mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/cert-manager-istio-csr-config-ca-cert.adoc
2026-01-22 08:46:02 +00:00

// Module included in the following assemblies:
//
// * security/cert_manager_operator/cert-manager-operator-integrating-istio.adoc
:_mod-docs-content-type: PROCEDURE
[id="cert-manager-istio-csr-config-ca-cert_{context}"]
= Configuring the CA certificate for the Istio server
[role="_abstract"]
You can configure the `ConfigMap` that contains the CA bundle used by Istio workloads to verify the Istio server certificate. If not configured, the {cert-manager-operator} looks for the CA certificate in the configured issuer and in the Kubernetes Secret that contains the Istio certificates.
.Prerequisites
* You have access to the cluster with `cluster-admin` privileges.
* You have created the `IstioCSR` custom resource (CR).
.Procedure
. Edit the `IstioCSR` CR by running the following command:
+
[source,terminal]
----
$ oc edit istiocsrs.operator.openshift.io default -n <istio_csr_project_name>
----
+
Replace `<istio_csr_project_name>` with the namespace where you created the `IstioCSR` CR.
. Configure the CA bundle by editing the `spec.istioCSRConfig.certManager` section. See the following example:
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: IstioCSR
...
spec:
  istioCSRConfig:
    certManager:
      istioCACertificate:
        key: <key_in_the_configmap>
        name: <configmap_name>
        namespace: <configmap_namespace>
----
+
where:
+
`<key_in_the_configmap>`:: Specifies the key name in the `ConfigMap` that contains the CA bundle.
`<configmap_name>`:: Specifies the name of the `ConfigMap`. Ensure that the referenced `ConfigMap` and key exist before you update this field.
`<configmap_namespace>`:: Optional. Specifies the namespace where the `ConfigMap` exists. If you do not set this field, the {cert-manager-operator} searches for the `ConfigMap` in the namespace where you have installed the `IstioCSR` CR.
+
[NOTE]
====
Whenever the CA certificate is rotated, you must manually update the `ConfigMap` with the latest certificate.
====
. Save and close the editor to apply your changes. After the changes are applied, the cert-manager Operator updates the CA bundle for the `istio-csr` operand.
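
The following pre-flight check is an added example, not part of the original module or of the product's tooling. It reads the key from the `ConfigMap` you plan to reference, confirms that it holds at least one PEM certificate, and flags certificates that expire soon, which is useful before you edit the `IstioCSR` CR and after each CA rotation. The function names, the script name `check-ca.sh`, and the 30-day threshold are assumptions of this example; it requires `oc` and `openssl`.

```bash
#!/usr/bin/env bash
# Added example: verify the ConfigMap key referenced by
# spec.istioCSRConfig.certManager.istioCACertificate before applying it.
# Function names and the 30-day default are assumptions of this example.

# Count PEM certificate blocks on stdin (prints 0 when there are none).
count_certs() {
  grep -c -e '^-----BEGIN CERTIFICATE-----' || true
}

# Print one key of a ConfigMap. The go-template "index" form also works
# for keys that contain dots, such as ca.crt.
fetch_bundle() {  # args: <configmap_name> <configmap_namespace> <key>
  oc get configmap "$1" -n "$2" -o go-template="{{index .data \"$3\"}}"
}

# Split a bundle into one file per certificate and inspect each one.
# Returns 2 if no certificate is present, 1 if any certificate is
# unreadable or expires within <days>, 0 otherwise.
check_bundle() {  # args: <bundle_file> [days]
  cb_file=$1; cb_days=${2:-30}; cb_rc=0
  if [ "$(count_certs < "$cb_file")" -eq 0 ]; then
    echo "no PEM certificate found in bundle" >&2
    return 2
  fi
  cb_tmp=$(mktemp -d)
  awk -v d="$cb_tmp" '/^-----BEGIN CERTIFICATE-----/ {n++}
       n {print > (d "/cert" n ".pem")}' "$cb_file"
  for cb_cert in "$cb_tmp"/cert*.pem; do
    openssl x509 -in "$cb_cert" -noout -subject -enddate || cb_rc=1
    openssl x509 -in "$cb_cert" -noout -checkend $((cb_days * 86400)) \
      >/dev/null || { echo "expiring or unreadable: $cb_cert" >&2; cb_rc=1; }
  done
  rm -rf "$cb_tmp"
  return "$cb_rc"
}

# Usage: ./check-ca.sh <configmap_name> <configmap_namespace> <key>
if [ "$#" -eq 3 ]; then
  out=$(mktemp)
  fetch_bundle "$1" "$2" "$3" > "$out" && check_bundle "$out"
  rc=$?
  rm -f "$out"
  exit "$rc"
fi
```

A non-zero exit status means the `ConfigMap` or key is missing, the value is not a PEM bundle, or at least one certificate in the bundle is close to expiry.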