mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
// Module included in the following assemblies:
//
// * security/external_secrets_operator/external-secrets-log-levels.adoc

:_mod-docs-content-type: PROCEDURE
[id="external-secrets-cert-manager-config_{context}"]
= Configuring cert-manager for the external-secrets certificate requirements

[role="_abstract"]
Configure cert-manager to handle certificate management for the external-secrets webhook and plugins. This optional configuration automates certificate generation for plugins and eliminates the need for manual configuration.

When `cert-manager` is not used, `external-secrets` defaults to its own certificate management. In this mode, it automatically generates the required certificates for the webhook, while you are responsible for manually configuring certificates for the plugins.

.Prerequisites

* You have access to the cluster with `cluster-admin` privileges.
* You have created the `ExternalSecretsConfig` custom resource.
* You have installed the {cert-manager-operator}. For more information, see "Installing the {cert-manager-operator}".

.Procedure

. Edit the `ExternalSecretsConfig` custom resource by running the following command:
+
[source,terminal]
----
$ oc edit externalsecretsconfigs.operator.openshift.io cluster
----

. Configure `cert-manager` by editing the `spec.controllerConfig.certProvider.certManager` section as follows:
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: ExternalSecretsConfig
...
spec:
  controllerConfig:
    certProvider:
      certManager:
        injectAnnotations: "true"
        issuerRef:
          name: <issuer_name>
          kind: <issuer_kind>
          group: <issuer_group>
        mode: Enabled
----
+
where:

injectAnnotations:: Must be set to `true` when cert-manager is enabled.
name:: Specifies the name of the issuer object referenced in `ExternalSecretsConfig`.
kind:: Specifies the API kind of the issuer. Can be set to either `Issuer` or `ClusterIssuer`.
group:: Specifies the API group of the issuer. The group name must be `cert-manager.io`.
mode:: Must be set to `Enabled`. This field is immutable and cannot be modified after it is configured.

. Save your changes.

. After you update the `cert-manager` configuration in the `externalsecretsconfig.operator.openshift.io` object, you must manually delete the `external-secrets-cert-controller` deployment by running the following command. This prevents performance degradation of the `external-secrets` application.
+
[source,terminal]
----
$ oc delete deployments.apps external-secrets-cert-controller -n external-secrets
----

. Optionally, you can delete the other resources created for the `cert-controller` by running the following commands:
+
[source,terminal]
----
$ oc delete clusterrolebindings.rbac.authorization.k8s.io external-secrets-cert-controller
----
+
[source,terminal]
----
$ oc delete clusterroles.rbac.authorization.k8s.io external-secrets-cert-controller
----
+
[source,terminal]
----
$ oc delete serviceaccounts external-secrets-cert-controller -n external-secrets
----
+
[source,terminal]
----
$ oc delete secrets external-secrets-webhook -n external-secrets
----
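The following pre-flight check is an added example, not code from openshift-docs or the operator: it validates a proposed `certManager` block against the constraints listed in the procedure (the `injectAnnotations` value, the allowed `issuerRef.kind` values, the required `issuerRef.group`, and `mode: Enabled`) and refuses an edit that would change the immutable `mode` field. It works on the resource as a plain dict (the shape `oc get ... -o json` returns) with a constructed sample, so it runs offline; the function names and the sample issuer name are assumptions.

```python
# Added example (not openshift-docs or operator code): pre-flight validator for
# spec.controllerConfig.certProvider.certManager, run on the resource as a plain
# dict (the shape `oc get externalsecretsconfigs ... -o json` returns).
from typing import Any, Dict, List, Optional

ALLOWED_KINDS = {"Issuer", "ClusterIssuer"}  # per the procedure above
REQUIRED_GROUP = "cert-manager.io"


def cert_manager_block(cfg: Dict[str, Any]) -> Dict[str, Any]:
    """Return spec.controllerConfig.certProvider.certManager, or {} if absent."""
    return (cfg.get("spec", {}).get("controllerConfig", {})
            .get("certProvider", {}).get("certManager", {}))


def validate(desired: Dict[str, Any],
             current: Optional[Dict[str, Any]] = None) -> List[str]:
    """Return the problems found; an empty list means the edit is acceptable."""
    cm = cert_manager_block(desired)
    if not cm:
        return ["spec.controllerConfig.certProvider.certManager is missing"]
    problems: List[str] = []
    if str(cm.get("injectAnnotations", "")).lower() != "true":
        problems.append('injectAnnotations must be "true"')
    ref = cm.get("issuerRef", {})
    if not ref.get("name"):
        problems.append("issuerRef.name is required")
    if ref.get("kind") not in ALLOWED_KINDS:
        problems.append("issuerRef.kind must be Issuer or ClusterIssuer")
    if ref.get("group") != REQUIRED_GROUP:
        problems.append("issuerRef.group must be cert-manager.io")
    if cm.get("mode") != "Enabled":
        problems.append("mode must be Enabled")
    # mode is immutable once set: refuse an edit that would change it.
    if current is not None:
        old_mode = cert_manager_block(current).get("mode")
        if old_mode and old_mode != cm.get("mode"):
            problems.append(f"mode is immutable (currently {old_mode})")
    return problems


# Constructed sample that follows the procedure; the issuer name is made up.
DESIRED = {"apiVersion": "operator.openshift.io/v1alpha1",
           "kind": "ExternalSecretsConfig",
           "spec": {"controllerConfig": {"certProvider": {"certManager": {
               "injectAnnotations": "true",
               "issuerRef": {"name": "example-issuer", "kind": "ClusterIssuer",
                             "group": REQUIRED_GROUP},
               "mode": "Enabled"}}}}}

if __name__ == "__main__":
    print("problems:", validate(DESIRED) or "none")
```

Run it against the live object (`oc get externalsecretsconfigs.operator.openshift.io cluster -o json`) as the `current` argument before saving an `oc edit` session, so a change to `mode` is caught before the API server rejects it.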