| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/cert_manager_operator/cert-manager-customizing-api-fields.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="cert-manager-override-flag-controller_{context}"] |
| 7 | += Deleting a TLS secret automatically upon Certificate removal |
| 8 | + |
| 9 | +You can enable the `--enable-certificate-owner-ref` flag for the {cert-manager-operator} by adding a `spec.controllerConfig` section in the `CertManager` resource. The `--enable-certificate-owner-ref` flag sets the certificate resource as an owner of the secret where the TLS certificate is stored. |
| 10 | ++ |
| 11 | +[WARNING] |
| 12 | +==== |
| 13 | +If you uninstall the {cert-manager-operator} or delete certificate resources from the cluster, the secret is deleted automatically. This might cause network connectivity issues depending upon where the certificate TLS secret is being used. |
| 14 | +==== |
| 15 | + |
| 16 | +.Prerequisites |
| 17 | + |
| 18 | +* You have access to the {product-title} cluster as a user with the `cluster-admin` role. |
| 19 | +* You have installed the {cert-manager-operator} 1.12.0 or later. |
| 20 | +
| 21 | +
| 22 | +.Procedure |
| 23 | + |
| 24 | +. Check that the `Certificate` object and its secret are available by running the following command: |
| 25 | ++ |
| 26 | +[source,terminal] |
| 27 | +---- |
| 28 | +$ oc get certificate |
| 29 | +---- |
| 30 | ++ |
| 31 | +.Example output |
| 32 | +[source,terminal] |
| 33 | +---- |
| 34 | +NAME READY SECRET AGE |
| 35 | +certificate-from-clusterissuer-route53-ambient True certificate-from-clusterissuer-route53-ambient 8h |
| 36 | +---- |
| 37 | + |
| 38 | +. Edit the `CertManager` resource by running the following command: |
| 39 | ++ |
| 40 | +[source,terminal] |
| 41 | +---- |
| 42 | +$ oc edit certmanager cluster |
| 43 | +---- |
| 44 | + |
| 45 | +. Add a `spec.controllerConfig` section with the following override arguments: |
| 46 | ++ |
| 47 | +[source,yaml] |
| 48 | +---- |
| 49 | +apiVersion: operator.openshift.io/v1alpha1 |
| 50 | +kind: CertManager |
| 51 | +metadata: |
| 52 | + name: cluster |
| 53 | +# ... |
| 54 | +spec: |
| 55 | +# ... |
| 56 | + controllerConfig: |
| 57 | + overrideArgs: |
| 58 | + - '--enable-certificate-owner-ref' |
| 59 | +---- |
| 60 | + |
| 61 | +. Save your changes and quit the text editor to apply your changes. |
| 62 | + |
| 63 | +.Verification |
| 64 | + |
| 65 | +* Verify that the `--enable-certificate-owner-ref` flag is updated for cert-manager controller pod by running the following command: |
| 66 | ++ |
| 67 | +[source,terminal] |
| 68 | +---- |
| 69 | +$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager -o yaml |
| 70 | +---- |
| 71 | ++ |
| 72 | +.Example output |
| 73 | +[source,yaml] |
| 74 | +---- |
| 75 | +# ... |
| 76 | + metadata: |
| 77 | + name: cert-manager-6e4b4d7d97-zmdnb |
| 78 | + namespace: cert-manager |
| 79 | +# ... |
| 80 | + spec: |
| 81 | + containers: |
| 82 | + - args: |
| 83 | + - --enable-certificate-owner-ref |
| 84 | +---- |
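Review bot: the `+` list-continuation line placed directly after the introductory paragraph and before the `[WARNING]` admonition (line 10 of the new file) is not inside a list item, so AsciiDoc will render it as a literal plus sign rather than attaching the admonition to anything; drop that line and let the admonition follow the paragraph as a normal block. The two consecutive empty lines after the Prerequisites list (lines 20 and 21) should also be collapsed to one. On the Verification step, the flag is only present on the controller pod once the operator has rolled out new pods, so consider stating that the pod name in the example output will differ and suggesting a narrower query such as `-o jsonpath='{.items[*].spec.containers[*].args}'` instead of dumping the full pod YAML, which makes the `--enable-certificate-owner-ref` argument easier to spot. Given the warning that deleting a `Certificate` now garbage-collects its TLS `Secret`, it would help readers to add a sentence noting that this makes the `Certificate` resource the authoritative object to protect (for example via RBAC) when the secret is consumed by routes or ingress.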