Skip to content

IBM/ibm-cert-manager-operator

Repository files navigation

ibm-cert-manager-operator

You can use IBM Cert Manager Operator to install the IBM certificate manager service. IBM certificate manager service issues and manages x509 certificates from various sources, such as a simple signing key pair, or self-signed. It ensures certificates are valid and up to date and will renew certificates before they expire. If you are using this operator as part of an IBM Cloud Pak, see the documentation for your specific IBM Cloud Pak to learn more about how to install and use the operator service. For more information about IBM Cloud Paks, see IBM Cloud Paks that use foundational services.

Supported platforms

Red Hat OpenShift Container Platform 4.3 or newer installed on one of the following platforms:

  • Linux x86_64
  • Linux on Power (ppc64le)
  • Linux on IBM Z and LinuxONE

Operator versions

  • 3.5.0
  • 3.6.0
  • 3.7.1

Prerequisites

Before you install this operator, you need to first install the operator dependencies and prerequisites:

Documentation

To install the operator with the IBM Common Services Operator follow the the installation and configuration instructions within the IBM Knowledge Center.

  • If you are using the operator as part of an IBM Cloud Pak, see the documentation for that IBM Cloud Pak. For a list of IBM Cloud Paks, see IBM Cloud Paks that use Common Services.
  • If you are using the operator with an IBM Containerized Software, see the IBM Cloud Platform Common Services Knowledge Center Installer documentation.

SecurityContextConstraints Requirements

The IBM certificate manager service supports running with the OpenShift Container Platform 4.3 default restricted Security Context Constraints (SCCs).

For more information about the OpenShift Container Platform Security Context Constraints, see Managing Security Context Constraints.

OCP 4.3 restricted SCC:

allowHostDirVolumePlugin: false
allowHostIPC: false
allowHostNetwork: false
allowHostPID: false
allowHostPorts: false
allowPrivilegeEscalation: true
allowPrivilegedContainer: false
allowedCapabilities: null
apiVersion: security.openshift.io/v1
defaultAddCapabilities: null
fsGroup:
  type: MustRunAs
groups:
- system:authenticated
kind: SecurityContextConstraints
metadata:
  annotations:
    kubernetes.io/description: restricted denies access to all host features and requires
      pods to be run with a UID, and SELinux context that are allocated to the namespace.  This
      is the most restrictive SCC and it is used by default for authenticated users.
  creationTimestamp: "2020-03-27T15:01:00Z"
  generation: 1
  name: restricted
  resourceVersion: "6365"
  selfLink: /apis/security.openshift.io/v1/securitycontextconstraints/restricted
  uid: 6a77775c-a6d8-4341-b04c-bd826a67f67e
priority: null
readOnlyRootFilesystem: false
requiredDropCapabilities:
- KILL
- MKNOD
- SETUID
- SETGID
runAsUser:
  type: MustRunAsRange
seLinuxContext:
  type: MustRunAs
supplementalGroups:
  type: RunAsAny
users: []
volumes:
- configMap
- downwardAPI
- emptyDir
- persistentVolumeClaim
- projected
- secret

Developer guide

See CONTRIBUTING.md

End-to-End testing

For more instructions on how to run end-to-end testing with the Operand Deployment Lifecycle Manager, see IBM Common Services Operator guide.