Story
Resolution: Done
Major
cert-manager-1.18
This story is for validating the installation and functionality of cert-manager-operator on a cluster having OLMv1.
Initial Analysis:
- Installation doesn't seem to have an issue.
- The operator relies on the `subscription.operators.coreos.com` OLMv0 CustomResource for its functionality and requires an alternate source to allow users to set required environment variables.
- Work is apparently in progress to extend the `clusterextension.olm.operatorframework.io` OLMv1 CustomResource with a provision to set environment variables, and we need to record this as part of this activity.
- Ref: https://redhat-internal.slack.com/archives/C097W1N3UQ6/p1753802924299679
- Below are the scenarios where we need to set env vars using the Subscription object.
## Injecting a custom CA certificate for the cert-manager Operator for Red Hat OpenShift

```console
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"TRUSTED_CA_CONFIGMAP_NAME","value":"trusted-ca"}]}}}'
```

## Authenticating on AWS

```console
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"aws-creds"}]}}}'
```

## Authenticating on GCP

```console
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}'
```

## Authenticating with GCP Workload Identity

```console
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}'
```

## Enabling TechPreview features

```console
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"UNSUPPORTED_ADDON_FEATURES","value":"IstioCSR=true"}]}}}'
```

## Setting a log level for the cert-manager Operator for Red Hat OpenShift

```console
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type='merge' -p '{"spec":{"config":{"env":[{"name":"OPERATOR_LOG_LEVEL","value":"v"}]}}}'
```
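Each `--type=merge` patch above sends a one-element `env` list, and a JSON merge patch (RFC 7386) replaces arrays wholesale rather than appending to them. The following is an added example, not part of the original story: it models what happens to `spec.config.env` when the custom-CA and AWS scenarios are applied one after the other, next to a single patch carrying both variables. The Subscription object and the helper names are constructed for illustration.

```python
import copy
import json

def merge_patch(target, patch):
    """Apply an RFC 7386 JSON merge patch: objects merge key by key,
    null deletes a key, and any other value (arrays included) replaces."""
    if not isinstance(patch, dict):
        return copy.deepcopy(patch)
    result = copy.deepcopy(target) if isinstance(target, dict) else {}
    for key, value in patch.items():
        if value is None:
            result.pop(key, None)
        else:
            result[key] = merge_patch(result.get(key), value)
    return result

def env_patch(env):
    """Build the spec.config.env patch body in the shape the oc patch commands use."""
    return {"spec": {"config": {"env": [{"name": n, "value": v} for n, v in env.items()]}}}

def env_names(subscription):
    """List the env var names currently set under spec.config.env."""
    return [e["name"] for e in subscription.get("spec", {}).get("config", {}).get("env", [])]

# Constructed Subscription object; the channel value is a placeholder.
SUBSCRIPTION = {"spec": {"name": "openshift-cert-manager-operator", "channel": "<channel>"}}

BOTH = {"TRUSTED_CA_CONFIGMAP_NAME": "trusted-ca",
        "CLOUD_CREDENTIALS_SECRET_NAME": "aws-creds"}

def sequential():
    """Apply the custom-CA patch, then the AWS patch, as two separate commands."""
    sub = merge_patch(SUBSCRIPTION, env_patch({"TRUSTED_CA_CONFIGMAP_NAME": "trusted-ca"}))
    return merge_patch(sub, env_patch({"CLOUD_CREDENTIALS_SECRET_NAME": "aws-creds"}))

def combined():
    """Send both variables in one env list so neither is dropped."""
    return merge_patch(SUBSCRIPTION, env_patch(BOTH))

if __name__ == "__main__":
    print("sequential:", env_names(sequential()))  # the trusted CA setting is gone
    print("combined:  ", env_names(combined()))
    print("patch body:", json.dumps(env_patch(BOTH)))
```

When more than one scenario is under test at once, confirm the resulting `spec.config.env` on the Subscription before running the suites, since a dropped `TRUSTED_CA_CONFIGMAP_NAME` changes the operator's trust configuration without any error from `oc patch`.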
1. Configure your kube context for a cluster installed with the most recently accepted 4.20 nightly payload.
- For example, using clusterbot: launch 4.20.0-0.nightly aws
- Note: Hypershift clusters do not include OLMv1 (yet), so a standalone cluster is required for this verification
2. Apply the manifest below to install the `cert-manager-operator`:

```yaml
---
# Namespace the operator is installed into
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager-operator
---
# ServiceAccount that OLMv1 uses to install the extension
apiVersion: v1
kind: ServiceAccount
metadata:
  name: openshift-cert-manager-operator-installer
  namespace: cert-manager-operator
---
# Binds the installer ServiceAccount to the cluster-admin ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: openshift-cert-manager-operator-installer-binding
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: openshift-cert-manager-operator-installer
  namespace: cert-manager-operator
---
# OLMv1 ClusterExtension that installs the operator package from the catalog
apiVersion: olm.operatorframework.io/v1
kind: ClusterExtension
metadata:
  name: openshift-cert-manager-operator
spec:
  namespace: cert-manager-operator
  serviceAccount:
    name: openshift-cert-manager-operator-installer
  source:
    sourceType: Catalog
    catalog:
      packageName: openshift-cert-manager-operator
```
3. Run existing test suites that would run had the operator been installed with OLMv0 and configured to watch all namespaces.
Acceptance Criteria:
Record results of below verification steps:
- Installation result
- E2E execution result
- Feedback - Missing features, etc.
Ref: