCH] Added a new section about override scheduling feature for cert-manager --- modules/cert-manager-override-scheduling.adoc | 105 ++++++++++++++++++ .../cert-manager-customizing-api-fields.adoc | 2 + 2 files changed, 107 insertions(+) create mode 100644 modules/cert-manager-override-scheduling.adoc diff --git a/modules/cert-manager-override-scheduling.adoc b/modules/cert-manager-override-scheduling.adoc new file mode 100644 index 0000000000..7aea5c1332 --- /dev/null +++ b/modules/cert-manager-override-scheduling.adoc @@ -0,0 +1,105 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc + +:_mod-docs-content-type: PROCEDURE +[id="cert-manager-override-scheduling_{context}"] += Configuring scheduling overrides for cert-manager components + +You can configure the pod scheduling from the {cert-manager-operator} API for the {cert-manager-operator} components such as cert-manager controller, CA injector, and Webhook. + +.Prerequisites + +* You have access to the {product-title} cluster as a user with the `cluster-admin` role. +* You have installed version 1.15.0 or later of the {cert-manager-operator}. + +.Procedure + +* Update the `certmanager.operator` custom resource to configure pod scheduling overrides for the desired components by running the following command. Use the `overrideScheduling` field under the `controllerConfig`, `webhookConfig`, or `cainjectorConfig` sections to define `nodeSelector` and `tolerations` settings. ++ +[source,terminal] +---- +$ oc patch certmanager.operator cluster --type=merge -p=" +spec: + controllerConfig: + overrideScheduling: + nodeSelector: + node-role.kubernetes.io/control-plane: '' <1> + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule <2> + webhookConfig: + overrideScheduling: + nodeSelector: + node-role.kubernetes.io/control-plane: '' <3> + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule <4> + cainjectorConfig: + overrideScheduling: + nodeSelector: + node-role.kubernetes.io/control-plane: '' <5> + tolerations: + - key: node-role.kubernetes.io/master + operator: Exists + effect: NoSchedule" <6> +---- +<1> Defines the `nodeSelector` for the cert-manager controller deployment. +<2> Defines the `tolerations` for the cert-manager controller deployment. +<3> Defines the `nodeSelector` for the cert-manager webhook deployment. +<4> Defines the `tolerations` for the cert-manager webhook deployment. +<5> Defines the `nodeSelector` for the cert-manager cainjector deployment. +<6> Defines the `tolerations` for the cert-manager cainjector deployment. + + +.Verification + +. Verify pod scheduling settings for `cert-manager` pods: + +.. Check the deployments in the `cert-manager` namespace to confirm they have the correct `nodeSelector` and `tolerations` by running the following command: ++ +[source,terminal] +---- +$ oc get pods -n cert-manager -o wide +---- ++ +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE IP NODE NOMINATED NODE READINESS GATES +cert-manager-58d9c69db4-78mzp 1/1 Running 0 10m 10.129.0.36 ip-10-0-1-106.ec2.internal +cert-manager-cainjector-85b6987c66-rhzf7 1/1 Running 0 11m 10.128.0.39 ip-10-0-1-136.ec2.internal +cert-manager-webhook-7f54b4b858-29bsp 1/1 Running 0 11m 10.129.0.35 ip-10-0-1-106.ec2.internal +---- + +.. Check the `nodeSelector` and `tolerations` settings applied to deployments by running the following command: ++ +[source,terminal] +---- +$ oc get deployments -n cert-manager -o jsonpath='{range .items[*]}{.metadata.name}{"\n"}{.spec.template.spec.nodeSelector}{"\n"}{.spec.template.spec.tolerations}{"\n\n"}{end}' +---- ++ +.Example output +[source,terminal] +---- +cert-manager +{"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""} +[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}] + +cert-manager-cainjector +{"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""} +[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}] + +cert-manager-webhook +{"kubernetes.io/os":"linux","node-role.kubernetes.io/control-plane":""} +[{"effect":"NoSchedule","key":"node-role.kubernetes.io/master","operator":"Exists"}] +---- + +. Verify pod scheduling events in the `cert-manager` namespace by running the following command: ++ +[source,terminal] +---- +$ oc get events -n cert-manager --field-selector reason=Scheduled +---- \ No newline at end of file diff --git a/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc b/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc index 35f24a090f..28d6f4c566 100644 --- a/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc +++ b/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc @@ -20,3 +20,5 @@ include::modules/cert-manager-override-arguments.adoc[leveloffset=+1] include::modules/cert-manager-override-flag-controller.adoc[leveloffset=+1] include::modules/cert-manager-configure-cpu-memory.adoc[leveloffset=+1] + +include::modules/cert-manager-override-scheduling.adoc[leveloffset=+1] \ No newline at end of file