Simplify certificate management on OpenShift across multiple architectures

Learn efficient certificate management techniques on Red Hat OpenShift using the cert-manager Operator for OpenShift’s multi-architecture support.

Let's kick things up a notch!

We're now all set to install the cert-manager Operator for Red Hat OpenShift on our cluster. As of the time of publishing, the installation documentation primarily outlines the steps using the OpenShift web console, this learning path will guide you through the CLI installation (Figure 1), with some Operator Lifecycle Manager(OLM) explanations. Pick your flavor, and feel free to choose the method that best suits your use case and preferences, as both lead to the same result.

Steps to install cert manager Operator for Red Hat OpenShift using command line interface (CLI).
Figure 1: The installation steps for cert manager Operator for Red Hat OpenShift.

In order to get the full benefit from taking this lesson, you need to:

  • Export KUBECONFIG or use oc login to access your cluster, as accomplished at the end of Lesson 2

    $ export KUBECONFIG=<path-to-kubeconfig>

In this lesson, you will:

  • Understand and leverage Operator Lifecycle Manager (OLM) resources for streamlined operator management.
  • Use OLM to install cert-manager Operator for Red Hat OpenShift on IBM Power VS.

Review Operator Lifecycle Manager (OLM) resources

In OpenShift, a catalog source serves as a carefully curated repository of operators, akin to an app store. It provides a comprehensive listing of operators along with their descriptions, versions, and compatibility information. By default, the redhat-operators catalog source is included with the cluster in openshift-marketplace namespace, featuring the presence of the openshift-cert-manager-operator:

$ oc get catalogsources redhat-operators -n openshift-marketplace

Within OLM, the PackageManifest is your operator's info card. It includes details such as the package name, available channels, source repository (catalog aource), install modes, version details, etc., which simplifies operator installation within your OpenShift cluster. Let's check the details for openshift-cert-manager-operator:

$ oc describe packagemanifest openshift-cert-manager-operator -n openshift-marketplace

Have you observed the labels? They provide information about the supported architectures and the source catalog:

$ oc get packagemanifest openshift-cert-manager-operator -n openshift-marketplace -o json | jq .metadata.labels
  "catalog": "redhat-operators",
  "catalog-namespace": "openshift-marketplace",
  "": "true",
  "": "supported",
  "": "supported",
  "": "supported",
  "": "supported",
  "": "supported",
  "provider": "Red Hat",
  "provider-url": ""

Take a look at the defaultChannel:

$ oc get packagemanifest openshift-cert-manager-operator -n openshift-marketplace -o json | jq .status.defaultChannel

Make a note of this information as we'll use it when creating the Subscription.

Install cert-manager Operator for OpenShift via CLI

To set up cert-manager for Red Hat OpenShift, follow these steps:

  1. Create a new project cert-manager-operator. This will be the operator namespace:

    $ oc new-project cert-manager-operator
  2. Next, we'll create the OperatorGroup to help OLM specify the target namespaces where the operator should be deployed and watch for its resources:

    $ oc create -f - <<EOF 
    kind: OperatorGroup
      name: openshift-cert-manager-operator
      namespace: cert-manager-operator
      - "cert-manager-operator"
  3. Finally, create a Subscription to install your operator. Ensure that the information in the spec is sourced from the PackageManifest as needed:

    $ oc create -f - <<EOF
    kind: Subscription
      name: openshift-cert-manager-operator
      namespace: cert-manager-operator
      channel: stable-v1
      name: openshift-cert-manager-operator
      source: redhat-operators
      sourceNamespace: openshift-marketplace
      installPlanApproval: Automatic
      startingCSV: cert-manager-operator.v1.13.0
  4. You can do a quick verification by following the commands and sample outputs below:

    oc get subscription -n cert-manager-operator
    NAME                              PACKAGE                           SOURCE             CHANNEL
    openshift-cert-manager-operator   openshift-cert-manager-operator   redhat-operators   stable-v1
    oc get csv -n cert-manager-operator
    NAME                            DISPLAY                                       VERSION   REPLACES                        PHASE
    cert-manager-operator.v1.13.0   cert-manager Operator for Red Hat OpenShift   1.13.0    cert-manager-operator.v1.12.1   Succeeded
    oc get pods -n cert-manager-operator
    NAME                                                        READY   STATUS    RESTARTS   AGE
    cert-manager-operator-controller-manager-695b4d46cb-r4hld   2/2     Running   0          7m4s
    oc get pods -n cert-manager
    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-58b7f649c4-dp6l4              1/1     Running   0          7m1s
    cert-manager-cainjector-5565b8f897-gx25h   1/1     Running   0          7m37s
    cert-manager-webhook-9bc98cbdd-f972x       1/1     Running   0          7m40s

Well done! You've successfully installed the openshift-cert-manager-operator in your cluster, and it is prepared to handle certificate services. 

Previous resource
Deploy an OpenShift cluster on IBM Power Virtual Server
Next resource
Automate TLS certificate management using cert-manager Operator for OpenShift