Simplify certificate management on OpenShift across multiple architectures

Learn efficient certificate management techniques on Red Hat OpenShift using the cert-manager Operator for OpenShift’s multi-architecture support.

Today, the ability to deploy applications seamlessly across multiple platforms is no longer a luxury, but a necessity. As developers, we are often faced with the challenge of ensuring our applications run efficiently not just on one type of hardware, but on a diverse range of architectures—from x86 servers in a data center to ARM-based IoT devices, and everything in between. With multi-architecture images, we can simplify this process.

In this lesson, you will:

  • Understand the concept and significance of multi-architecture container images.
  • Gain hands-on experience in creating and managing these images across various CPU architectures using Podman.

What is it?

Multi-architecture container images represent a containerization strategy where a reference to a unified container image is crafted to run seamlessly across various CPU architectures (e.g., x86, ARM, s390x, RISC-V) and sometimes operating systems (e.g., Linux, Windows). A common tag is used for the image, but the container runtime automatically selects the appropriate variant based on the target platform where you want to run the container, using manifests that reference individual image variants for different platforms.

By using this approach, developers can deploy applications on a variety of hardware platforms without the hassle of reconstructing or handling individual images for each architecture, all with increased efficiency and flexibility. 

How to create

Creating a multi-arch container image has become straightforward using Podman (Figure 1). It not only allows you to create multi-architecture images but also lets you run them seamlessly.

Step 1: Initialize the manifest 

The first step is to initialize the manifest file. A manifest file is a type of manifest list that can point to specific image manifests for one or more platforms. You can create a manifest file using the podman manifest create command followed by the name of the image: 

podman manifest create <image>

<image> is the name of the image. Replace it with the name you want for your image.

Step 2: Build the image and attach it to the manifest 

Next, build the image for different platforms and attach them to the manifest list. The --platform option allows you to specify the platforms for which you want to build the image: 

podman build --platform linux/amd64,linux/arm64 --manifest <image> .

In this command, linux/amd64 and linux/arm64 are the platforms for which the image is being built. <image> is the name of the image, and `.` is your Dockerfile context path.

Step 3: Publish the manifest 

Finally, publish the manifest list to a registry. You can do this using the podman manifest push command: 

podman manifest push <image> docker://<registry>/<image>:<tag>

Where <image> is the name of the image, <registry> is the name of your registry, and tag is the image tag, as shown in Figure 1.

A process for using Podman to pull a correct image variant from a container registry. The process starts with creating a multi-architecture image. The image is then pushed to a registry. Podman then pulls the image from the registry, based on the target platform.
Figure 2: Visual illustration demonstrating the process of generating a multi-architecture image with Podman.
Figure 1:  Visual illustration demonstrating the process of generating a multi-architecture image with Podman.

That’s all it takes. Using these steps, you’ll have an image capable of running on both AMD64 and ARM64 architectures, all from a single tag. This means you can have a single image that works seamlessly across multiple platforms. Isn’t that cool? 

This is the power of multi-architecture images and the flexibility that Podman provides. It simplifies the process of building and deploying containerized applications, making your life as a developer much easier.

How to verify

To verify whether an image is multi-architecture or not, you can use the podman manifest inspect command, which provides details about the image, including size, digest, and most importantly, supported platforms.

Let's check the supported platforms for the cert-manager Operator's bundle image v1.13.0-9:

$ podman manifest inspect registry.redhat.io/cert-manager/cert-manager-operator-bundle:v1.13.0-9 | jq -r '.manifests[].platform' 

Here is a sample output:

{
  "architecture": "amd64",
  "os": "linux"
}
{
  "architecture": "arm64",
  "os": "linux"
}
{
  "architecture": "ppc64le",
  "os": "linux"
}
{
  "architecture": "s390x",
  "os": "linux"
}

As is evident, the image is compatible with amd64, arm64, ppc64le, and s390x architectures, making it capable of running on these platforms. We will use this image in Lesson 3.

Previous resource
Overview: Simplify certificate management on OpenShift across multiple architectures
Next resource
Deploy an OpenShift cluster on IBM Power Virtual Server