Installing the {cert-manager-operator}

The cert-manager Operator for Red Hat OpenShift is not installed in OpenShift Container Platform by default. You can install the cert-manager Operator for Red Hat OpenShift by using the web console.

Important

The cert-manager Operator for Red Hat OpenShift version 1.15 or later supports the AllNamespaces, SingleNamespace, and OwnNamespace installation modes. Earlier versions, such as 1.14, support only the SingleNamespace and OwnNamespace installation modes.

Installing the cert-manager Operator for Red Hat OpenShift

Installing the cert-manager Operator for Red Hat OpenShift by using the web console

You can use the web console to install the cert-manager Operator for Red Hat OpenShift.

Prerequisites

• You have access to the cluster with cluster-admin privileges.

• You have access to the OpenShift Container Platform web console.

Procedure

1. Log in to the OpenShift Container Platform web console.

2. Navigate to Ecosystem → Software Catalog.

3. Enter cert-manager Operator for Red Hat OpenShift into the filter box.

4. Select the cert-manager Operator for Red Hat OpenShift

5. Select the cert-manager Operator for Red Hat OpenShift version from Version drop-down list, and click Install.

   Note

   See supported cert-manager Operator for Red Hat OpenShift versions in the following "Additional resources" section.

6. On the Install Operator page:

   1. Update the Update channel, if necessary. The channel defaults to stable-v1, which installs the latest stable release of the cert-manager Operator for Red Hat OpenShift.

   2. Choose the Installed Namespace for the Operator. The default Operator namespace is cert-manager-operator.

      If the cert-manager-operator namespace does not exist, it is created for you.

      Note

      During the installation, the OpenShift Container Platform web console allows you to select between AllNamespaces and SingleNamespace installation modes. For installations with cert-manager Operator for Red Hat OpenShift version 1.15.0 or later, it is recommended to choose the AllNamespaces installation mode. SingleNamespace and OwnNamespace support will remain for earlier versions but will be deprecated in future versions.

   3. Select an Update approval strategy.

      • The Automatic strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.

      • The Manual strategy requires a user with appropriate credentials to approve the Operator update.

   4. Click Install.

Verification

1. Navigate to Ecosystem → Installed Operators.

2. Verify that cert-manager Operator for Red Hat OpenShift is listed with a Status of Succeeded in the cert-manager-operator namespace.

3. Verify that cert-manager pods are up and running by entering the following command:

   $ oc get pods -n cert-manager

   Example output

   NAME                                       READY   STATUS    RESTARTS   AGE
   cert-manager-bd7fbb9fc-wvbbt               1/1     Running   0          3m39s
   cert-manager-cainjector-56cc5f9868-7g9z7   1/1     Running   0          4m5s
   cert-manager-webhook-d4f79d7f7-9dg9w       1/1     Running   0          4m9s

   You can use the cert-manager Operator for Red Hat OpenShift only after cert-manager pods are up and running.

Installing the cert-manager Operator for Red Hat OpenShift by using the CLI

You can install the cert-manager Operator for Red Hat OpenShift by using the command-line interface(CLI).

Prerequisites

• You have access to the cluster with cluster-admin privileges.

Procedure

1. Create a new project named cert-manager-operator by running the following command:

   $ oc new-project cert-manager-operator

2. Create an OperatorGroup object:

   1. Create a YAML file, for example, operatorGroup.yaml, with the following content:

      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: openshift-cert-manager-operator
        namespace: cert-manager-operator
      spec:
        targetNamespaces:
        - "cert-manager-operator"

   2. For cert-manager Operator for Red Hat OpenShift v1.15.0 or later, create a YAML file with the following content:

      apiVersion: operators.coreos.com/v1
      kind: OperatorGroup
      metadata:
        name: openshift-cert-manager-operator
        namespace: cert-manager-operator
      spec:
        targetNamespaces: []
        spec: {}

      Note

      Starting from cert-manager Operator for Red Hat OpenShift version 1.15.0, it is recommended to install the Operator using the AllNamespaces OLM installMode. Older versions can continue using the SingleNamespace or OwnNamespace OLM installMode. Support for SingleNamespace and OwnNamespace will be deprecated in future versions.

   3. Create the OperatorGroup object by running the following command:

      $ oc create -f operatorGroup.yaml

3. Create a Subscription object:

   1. Create a YAML file, for example, subscription.yaml, that defines the Subscription object:

      apiVersion: operators.coreos.com/v1alpha1
      kind: Subscription
      metadata:
        name: openshift-cert-manager-operator
        namespace: cert-manager-operator
      spec:
        channel: stable-v1
        name: openshift-cert-manager-operator
        source: redhat-operators
        sourceNamespace: openshift-marketplace
        installPlanApproval: Automatic

   2. Create the Subscription object by running the following command:

      $ oc create -f subscription.yaml

Verification

1. Verify that the OLM subscription is created by running the following command:

   $ oc get subscription -n cert-manager-operator

   Example output

   NAME                              PACKAGE                           SOURCE             CHANNEL
   openshift-cert-manager-operator   openshift-cert-manager-operator   redhat-operators   stable-v1

2. Verify whether the Operator is successfully installed by running the following command:

   $ oc get csv -n cert-manager-operator

   Example output

   NAME                            DISPLAY                                       VERSION   REPLACES                        PHASE
   cert-manager-operator.v1.13.0   cert-manager Operator for Red Hat OpenShift   1.13.0    cert-manager-operator.v1.12.1   Succeeded

3. Verify that the status cert-manager Operator for Red Hat OpenShift is Running by running the following command:

   $ oc get pods -n cert-manager-operator

   Example output

   NAME                                                        READY   STATUS    RESTARTS   AGE
   cert-manager-operator-controller-manager-695b4d46cb-r4hld   2/2     Running   0          7m4s

4. Verify that the status of cert-manager pods is Running by running the following command:

   $ oc get pods -n cert-manager

   Example output

   NAME                                       READY   STATUS    RESTARTS   AGE
   cert-manager-58b7f649c4-dp6l4              1/1     Running   0          7m1s
   cert-manager-cainjector-5565b8f897-gx25h   1/1     Running   0          7m37s
   cert-manager-webhook-9bc98cbdd-f972x       1/1     Running   0          7m40s

Additional resources

• Supported cert-manager Operator for Red Hat OpenShift versions

Understanding update channels of the cert-manager Operator for Red Hat OpenShift

Update channels are the mechanism by which you can declare the version of your cert-manager Operator for Red Hat OpenShift in your cluster. The cert-manager Operator for Red Hat OpenShift offers the following update channels:

• stable-v1

• stable-v1.y

stable-v1 channel

The stable-v1 channel installs and updates the latest release version of the cert-manager Operator for Red Hat OpenShift. Select the stable-v1 channel if you want to use the latest stable release of the cert-manager Operator for Red Hat OpenShift.

Note

The stable-v1 channel is the default and suggested channel while installing the cert-manager Operator for Red Hat OpenShift.

The stable-v1 channel offers the following update approval strategies:

Automatic

If you choose automatic updates for an installed cert-manager Operator for Red Hat OpenShift, a new version of the cert-manager Operator for Red Hat OpenShift is available in the stable-v1 channel. The Operator Lifecycle Manager (OLM) automatically upgrades the running instance of your Operator without human intervention.

Manual

If you select manual updates, when a newer version of the cert-manager Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version.

stable-v1.y channel

The y-stream version of the cert-manager Operator for Red Hat OpenShift installs updates from the stable-v1.y channels such as stable-v1.10, stable-v1.11, and stable-v1.12. Select the stable-v1.y channel if you want to use the y-stream version and stay updated to the z-stream version of the cert-manager Operator for Red Hat OpenShift.

The stable-v1.y channel offers the following update approval strategies:

Automatic

If you choose automatic updates for an installed cert-manager Operator for Red Hat OpenShift, a new z-stream version of the cert-manager Operator for Red Hat OpenShift is available in the stable-v1.y channel. OLM automatically upgrades the running instance of your Operator without human intervention.

Manual

If you select manual updates, when a newer version of the cert-manager Operator for Red Hat OpenShift is available, OLM creates an update request. As a cluster administrator, you must then manually approve that update request to have the cert-manager Operator for Red Hat OpenShift updated to the new version of the z-stream releases.

Additional resources

• Adding Operators to a cluster

• Updating installed Operators