mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
86 lines
2.4 KiB
Plaintext
86 lines
2.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="cert-manager-override-flag-controller_{context}"]
|
|
= Deleting a TLS secret automatically upon Certificate removal
|
|
|
|
[role="_abstract"]
|
|
You can enable the `--enable-certificate-owner-ref` flag for the {cert-manager-operator} by adding a `spec.controllerConfig` section in the `CertManager` resource. The `--enable-certificate-owner-ref` flag sets the certificate resource as an owner of the secret where the TLS certificate is stored.
|
|
|
|
[WARNING]
|
|
====
|
|
If you uninstall the {cert-manager-operator} or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used.
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* You have access to the {product-title} cluster as a user with the `cluster-admin` role.
|
|
* You have installed version 1.12.0 or later of the {cert-manager-operator}.
|
|
|
|
|
|
.Procedure
|
|
|
|
. Check that the `Certificate` object and its secret are available by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get certificate
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME READY SECRET AGE
|
|
certificate-from-clusterissuer-route53-ambient True certificate-from-clusterissuer-route53-ambient 8h
|
|
----
|
|
|
|
. Edit the `CertManager` resource by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc edit certmanager cluster
|
|
----
|
|
|
|
. Add a `spec.controllerConfig` section with the following override arguments:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: operator.openshift.io/v1alpha1
|
|
kind: CertManager
|
|
metadata:
|
|
name: cluster
|
|
# ...
|
|
spec:
|
|
# ...
|
|
controllerConfig:
|
|
overrideArgs:
|
|
- '--enable-certificate-owner-ref'
|
|
----
|
|
|
|
. Save your changes and quit the text editor to apply your changes.
|
|
|
|
.Verification
|
|
|
|
* Verify that the `--enable-certificate-owner-ref` flag is updated for cert-manager controller pod by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml
|
|
----
|
|
+
|
|
.Example output
|
|
[source,yaml]
|
|
----
|
|
# ...
|
|
metadata:
|
|
name: cert-manager-6e4b4d7d97-zmdnb
|
|
namespace: cert-manager
|
|
# ...
|
|
spec:
|
|
containers:
|
|
- args:
|
|
- --enable-certificate-owner-ref
|
|
----
|