From 95e6586b5c416d268f78854231ea160e7e3fd722 Mon Sep 17 00:00:00 2001
From: xenolinux
Date: Mon, 25 Sep 2023 14:18:08 +0530
Subject: [PATCH] OSDOCS#7888: Document support for the enable-certificate-owner-ref flag
---
 ...cert-manager-override-flag-controller.adoc | 84 +++++++++++++++++++
 .../cert-manager-customizing-api-fields.adoc | 4 +-
 2 files changed, 87 insertions(+), 1 deletion(-)
 create mode 100644 modules/cert-manager-override-flag-controller.adoc
diff --git a/modules/cert-manager-override-flag-controller.adoc b/modules/cert-manager-override-flag-controller.adoc
new file mode 100644
index 0000000000..995c4fd81c
--- /dev/null
+++ b/modules/cert-manager-override-flag-controller.adoc
@@ -0,0 +1,84 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-override-flag-controller_{context}"]
+= Deleting a TLS secret automatically upon Certificate removal
+
+You can enable the `--enable-certificate-owner-ref` flag for the {cert-manager-operator} by adding a `spec.controllerConfig` section in the `CertManager` resource. The `--enable-certificate-owner-ref` flag sets the certificate resource as an owner of the secret where the TLS certificate is stored.
++
+[WARNING]
+====
+If you uninstall the {cert-manager-operator} or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used.
+====
+
+.Prerequisites
+
+* You have access to the {product-title} cluster as a user with the `cluster-admin` role.
+* You have installed the {cert-manager-operator} 1.12.0 or later.
+
+
+.Procedure
+
+. Check that the `Certificate` object and its secret are available by running the following command:
++
+[source,terminal]
+----
+$ oc get certificate
+----
++
+.Example output
+[source,terminal]
+----
+NAME READY SECRET AGE
+certificate-from-clusterissuer-route53-ambient True certificate-from-clusterissuer-route53-ambient 8h
+----
+
+. Edit the `CertManager` resource by running the following command:
++
+[source,terminal]
+----
+$ oc edit certmanager cluster
+----
+
+. Add a `spec.controllerConfig` section with the following override arguments:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+ name: cluster
+# ...
+spec:
+# ...
+ controllerConfig:
+ overrideArgs:
+ - '--enable-certificate-owner-ref'
+----
+
+. Save your changes and quit the text editor to apply your changes.
+
+.Verification
+
+* Verify that the `--enable-certificate-owner-ref` flag is updated for cert-manager controller pod by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+# ...
+ metadata:
+ name: cert-manager-6e4b4d7d97-zmdnb
+ namespace: cert-manager
+# ...
+ spec:
+ containers:
+ - args:
+ - --enable-certificate-owner-ref
+----
diff --git a/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc b/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
index 553d4b0ccb..b5072e8ed4 100644
--- a/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
+++ b/security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
@@ -15,4 +15,6 @@ To override unsupported arguments, you can add `spec.unsupportedConfigOverrides`
 
 include::modules/cert-manager-override-environment-variables.adoc[leveloffset=+1]
 
-include::modules/cert-manager-override-arguments.adoc[leveloffset=+1]
\ No newline at end of file
+include::modules/cert-manager-override-arguments.adoc[leveloffset=+1]
+
+include::modules/cert-manager-override-flag-controller.adoc[leveloffset=+1]