mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
86 lines
2.8 KiB
Plaintext
86 lines
2.8 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/cert_manager_operator/cert-manager-operator-proxy.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="cert-manager-proxy-support_{context}"]
|
|
= Injecting a custom CA certificate for the {cert-manager-operator}
|
|
|
|
[role="_abstract"]
|
|
If your {product-title} cluster has the cluster-wide proxy enabled, you can inject any CA certificates that are required for proxying HTTPS connections into the {cert-manager-operator}.
|
|
|
|
.Prerequisites
|
|
|
|
* You have access to the cluster as a user with the `cluster-admin` role.
|
|
* You have enabled the cluster-wide proxy for {product-title}.
|
|
|
|
.Procedure
|
|
|
|
. Create a config map in the `cert-manager` namespace by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create configmap trusted-ca -n cert-manager
|
|
----
|
|
|
|
. Inject the CA bundle that is trusted by {product-title} into the config map by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc label cm trusted-ca config.openshift.io/inject-trusted-cabundle=true -n cert-manager
|
|
----
|
|
|
|
. Update the deployment for the {cert-manager-operator} to use the config map by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}}'
|
|
----
|
|
|
|
.Verification
|
|
|
|
. Verify that the deployments have finished rolling out by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc rollout status deployment/cert-manager-operator-controller-manager -n cert-manager-operator && \
|
|
oc rollout status deployment/cert-manager -n cert-manager && \
|
|
oc rollout status deployment/cert-manager-webhook -n cert-manager && \
|
|
oc rollout status deployment/cert-manager-cainjector -n cert-manager
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
deployment "cert-manager-operator-controller-manager" successfully rolled out
|
|
deployment "cert-manager" successfully rolled out
|
|
deployment "cert-manager-webhook" successfully rolled out
|
|
deployment "cert-manager-cainjector" successfully rolled out
|
|
----
|
|
|
|
. Verify that the CA bundle was mounted as a volume by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get deployment cert-manager -n cert-manager -o=jsonpath={.spec.template.spec.'containers[0].volumeMounts'}
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
[{"mountPath":"/etc/pki/tls/certs/cert-manager-tls-ca-bundle.crt","name":"trusted-ca","subPath":"ca-bundle.crt"}]
|
|
----
|
|
|
|
. Verify that the source of the CA bundle is the `trusted-ca` config map by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get deployment cert-manager -n cert-manager -o=jsonpath={.spec.template.spec.volumes}
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
[{"configMap":{"defaultMode":420,"name":"trusted-ca"},"name":"trusted-ca"}]
|
|
----
|