You can customize the cert-manager Operator for Red Hat OpenShift API fields by overriding environment variables and arguments.
To override unsupported arguments, you can add |
You can override the supported environment variables for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.
You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.
Edit the CertManager resource by running the following command:
$ oc edit certmanager cluster
Add a spec.controllerConfig section with the following override arguments:
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
  ...
spec:
  ...
  controllerConfig:
    overrideEnv:
      - name: HTTP_PROXY
        value: http://<proxy_url> # (1)
      - name: HTTPS_PROXY
        value: https://<proxy_url> # (1)
      - name: NO_PROXY
        value: <ignore_proxy_domains> # (2)
(1) Replace <proxy_url> with the proxy server URL.
(2) Replace <ignore_proxy_domains> with a comma-separated list of domains. These domains are ignored by the proxy server.
Save your changes and quit the text editor to apply your changes.
Verify that the cert-manager controller pod is redeployed by running the following command:
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
NAME                           READY   STATUS    RESTARTS   AGE
cert-manager-bd7fbb9fc-wvbbt   1/1     Running   0          39s
Verify that environment variables are updated for the cert-manager pod by running the following command:
$ oc get pod <redeployed_cert-manager_controller_pod> -n cert-manager -o yaml
    env:
    ...
    - name: HTTP_PROXY
      value: http://<PROXY_URL>
    - name: HTTPS_PROXY
      value: https://<PROXY_URL>
    - name: NO_PROXY
      value: <IGNORE_PROXY_DOMAINS>
You can override the supported arguments for the cert-manager Operator for Red Hat OpenShift by adding a spec.controllerConfig section in the CertManager resource.
You have access to the OpenShift Container Platform cluster as a user with the cluster-admin role.
Edit the CertManager resource by running the following command:
$ oc edit certmanager cluster
Add a spec.controllerConfig section with the following override arguments:
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
  ...
spec:
  ...
  controllerConfig:
    overrideArgs:
      - '--dns01-recursive-nameservers=<host>:<port>' # (1)
      - '--dns01-recursive-nameservers-only' # (2)
      - '--acme-http01-solver-nameservers=<host>:<port>' # (3)
      - '--v=<verbosity_level>' # (4)
      - '--metrics-listen-address=<host>:<port>' # (5)
      - '--issuer-ambient-credentials' # (6)
  webhookConfig:
    overrideArgs:
      - '--v=4' # (4)
  cainjectorConfig:
    overrideArgs:
      - '--v=2' # (4)
(1) Provide a comma-separated list of <host>:<port> nameservers to query for the DNS-01 self check. For example, --dns01-recursive-nameservers=1.1.1.1:53.
(2) Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
(3) Provide a comma-separated list of <host>:<port> nameservers to query for the Automated Certificate Management Environment (ACME) HTTP01 self check. For example, --acme-http01-solver-nameservers=1.1.1.1:53.
(4) Set the log level verbosity, which determines how detailed the log messages are.
(5) Specify the host and port for the metrics endpoint. The default value is --metrics-listen-address=0.0.0.0:9402.
(6) You must use the --issuer-ambient-credentials argument when configuring an ACME Issuer to solve DNS-01 challenges by using ambient credentials.
Save your changes and quit the text editor to apply your changes.
Verify that arguments are updated for cert-manager pods by running the following command:
$ oc get pods -n cert-manager -o yaml
...
  metadata:
    name: cert-manager-6d4b5d4c97-kldwl
    namespace: cert-manager
...
  spec:
    containers:
    - args:
      - --acme-http01-solver-nameservers=1.1.1.1:53
      - --cluster-resource-namespace=$(POD_NAMESPACE)
      - --dns01-recursive-nameservers=1.1.1.1:53
      - --dns01-recursive-nameservers-only
      - --leader-election-namespace=kube-system
      - --max-concurrent-challenges=60
      - --metrics-listen-address=0.0.0.0:9042
      - --v=6
...
  metadata:
    name: cert-manager-cainjector-866c4fd758-ltxxj
    namespace: cert-manager
...
  spec:
    containers:
    - args:
      - --leader-election-namespace=kube-system
      - --v=2
...
  metadata:
    name: cert-manager-webhook-6d48f88495-c88gd
    namespace: cert-manager
...
  spec:
    containers:
    - args:
      ...
      - --v=4
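The manual comparison in the verification step can be scripted. The following Python check is an added example, not part of the original documentation or the Operator's code: it reports every overrideArgs entry from the CertManager resource that is absent from the matching pod's container arguments, which is what you see when a pod has not yet been redeployed. The function names are hypothetical, the mapping from spec section to pod-name prefix is an assumption based on the sample pod names above, and the JSON input is constructed sample data.

```python
import json

# Spec section -> pod-name prefix, taken from the sample pod names on this page
# (assumption: pods keep their deployment-name prefixes).
COMPONENTS = {
    "controllerConfig": "cert-manager-",
    "webhookConfig": "cert-manager-webhook-",
    "cainjectorConfig": "cert-manager-cainjector-",
}

def component_of(pod_name):
    """Return the CertManager spec section for a pod, trying the longest prefix first."""
    for section, prefix in sorted(COMPONENTS.items(), key=lambda kv: -len(kv[1])):
        if pod_name.startswith(prefix):
            return section
    return None

def missing_overrides(certmanager, pod_list):
    """Return {pod name: [overrideArgs not present in the pod's container args]}."""
    spec = certmanager.get("spec", {})
    report = {}
    for pod in pod_list.get("items", []):
        name = pod["metadata"]["name"]
        wanted = (spec.get(component_of(name)) or {}).get("overrideArgs", [])
        running = {a for c in pod["spec"]["containers"] for a in c.get("args", [])}
        missing = [a for a in wanted if a not in running]
        if missing:
            report[name] = missing
    return report

# Constructed sample data, shaped like `oc get certmanager cluster -o json`
# and `oc get pods -n cert-manager -o json`.
SAMPLE_CERTMANAGER = json.loads("""{"spec": {
  "controllerConfig": {"overrideArgs": ["--dns01-recursive-nameservers=1.1.1.1:53",
                                        "--dns01-recursive-nameservers-only", "--v=6"]},
  "webhookConfig": {"overrideArgs": ["--v=4"]},
  "cainjectorConfig": {"overrideArgs": ["--v=2"]}}}""")
SAMPLE_PODS = json.loads("""{"items": [
  {"metadata": {"name": "cert-manager-6d4b5d4c97-kldwl"}, "spec": {"containers": [
    {"args": ["--dns01-recursive-nameservers=1.1.1.1:53", "--v=2"]}]}},
  {"metadata": {"name": "cert-manager-webhook-6d48f88495-c88gd"}, "spec": {"containers": [
    {"args": ["--v=4"]}]}},
  {"metadata": {"name": "cert-manager-cainjector-866c4fd758-ltxxj"}, "spec": {"containers": [
    {"args": ["--leader-election-namespace=kube-system", "--v=2"]}]}}]}""")

if __name__ == "__main__":
    for pod, args in missing_overrides(SAMPLE_CERTMANAGER, SAMPLE_PODS).items():
        print(f"{pod}: missing {args}")
```

On a live cluster, load the output of the two oc commands named in the comment with json.load and pass the resulting objects to missing_overrides in place of the sample data.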