You can customize the cert-manager Operator for Red Hat OpenShift API fields by overriding environment variables and arguments.

To override unsupported arguments, you can add a spec.unsupportedConfigOverrides section to the CertManager resource, but using spec.unsupportedConfigOverrides is unsupported.

Customizing cert-manager by overriding environment variables from the cert-manager Operator API

You can override the supported environment variables for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.

Prerequisites
  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

Procedure
  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
  2. Add a spec.controllerConfig section with the following override environment variables:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
      # ...
    spec:
      # ...
      controllerConfig:
        overrideEnv:
          - name: HTTP_PROXY
            value: http://<proxy_url> # (1)
          - name: HTTPS_PROXY
            value: https://<proxy_url> # (1)
          - name: NO_PROXY
            value: <ignore_proxy_domains> # (2)
    (1) Replace <proxy_url> with the proxy server URL.
    (2) Replace <ignore_proxy_domains> with a comma-separated list of domains. These domains are ignored by the proxy server.
  3. Save your changes and quit the text editor to apply your changes.

Verification
  1. Verify that the cert-manager controller pod is redeployed by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Example output
    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          39s
  2. Verify that environment variables are updated for the cert-manager pod by running the following command:

    $ oc get pod <redeployed_cert-manager_controller_pod> -n cert-manager -o yaml
    Example output
        env:
        ...
        - name: HTTP_PROXY
          value: http://<PROXY_URL>
        - name: HTTPS_PROXY
          value: https://<PROXY_URL>
        - name: NO_PROXY
          value: <IGNORE_PROXY_DOMAINS>

Customizing cert-manager by overriding arguments from the cert-manager Operator API

You can override the supported arguments for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.

Prerequisites
  • You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.

Procedure
  1. Edit the CertManager resource by running the following command:

    $ oc edit certmanager cluster
  2. Add a spec.controllerConfig section with the following override arguments:

    apiVersion: operator.openshift.io/v1alpha1
    kind: CertManager
    metadata:
      name: cluster
      # ...
    spec:
      # ...
      controllerConfig:
        overrideArgs:
          - '--dns01-recursive-nameservers=<host>:<port>' # (1)
          - '--dns01-recursive-nameservers-only' # (2)
          - '--acme-http01-solver-nameservers=<host>:<port>' # (3)
          - '--v=<verbosity_level>' # (4)
          - '--metrics-listen-address=<host>:<port>' # (5)
          - '--issuer-ambient-credentials' # (6)
      webhookConfig:
        overrideArgs:
          - '--v=4' # (4)
      cainjectorConfig:
        overrideArgs:
          - '--v=2' # (4)
    (1) Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. For example, --dns01-recursive-nameservers=1.1.1.1:53.
    (2) Specify this argument to use only the recursive nameservers instead of checking the authoritative nameservers associated with that domain.
    (3) Provide a comma-separated list of <host>:<port> nameservers to query for the Automated Certificate Management Environment (ACME) HTTP01 self check. For example, --acme-http01-solver-nameservers=1.1.1.1:53.
    (4) Set the log level verbosity, which determines how detailed the log messages are.
    (5) Specify the host and port for the metrics endpoint. The default value is --metrics-listen-address=0.0.0.0:9402.
    (6) You must use the --issuer-ambient-credentials argument when configuring an ACME Issuer to solve DNS-01 challenges by using ambient credentials.
  3. Save your changes and quit the text editor to apply your changes.

Verification
  • Verify that arguments are updated for cert-manager pods by running the following command:

    $ oc get pods -n cert-manager -o yaml
    Example output
    ...
      metadata:
        name: cert-manager-6d4b5d4c97-kldwl
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          - --acme-http01-solver-nameservers=1.1.1.1:53
          - --cluster-resource-namespace=$(POD_NAMESPACE)
          - --dns01-recursive-nameservers=1.1.1.1:53
          - --dns01-recursive-nameservers-only
          - --leader-election-namespace=kube-system
          - --max-concurrent-challenges=60
          - --metrics-listen-address=0.0.0.0:9042
          - --v=6
    ...
      metadata:
        name: cert-manager-cainjector-866c4fd758-ltxxj
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          - --leader-election-namespace=kube-system
          - --v=2
    ...
      metadata:
        name: cert-manager-webhook-6d48f88495-c88gd
        namespace: cert-manager
    ...
      spec:
        containers:
        - args:
          ...
          - --v=4
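
The verification steps above, scripted as an added example (not part of the product documentation): `missing_overrides` prints each override requested in the CertManager resource that the redeployed pod is not running with. The expected list is constructed, the actual list is the controller args from the example output above, and `check_live_controller_args` assumes a logged-in `oc` session; the same comparison works for `overrideEnv` when both sides are rendered as `NAME=value` lines.

```shell
#!/bin/sh
# Added example (not from the product documentation).

# Print every expected entry that is absent from the actual list.
# $1 = expected entries, $2 = actual entries, both newline-separated.
# Matching is whole-line and literal, so --v=2 does not match --v=22.
missing_overrides() {
    printf '%s\n' "$1" | while IFS= read -r want; do
        [ -n "$want" ] || continue
        printf '%s\n' "$2" | grep -Fxq -e "$want" || printf '%s\n' "$want"
    done
}

# Live-cluster variant for the controller; needs oc and a logged-in session.
# The jsonpath expressions print one array element per line.
check_live_controller_args() {
    want=$(oc get certmanager cluster \
        -o jsonpath='{range .spec.controllerConfig.overrideArgs[*]}{@}{"\n"}{end}')
    have=$(oc get pods -n cert-manager -l app.kubernetes.io/name=cert-manager \
        -o jsonpath='{range .items[0].spec.containers[0].args[*]}{@}{"\n"}{end}')
    missing_overrides "$want" "$have"
}

# Constructed expected list: what an administrator put in overrideArgs.
EXPECTED_ARGS='--dns01-recursive-nameservers=1.1.1.1:53
--dns01-recursive-nameservers-only
--acme-http01-solver-nameservers=1.1.1.1:53
--v=6
--metrics-listen-address=0.0.0.0:9042
--issuer-ambient-credentials'

# Controller args as listed in the example output above.
ACTUAL_ARGS='--acme-http01-solver-nameservers=1.1.1.1:53
--cluster-resource-namespace=$(POD_NAMESPACE)
--dns01-recursive-nameservers=1.1.1.1:53
--dns01-recursive-nameservers-only
--leader-election-namespace=kube-system
--max-concurrent-challenges=60
--metrics-listen-address=0.0.0.0:9042
--v=6'

# Reports the one requested argument the sample pod is not running with.
missing_overrides "$EXPECTED_ARGS" "$ACTUAL_ARGS"
```

An empty result means every requested override reached the pod.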