To cert-manager or not to cert-manager?

[zalsader]

I would like to be able to use webhooks and olm. The documentation suggests enabling cert-manager, while one of the config files warns against uncommenting config sections with [CERTMANAGER] as OLM does not support cert-manager.

What is the URL of the document?

https://sdk.operatorframework.io/docs/building-operators/golang/webhook/#create-validation-webhook

Which section(s) is the issue in?

Create Validation Webhook

What needs fixing?

The end of the section says that cert-manager should be enabled:

2. Uncommenting sections in `config/default/kustomization.yaml` to enable webhook and cert-manager configuration through kustomize. Cert-manager (or any third party solution) can be used to provision certificates for webhook server. This is explained in detail [here](https://book.kubebuilder.io/cronjob-tutorial/running-webhook.html#deploy-webhooks).

While the file config/manifests/kustomization.yaml warns against uncommenting config sections with [CERTMANAGER] as OLM does not support cert-manager:

# [WEBHOOK] To enable webhooks, uncomment all the sections with [WEBHOOK] prefix.
# Do NOT uncomment sections with prefix [CERTMANAGER], as OLM does not support cert-manager.
# These patches remove the unnecessary "cert" volume and its manager container volumeMount.

AFAIK, the OLM docs in the operator-sdk project do not mention cert-manager. All I could find is this page from the olm project.

Which should I do, and could this be more clear in the docs? Thanks!

[zalsader]

Minor issue in the same page: the numbered list in markdown is not rendered (browser: chrome 109.0.5414.74 on fedora 37):

[jberkhahn]

Ish could you take a look at this? See if that comment isn't actually valid, and if so change where it gets generated (kubebuilder?)

[everettraven]

So I recently verified that OLM does not work with cert-manager as OLM has it's own certificate management it uses. So all cert-manager comments should be commented when deploying an operator on cluster via OLM, but should be uncommented when deploying via manifests (i.e when OLM is not managing the operator deployment).

Since the comments in the files are accurate, I think this is just a documentation issue and we should update https://sdk.operatorframework.io/docs/building-operators/golang/webhook/#create-validation-webhook to mention this.