openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

OSDOCS#7888: Document support for the enable-certificate-owner-ref flag

Browse Source
This commit is contained in:
xenolinux
2023-09-25 14:18:08 +05:30
committed by openshift-cherrypick-robot
parent a8f89d39b0
commit 95e6586b5c
2 changed files with 87 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

84
modules/cert-manager-override-flag-controller.adoc Normal file
View File

@@ -0,0 +1,84 @@
// Module included in the following assemblies:
//
// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
:_content-type: PROCEDURE
[id="cert-manager-override-flag-controller_{context}"]
= Deleting a TLS secret automatically upon Certificate removal
You can enable the `--enable-certificate-owner-ref` flag for the {cert-manager-operator} by adding a `spec.controllerConfig` section in the `CertManager` resource. The `--enable-certificate-owner-ref` flag sets the certificate resource as an owner of the secret where the TLS certificate is stored.
+
[WARNING]
====
If you uninstall the {cert-manager-operator} or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used.
====
.Prerequisites
* You have access to the {product-title} cluster as a user with the `cluster-admin` role.
* You have installed the {cert-manager-operator} 1.12.0 or later.
.Procedure
. Check that the `Certificate` object and its secret are available by running the following command:
+
[source,terminal]
----
$ oc get certificate
----
+
.Example output
[source,terminal]
----
NAME READY SECRET AGE
certificate-from-clusterissuer-route53-ambient True certificate-from-clusterissuer-route53-ambient 8h
----
. Edit the `CertManager` resource by running the following command:
+
[source,terminal]
----
$ oc edit certmanager cluster
----
. Add a `spec.controllerConfig` section with the following override arguments:
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
name: cluster
# ...
spec:
# ...
controllerConfig:
overrideArgs:
- '--enable-certificate-owner-ref'
----
. Save your changes and quit the text editor to apply your changes.
.Verification
* Verify that the `--enable-certificate-owner-ref` flag is updated for cert-manager controller pod by running the following command:
+
[source,terminal]
----
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml
----
+
.Example output
[source,yaml]
----
# ...
metadata:
name: cert-manager-6e4b4d7d97-zmdnb
namespace: cert-manager
# ...
spec:
containers:
- args:
- --enable-certificate-owner-ref
----

4
security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
View File

@@ -15,4 +15,6 @@ To override unsupported arguments, you can add `spec.unsupportedConfigOverrides`
include::modules/cert-manager-override-environment-variables.adoc[leveloffset=+1]
include::modules/cert-manager-override-arguments.adoc[leveloffset=+1]
include::modules/cert-manager-override-arguments.adoc[leveloffset=+1]
include::modules/cert-manager-override-flag-controller.adoc[leveloffset=+1]