From 4db2df1efc73b243cc7dae5406fcb4566abb3ae1 Mon Sep 17 00:00:00 2001 From: Servesha Dudhgaonkar Date: Tue, 23 May 2023 18:51:13 +0530 Subject: [PATCH] OSDOCS#6057: Authenticating cert-manager Operator on GCP (without workload identity) --- _topic_maps/_topic_map.yml | 2 + ...nfigure-cloud-credentials-gcp-non-sts.adoc | 98 +++++++++++++++++++ ...cert-manager-authenticate-non-sts-gcp.adoc | 11 +++ 3 files changed, 111 insertions(+) create mode 100644 modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc create mode 100644 security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index c0e37e0007..57c3fe5c9e 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1018,6 +1018,8 @@ Topics: File: cert-manager-customizing-api-fields - Name: Configuring log levels for cert-manager and the cert-manager Operator for Red Hat OpenShift File: cert-manager-log-levels + - Name: Authenticating the cert-manager Operator for Red Hat OpenShift on GCP + File: cert-manager-authenticate-non-sts-gcp - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift File: cert-manager-operator-uninstall - Name: Viewing audit logs diff --git a/modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc b/modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc new file mode 100644 index 0000000000..c740660eb9 --- /dev/null +++ b/modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc 
@@ -0,0 +1,98 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc + +:_content-type: PROCEDURE +[id="cert-manager-prepare-cloud-credentials-gcp-non-sts_{context}"] += Configuring cloud credentials for the {cert-manager-operator} on GCP + +To configure the cloud credentials for the {cert-manager-operator} on a GCP cluster you must create a `CredentialsRequest` object, and allow the Cloud Credential Operator to generate the cloud credentials secret. + +.Prerequisites + +* The {cert-manager-operator} 1.11.1 or later is installed. +* You have configured the Cloud Credential Operator to operate in _mint_ or _passthrough_ mode. + +.Procedure + +. Create a `CredentialsRequest` resource YAML file, such as, `sample-credential-request.yaml` by applying the following yaml: ++ +[source,yaml] +---- +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: cert-manager + namespace: openshift-cloud-credential-operator +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: GCPProviderSpec + predefinedRoles: + - roles/dns.admin + secretRef: + name: gcp-credentials + namespace: cert-manager + serviceAccountNames: + - cert-manager +---- + +. Create a `CredentialsRequest` resource by running the following command: ++ +[source,terminal] +---- +$ oc create -f sample-credential-request.yaml +---- + +. Update the subscription object for {cert-manager-operator} by running the following command: ++ +[source,terminal] +---- +$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}' +---- + +.Verification + +. 
Get the name of the redeployed cert-manager controller pod by running the following command: ++ +[source,terminal] +---- +$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager +---- ++ +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 15m39s +---- + +. Verify that the cert-manager controller pod is updated with GCP workload identity credential volumes that are mounted under the path specified in `mountPath` by running the following command: ++ +[source,terminal] +---- +$ oc get -n cert-manager pod/ -o yaml +---- ++ +.Example output +[source,terminal] +---- +spec: + containers: + - args: + ... + volumeMounts: + ... + - mountPath: /.config/gcloud + name: cloud-credentials + .... + volumes: + ... + - name: cloud-credentials + secret: + ... + items: + - key: service_account.json + path: application_default_credentials.json + secretName: gcp-credentials +---- \ No newline at end of file diff --git a/security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc b/security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc new file mode 100644 index 0000000000..b5b6cae5c9 --- /dev/null +++ b/security/cert_manager_operator/cert-manager-authenticate-non-sts-gcp.adoc @@ -0,0 +1,11 @@ +:_content-type: ASSEMBLY +[id="cert-manager-authenticate-non-sts-gcp"] += Authenticating the {cert-manager-operator} on GCP +include::_attributes/common-attributes.adoc[] +:context: cert-manager-authenticate-non-sts-gcp + +toc::[] + +You can configure cloud credentials for the {cert-manager-operator} on a GCP cluster. The cloud credentials are generated by the Cloud Credential Operator. + +include::modules/cert-manager-configure-cloud-credentials-gcp-non-sts.adoc[leveloffset=+1] \ No newline at end of file
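Review bot: The second verification step calls the mounted secret "GCP workload identity credential volumes", but this module documents the non-workload-identity path (the commit subject says so, and the mounted item is `service_account.json` projected from the `gcp-credentials` secret), so the wording should be `Verify that the cert-manager controller pod is updated with GCP credential volumes that are mounted under the path specified in `mountPath` by running the following command:`. Because the `CredentialsRequest` asks for the broad predefined role `roles/dns.admin` and the generated secret in the `cert-manager` namespace appears to hold a service account JSON key, the Prerequisites or Procedure section would benefit from one sentence stating that read access to the `gcp-credentials` secret should be restricted with RBAC, since anyone who can read it effectively holds those DNS permissions. The `oc get -n cert-manager pod/ -o yaml` command in the same step appears to be missing the pod name after `pod/`; if that was an angle-bracket placeholder lost in rendering, it is worth confirming it is present in the source.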