|
| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="cert-manager-override-arguments_{context}"] |
| 7 | += Customizing cert-manager by overriding arguments from the cert-manager Operator API |
| 8 | + |
| 9 | +You can override the supported arguments for the {cert-manager-operator} by adding a `spec.controllerConfig` section in the `CertManager` resource. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | + |
| 13 | +* You have access to the {product-title} cluster as a user with the `cluster-admin` role. |
| 14 | +
|
| 15 | +.Procedure |
| 16 | + |
| 17 | +. Edit the `CertManager` resource by running the following command: |
| 18 | ++ |
| 19 | +[source,terminal] |
| 20 | +---- |
| 21 | +$ oc edit certmanager cluster |
| 22 | +---- |
| 23 | + |
| 24 | +. Add a `spec.controllerConfig` section with the following override arguments: |
| 25 | ++ |
| 26 | +[source,yaml] |
| 27 | +---- |
| 28 | +apiVersion: operator.openshift.io/v1alpha1 |
| 29 | +kind: CertManager |
| 30 | +metadata: |
| 31 | + name: cluster |
| 32 | + ... |
| 33 | +spec: |
| 34 | + ... |
| 35 | + controllerConfig: |
| 36 | + overrideArgs: |
| 37 | + - '--dns01-recursive-nameservers=<host>:<port>' <1> |
| 38 | + - '--dns01-recursive-nameservers-only' <2> |
| 39 | + - '--acme-http01-solver-nameservers=<host>:<port>' <3> |
| 40 | + - '--v=<verbosity_level>' <4> |
| 41 | + - '--metrics-listen-address=<host>:<port>' <5> |
| 42 | + webhookConfig: |
| 43 | + overrideArgs: |
| 44 | + - '--v=4' <4> |
| 45 | + cainjectorConfig: |
| 46 | + overrideArgs: |
| 47 | + - '--v=2' <4> |
| 48 | +---- |
| 49 | +<1> Provide a comma-separated list of `<host>:<port>` nameservers to query for the DNS-01 self check. For example, `--dns01-recursive-nameservers=1.1.1.1:53`. |
| 50 | +<2> Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain. |
| 51 | +<3> Provide a comma-separated list of `<host>:<port>` nameservers to query for the ACME HTTP01 self check. For example, `--acme-http01-solver-nameservers=1.1.1.1:53`. |
| 52 | +<4> Specify to set the log level verbosity to determine the verbosity of log messages. |
| 53 | +<5> Specify the host and port for the metrics endpoint. The default value is `--metrics-listen-address=0.0.0.0:9402`. |
| 54 | + |
| 55 | +. Save your changes and quit the text editor to apply your changes. |
| 56 | + |
| 57 | +.Verification |
| 58 | + |
| 59 | +* Verify that arguments are updated for cert-manager pods by running the following command: |
| 60 | ++ |
| 61 | +[source,terminal] |
| 62 | +---- |
| 63 | +$ oc get pods -n cert-manager -o yaml |
| 64 | +---- |
| 65 | ++ |
| 66 | +.Example output |
| 67 | +[source,yaml] |
| 68 | +---- |
| 69 | +... |
| 70 | + metadata: |
| 71 | + name: cert-manager-6d4b5d4c97-kldwl |
| 72 | + namespace: cert-manager |
| 73 | +... |
| 74 | + spec: |
| 75 | + containers: |
| 76 | + - args: |
| 77 | + - --acme-http01-solver-nameservers=1.1.1.1:53 |
| 78 | + - --cluster-resource-namespace=$(POD_NAMESPACE) |
| 79 | + - --dns01-recursive-nameservers=1.1.1.1:53 |
| 80 | + - --dns01-recursive-nameservers-only |
| 81 | + - --leader-election-namespace=kube-system |
| 82 | + - --max-concurrent-challenges=60 |
| 83 | + - --metrics-listen-address=0.0.0.0:9042 |
| 84 | + - --v=6 |
| 85 | +... |
| 86 | + metadata: |
| 87 | + name: cert-manager-cainjector-866c4fd758-ltxxj |
| 88 | + namespace: cert-manager |
| 89 | +... |
| 90 | + spec: |
| 91 | + containers: |
| 92 | + - args: |
| 93 | + - --leader-election-namespace=kube-system |
| 94 | + - --v=2 |
| 95 | +... |
| 96 | + metadata: |
| 97 | + name: cert-manager-webhook-6d48f88495-c88gd |
| 98 | + namespace: cert-manager |
| 99 | +... |
| 100 | + spec: |
| 101 | + containers: |
| 102 | + - args: |
| 103 | + ... |
| 104 | + - --v=4 |
| 105 | +---- |
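Review bot: The example output at line 83 shows `--metrics-listen-address=0.0.0.0:9042`, while callout <5> at line 53 documents the default as `0.0.0.0:9402`. The digits look transposed, and because the sample `overrideArgs` at line 41 uses a `<host>:<port>` placeholder, a reader cannot tell whether 9042 is an intended override or a typo. Suggest making the example output use the same port as the callout, or stating in the procedure which value was set. Separately, callout <4> at line 52 is circular ("set the log level verbosity to determine the verbosity of log messages") and gives no accepted range, although the examples use `--v=2`, `--v=4` and `--v=6`. Consider rewording it to state the valid values.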