OSDOCS#6057: Authenticating cert-manager Operator on GCP (without workload identity)

_topic_maps/_topic_map.yml

@@ -1018,6 +1018,8 @@ Topics:
     File: cert-manager-customizing-api-fields
   - Name: Configuring log levels for cert-manager and the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-log-levels
+  - Name: Authenticating the cert-manager Operator for Red Hat OpenShift on GCP
+    File: cert-manager-authenticate-non-sts-gcp
   - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-operator-uninstall
 - Name: Viewing audit logs

modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc

@@ -0,0 +1,98 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-prepare-cloud-credentials-gcp-non-sts_{context}"]
+= Configuring cloud credentials for the {cert-manager-operator} on GCP
+
+To configure the cloud credentials for the {cert-manager-operator} on a GCP cluster you must create a `CredentialsRequest` object, and allow the Cloud Credential Operator to generate the cloud credentials secret.
+
+.Prerequisites
+
+* The {cert-manager-operator} 1.11.1 or later is installed.
+* You have configured the Cloud Credential Operator to operate in _mint_ or _passthrough_ mode.
+
+.Procedure
+
+. Create a `CredentialsRequest` resource YAML file, such as, `sample-credential-request.yaml` by applying the following yaml:
++
+[source,yaml]
+----
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: cert-manager
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: GCPProviderSpec
+    predefinedRoles:
+    - roles/dns.admin
+  secretRef:
+    name: gcp-credentials
+    namespace: cert-manager
+  serviceAccountNames:
+  - cert-manager
+----
+
+. Create a `CredentialsRequest` resource by running the following command:
++
+[source,terminal]
+----
+$ oc create -f sample-credential-request.yaml
+----
+
+. Update the subscription object for {cert-manager-operator} by running the following command:
++
+[source,terminal]
+----
+$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}'
+----
+
+.Verification
+
+. Get the name of the redeployed cert-manager controller pod by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                                       READY   STATUS    RESTARTS   AGE
+cert-manager-bd7fbb9fc-wvbbt               1/1     Running   0          15m39s
+----
+
+. Verify that the cert-manager controller pod is updated with GCP workload identity credential volumes that are mounted under the path specified in `mountPath` by running the following command:
++
+[source,terminal]
+----
+$ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
+----
++
+.Example output
+[source,terminal]
+----
+spec:
+  containers:
+  - args:
+    ...
+    volumeMounts:
+    ...
+    - mountPath: /.config/gcloud
+      name: cloud-credentials
+    ....
+  volumes:
+  ...
+  - name: cloud-credentials
+    secret:
+      ...
+      items:
+      - key: service_account.json
+        path: application_default_credentials.json
+      secretName: gcp-credentials
+----

security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc

@@ -0,0 +1,11 @@
+:_content-type: ASSEMBLY
+[id="cert-manager-authenticate-non-sts-gcp"]
+= Authenticating the {cert-manager-operator} on GCP
+include::_attributes/common-attributes.adoc[]
+:context: cert-manager-authenticate-non-sts-gcp
+
+toc::[]
+
+You can configure cloud credentials for the {cert-manager-operator} on a GCP cluster. The cloud credentials are generated by the Cloud Credential Operator.
+
+include::modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc[leveloffset=+1]