
Subscription does not expose basic cert-manager controller configurations #200

Closed
absynth76 opened this issue Sep 12, 2024 · 4 comments

Comments

@absynth76

Using a Subscription to install cert-manager does not permit altering its configuration, including:

  • log level
  • recursive name servers
  • etc.

Everything is hardcoded in the CSV and cannot be changed.

This fairly limits Subscription usage and almost forces everybody to use the Helm chart or something else to deploy.

The related code is located within bindata.go:

    spec:
      containers:
        - args:
            - --v=2
            - --cluster-resource-namespace=$(POD_NAMESPACE)
            - --leader-election-namespace=kube-system
            - --acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.2
            - --max-concurrent-challenges=60
          command:
            - /app/cmd/controller/controller
          env:
            - name: POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          image: quay.io/jetstack/cert-manager-controller:v1.15.2
          imagePullPolicy: IfNotPresent
          livenessProbe:

This is the issue when using OLM: you need to expose every capability via environment variables, as is done via the Downward API with POD_NAMESPACE here.

@lunarwhite
Member

As per the current design, it provides a CertManager object that allows users to configure API fields by overriding args or env variables. You could set the log level of the operands by:

    $ oc patch certmanager/cluster --type=merge -p '
    spec:
      controllerConfig:
        overrideArgs:
        - --v=6
      webhookConfig:
        overrideArgs:
        - --v=6
      cainjectorConfig:
        overrideArgs:
        - --v=6
    '

and the DNS01 recursive nameservers by:

    $ oc patch certmanager/cluster --type=merge -p '
    spec:
      controllerConfig:
        overrideArgs:
        - --dns01-recursive-nameservers=1.1.1.1:53
        - --dns01-recursive-nameservers-only
    '

Please also refer to: https://docs.openshift.com/container-platform/4.16/security/cert_manager_operator/cert-manager-customizing-api-fields.html
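An added example (not code from the issue or from either operator) that computes the controller command line that would result from applying `controllerConfig.overrideArgs` to the hard-coded CSV args quoted above, and lists which flags the override changes, so a patch can be reviewed before it is applied. The merge rule (an override replaces a hard-coded flag of the same name, otherwise it is appended) is an assumption for illustration, not a description of the operator's implementation.

```python
"""Effective cert-manager controller args after overrideArgs, for change review.

Merge rule (an assumption for this example, not the operator's documented
behaviour): an override with the same flag name as a hard-coded arg replaces
it in place; any other override is appended, order preserved.
"""
from typing import Dict, List, Tuple

# Hard-coded controller args quoted from the CSV excerpt in the issue.
CSV_CONTROLLER_ARGS: List[str] = [
    "--v=2",
    "--cluster-resource-namespace=$(POD_NAMESPACE)",
    "--leader-election-namespace=kube-system",
    "--acme-http01-solver-image=quay.io/jetstack/cert-manager-acmesolver:v1.15.2",
    "--max-concurrent-challenges=60",
]


def flag_name(arg: str) -> str:
    """'--v=6' -> '--v'; a bare boolean like '--dns01-recursive-nameservers-only' is its own name."""
    return arg.split("=", 1)[0]


def effective_args(base: List[str], overrides: List[str]) -> List[str]:
    """Apply overrides to base: same flag name replaces in place, new flags are appended."""
    merged: Dict[str, str] = {flag_name(a): a for a in base}
    for ov in overrides:
        if not ov.startswith("--"):
            raise ValueError(f"override must be a long flag, got {ov!r}")
        merged[flag_name(ov)] = ov  # existing key keeps its position, new key goes last
    return list(merged.values())


def changed_flags(base: List[str], overrides: List[str]) -> List[Tuple[str, str]]:
    """Return (before, after) pairs for every flag the overrides alter or introduce."""
    before = {flag_name(a): a for a in base}
    after = {flag_name(a): a for a in effective_args(base, overrides)}
    return [(before.get(k, "<unset>"), v) for k, v in after.items() if before.get(k) != v]


if __name__ == "__main__":
    # The two overrides from the comment above: log level and DNS01 recursive nameservers.
    overrides = ["--v=6", "--dns01-recursive-nameservers=1.1.1.1:53",
                 "--dns01-recursive-nameservers-only"]
    for before, after in changed_flags(CSV_CONTROLLER_ARGS, overrides):
        print(f"{before} -> {after}")
```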

@absynth76
Author


We use OpenShift 4.14.30.

  • There is no CertManager object kind defined in the API.
  • A CSV (ClusterServiceVersion) is the parent of some deployments that are persisted by the OLM controller:

        cert-manager.v1.15.2 cert-manager 1.15.2 cert-manager.v1.15.0 Succeeded

If parameters are not exposed via environment vars and/or extra mounts in the catalog (whose injection is permitted by customizing the associated Subscription), I'm afraid we can't override anything.

@lunarwhite
Member

Hi @absynth76, I think I know what the exact issue is.

From the info you shared, I guess that you are using the operator provided by the cert-manager community (doc, operatorhub page, repo), right? But this repository is for the Red Hat-provided operator (full name "cert-manager Operator for Red Hat OpenShift"), and it has not released v1.15 yet. So it won't have a CertManager CRD.

TBH, I have limited experience with the operator provided by the community. After a quick search, it seems to be a known issue that it does not support customizing deployment configurations well through OLM: cert-manager/cert-manager-olm#22

Please note that we do not support the community operator. You may want to consider switching to the Red Hat-provided operator to utilize this capability and receive our full support.

@absynth76
Author

absynth76 commented Sep 23, 2024

Hello @lunarwhite, thanks! This is precisely it. Sorry, I innocently thought we were running the Red Hat operator, knowing I'm working in a Red Hat subscription-covered environment.
