mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00

OSDOCS#17173: CQA 2.0 cert-manager Operator

xenolinux
2026-01-15 12:58:55 +05:30
committed by openshift-cherrypick-robot
parent 80242a4343
commit 84120d60ea
65 changed files with 542 additions and 396 deletions


@@ -6,7 +6,8 @@ include::_attributes/common-attributes.adoc[]
toc::[]
You can authenticate the cert-manager Operator for Red Hat OpenShift on the cluster by configuring the cloud credentials.
[role="_abstract"]
To enable the operator to manage components on your cloud provider, authenticate the {cert-manager-operator} by configuring cloud credentials. You can grant the Operator access to external services required for certificate issuance, such as DNS providers.
// on AWS
include::modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc[leveloffset=+1]
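Review bot: capitalization of "Operator" is inconsistent inside the new abstract: "To enable the operator to manage components" uses lowercase, while the next sentence says "grant the Operator access". Red Hat style capitalizes Operator when it refers to an OLM-managed Operator, so use "the Operator" in both sentences.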
@@ -34,4 +35,4 @@ include::modules/cert-manager-configure-cloud-credentials-gcp-sts.adoc[leveloffs
* xref:../../authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc#cco-short-term-creds[Manual mode with short-term credentials for components]
* xref:../../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator-default_about-cloud-credential-operator[Default behavior of the Cloud Credential Operator]
* xref:../../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator-default_about-cloud-credential-operator[Default behavior of the Cloud Credential Operator]
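Review bot: the only visible difference in this hunk is the repeated final xref line, which indicates a whitespace-only change at the end of the file, most likely adding a missing trailing newline. That is fine if intended, but the same pattern appears in most files in this commit; if it is editor churn rather than a deliberate fix, drop it so the diff stays focused on the abstract changes.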


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
By using the {cert-manager-operator}, you can manage certificates, handling tasks such as renewal and issuance, for workloads within the cluster, as well as components interacting externally to the cluster.
include::modules/cert-manager-certificate-mgmt.adoc[leveloffset=+1]
@@ -17,12 +18,11 @@ include::modules/cert-manager-certificate-ingress.adoc[leveloffset=+1]
[role="_additional-resources"]
[id="additional-resources_cert-manager-creating-certificate"]
== Additional resources
* Configuring an issuer
** xref:../../security/cert_manager_operator/index.adoc#cert-manager-issuer-types_cert-manager-operator-about[Supported issuer types]
* xref:../../security/cert_manager_operator/index.adoc#cert-manager-issuer-types_cert-manager-operator-about[Supported issuer types]
** xref:../../security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc#cert-manager-operator-issuer-acme[Configuring an ACME issuer]
* xref:../../security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc#cert-manager-operator-issuer-acme[Configuring an ACME issuer]
* xref:../../security/certificates/api-server.adoc#customize-certificates-api-add-named_api-server-certificates[Adding an API server named certificate]
* xref:../../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate]
* xref:../../security/certificates/replacing-default-ingress-certificate.adoc#replacing-default-ingress[Replacing the default ingress certificate]
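Review bot: flattening the nested list under "* Configuring an issuer" into top-level bullets drops the grouping but matches the other Additional resources lists in this commit, so that part is fine. Note, however, that this file uses a `== Additional resources` section heading while the other assemblies touched here use the `.Additional resources` block title under `[role="_additional-resources"]`; if CQA 2.0 standardizes on one form, align this file as well.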


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
After installing the {cert-manager-operator}, you can perform the following actions by configuring the `CertManager` custom resource (CR):
* Configure the arguments to modify the behavior of the cert-manager components, such as the cert-manager controller, CA injector, and Webhook.
@@ -106,4 +107,4 @@ include::modules/cert-manager-override-scheduling.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources
* xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-explanation-of-certmanager-cr-fields_cert-manager-customizing-api-fields[Explanation of fields in the CertManager custom resource]
* xref:../../security/cert_manager_operator/cert-manager-customizing-api-fields.adoc#cert-manager-explanation-of-certmanager-cr-fields_cert-manager-customizing-api-fields[Explanation of fields in the CertManager custom resource]


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
To troubleshoot issues with the cert-manager components and the {cert-manager-operator}, you can configure the log level verbosity.
[NOTE]


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
By default, the {cert-manager-operator} exposes metrics for the three core components: controller, cainjector, and webhook. You can configure OpenShift Monitoring to collect these metrics by using the Prometheus Operator format.
// Enabling user workload monitoring for the cert-manager operand
@@ -45,4 +46,4 @@ include::modules/cert-manager-query-metrics-for-istio-csr-operand.adoc[leveloffs
[role="_additional-resources"]
.Additional resources
* link:https://docs.redhat.com/en/documentation/monitoring_stack_for_red_hat_openshift/4.21/html/accessing_metrics/accessing-metrics-as-an-administrator[Accessing metrics as an administrator]
* link:https://docs.redhat.com/en/documentation/monitoring_stack_for_red_hat_openshift/4.21/html/accessing_metrics/accessing-metrics-as-an-administrator[Accessing metrics as an administrator]
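Review bot: the monitoring documentation link hardcodes `4.21` in the URL path, so it will point at the wrong release once this assembly is cherry-picked to another branch; consider building the URL from the product version attribute defined in `_attributes/common-attributes.adoc` instead of a literal version.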


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
The {cert-manager-operator} provides predefined `NetworkPolicy` resources to enhance security by controlling the ingress and egress traffic for its components. By default, this feature is disabled to prevent connectivity issues or breaking changes during an upgrade. To use this feature, you must enable it in the `CertManager` custom resource (CR).
After enabling the default policies, you must manually configure additional egress rules to allow outbound traffic. These rules are required for {cert-manager-operator} to communicate with external services beyond the API server and internal DNS.
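Review bot: `[role="_abstract"]` applies only to the block that immediately follows it, so only the first paragraph ("The {cert-manager-operator} provides predefined `NetworkPolicy` resources ...") becomes the abstract; the second paragraph starting "After enabling the default policies" renders as ordinary body text. If both paragraphs are meant to form the abstract, merge them into one paragraph, or keep the role on a single summary paragraph and leave the egress-rule requirement as the first body paragraph.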
@@ -33,4 +34,4 @@ include::modules/cert-manager-nw-policy-params.adoc[leveloffset=+1]
include::modules/cert-manager-nw-policy-examples.adoc[leveloffset=+1]
//Verification
include::modules/cert-manager-nw-policy-verify.adoc[leveloffset=+1]
include::modules/cert-manager-nw-policy-verify.adoc[leveloffset=+1]


@@ -6,13 +6,14 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
The {cert-manager-operator} is not installed in {product-title} by default. You can install the {cert-manager-operator} by using the web console.
[IMPORTANT]
====
The {cert-manager-operator} version 1.15 or later supports the `AllNamespaces`, `SingleNamespace`, and `OwnNamespace` installation modes. Earlier versions, such as 1.14, support only the `SingleNamespace` and `OwnNamespace` installation modes.
====
The {cert-manager-operator} is not installed in {product-title} by default. You can install the {cert-manager-operator} by using the web console.
== Installing the {cert-manager-operator}
// Installing the {cert-manager-operator} using the web console
include::modules/cert-manager-install-console.adoc[leveloffset=+2]


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
The {cert-manager-operator} provides enhanced support for securing workloads and control plane components in {SMProductName} or Istio. This includes support for certificates enabling mutual TLS (mTLS), which are signed, delivered, and renewed using cert-manager issuers. You can secure Istio workloads and control plane components by using the {cert-manager-operator} managed Istio-CSR agent.
With this Istio-CSR integration, Istio can now obtain certificates from the {cert-manager-operator}, simplifying security and certificate management.
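Review bot: the same abstract scoping issue as in the network policy assembly applies here: the role attribute covers only the first paragraph, so "With this Istio-CSR integration, Istio can now obtain certificates ..." falls outside the abstract. Also, "the {cert-manager-operator} managed Istio-CSR agent" reads better with the compound modifier hyphenated, "{cert-manager-operator}-managed Istio-CSR agent", or reworded as "the Istio-CSR agent managed by the {cert-manager-operator}".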
@@ -24,17 +25,14 @@ include::modules/cert-manager-istio-creating-issuer.adoc[leveloffset=+2]
// Installing using Istio-CSR
include::modules/cert-manager-istio-csr-installing.adoc[leveloffset=+2]
// Customizing the IstioCSR custom resource
include::modules/cert-manager-istio-csr-customizing.adoc[leveloffset=+1]
// Setting a log level for istio-csr
include::modules/cert-manager-istio-csr-setting-log-level.adoc[leveloffset=+2]
// Configuring the namespace selector for CA bundle distribution [leveloffset=+3]
// Configuring the namespace selector for CA bundle distribution
include::modules/cert-manager-istio-csr-config-namespace-sel.adoc[leveloffset=+2]
// Configuring the CA certificate of the istio server [leveloffset=+3]
// Configuring the CA certificate of the istio server
include::modules/cert-manager-istio-csr-config-ca-cert.adoc[leveloffset=+2]
// Uninstalling cert-manager Operator with Istio-CSR
include::modules/cert-manager-istio-csr-uninstalling.adoc[leveloffset=+1]
include::modules/cert-manager-istio-csr-uninstalling.adoc[leveloffset=+1]
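Review bot: check the rendered heading hierarchy after this hunk: `cert-manager-istio-csr-customizing.adoc` is included at `leveloffset=+1`, while the log level, namespace selector and CA certificate modules are at `+2`, so the latter three must be written as subsections of the customizing section for the nesting to be correct. The removed `[leveloffset=+3]` annotations in the comments suggest they were previously documented one level deeper, so confirm that `+2` is the intended depth and that the comments now match the include lines.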


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
The {cert-manager-operator} supports using Automated Certificate Management Environment (ACME) CA servers, such as _Let's Encrypt_, to issue certificates. Explicit credentials are configured by specifying the secret details in the `Issuer` API object. Ambient credentials are extracted from the environment, metadata services, or local files which are not explicitly configured in the `Issuer` API object.
[NOTE]
@@ -67,4 +68,4 @@ include::modules/cert-manager-acme-dns01-explicit-azure.adoc[leveloffset=+1]
* xref:../../security/cert_manager_operator/cert-manager-authenticate.adoc#cert-manager-configure-cloud-credentials-gcp-sts_cert-manager-authenticate[Configuring cloud credentials for the {cert-manager-operator} with {gcp-short} Workload Identity]
* xref:../../security/cert_manager_operator/cert-manager-authenticate.adoc#cert-manager-configure-cloud-credentials-gcp-non-sts_cert-manager-authenticate[Configuring cloud credentials for the {cert-manager-operator} on {gcp-short}]
* xref:../../security/cert_manager_operator/cert-manager-authenticate.adoc#cert-manager-configure-cloud-credentials-gcp-non-sts_cert-manager-authenticate[Configuring cloud credentials for the {cert-manager-operator} on {gcp-short}]


@@ -4,6 +4,7 @@
include::_attributes/common-attributes.adoc[]
:context: cert-manager-operator-proxy
[role="_abstract"]
If a cluster-wide egress proxy is configured in {product-title}, Operator Lifecycle Manager (OLM) automatically configures Operators that it manages with the cluster-wide proxy. OLM automatically updates all of the Operator's deployments with the `HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables.
You can inject any CA certificates that are required for proxying HTTPS connections into the {cert-manager-operator}.
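Review bot: the list "`HTTP_PROXY`, `HTTPS_PROXY`, `NO_PROXY` environment variables" is missing its conjunction; write "the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` environment variables". As in the other assemblies, `[role="_abstract"]` covers only the first paragraph, so the sentence about injecting CA certificates is not part of the abstract unless the two paragraphs are merged.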


@@ -6,13 +6,13 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
The {cert-manager-operator} is a cluster-wide service that provides application certificate lifecycle management.
These release notes track the development of {cert-manager-operator}.
For more information, see xref:../../security/cert_manager_operator/index.adoc#cert-manager-operator-about[About the {cert-manager-operator}].
[id="cert-manager-operator-release-notes-1-18-0_{context}"]
== {cert-manager-operator} 1.18.0
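Review bot: if the three introductory sentences here are separated by blank lines in the source, only the first one ("The {cert-manager-operator} is a cluster-wide service ...") receives the `_abstract` role. The release-notes tracking sentence and the xref to the About page are better kept as a normal introductory paragraph after the abstract, or all three should be joined into one paragraph if the whole block is intended as the abstract.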
@@ -28,7 +28,7 @@ The following advisories are available for the {cert-manager-operator} 1.18.0:
Version `1.18.0` of the {cert-manager-operator} is based on the upstream cert-manager version `v1.18.3`. For more information, see the link:https://cert-manager.io/docs/releases/release-notes/release-notes-1.18#v1183[cert-manager project release notes for v1.18.3].
[id="cert-manager-operator-1-18-0-features-enhancements_{context}"]
=== New features and enhancements
== New features and enhancements
*Istio-CSR integration with {cert-manager-operator} (Generally Available)*
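Review bot: the heading level for "New features and enhancements" changes between `===` and `==` in this hunk, and the same change appears for "Known issues" in the next hunk. The `[id="cert-manager-operator-1-18-0-features-enhancements_{context}"]` anchor and the `== {cert-manager-operator} 1.18.0` heading in the previous hunk indicate these are subsections of the 1.18.0 section, so they should stay at `===`; a `==` heading would make them siblings of the version section in the rendered table of contents. Confirm the direction of this change is intended.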
@@ -51,7 +51,7 @@ By default, this feature is disabled to prevent connectivity issues during upgra
[id="cert-manager-operator-1-18-0-known-issues_{context}"]
=== Known issues
== Known issues
* The upstream cert-manager `v1.18` release updated the ACME HTTP-01 challenge ingress path type from `ImplementationSpecific` to `Exact`. The OpenShift Route API does not have an equivalent for the `Exact` path type, which prevents the ingress-to-route controller from supporting it. As a result, ingress resources created for HTTP-01 challenges cannot route traffic to the solver pod, causing the challenge to fail with a 503 error.
To mitigate this issue, the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default in this release.
To mitigate this issue, the `ACMEHTTP01IngressPathTypeExact` feature gate is disabled by default in this release.


@@ -6,10 +6,11 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
You can remove the {cert-manager-operator} from {product-title} by uninstalling the Operator and removing its related resources.
// Uninstalling the {cert-manager-operator}
include::modules/cert-manager-uninstall-console.adoc[leveloffset=+1]
// Removing {cert-manager-operator} resources
include::modules/cert-manager-remove-resources-console.adoc[leveloffset=+1]
include::modules/cert-manager-remove-resources-console.adoc[leveloffset=+1]


@@ -17,4 +17,4 @@ include::modules/cert-manager-configuring-routes.adoc[leveloffset=+1]
* xref:../../networking/ingress_load_balancing/routes/nw-configuring-routes.adoc#nw-ingress-route-secret-load-external-cert_secured-routes[Creating a route with externally managed certificate]
* xref:../../security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc#cert-manager-operator-issuer-acme[Configuring an ACME issuer]
* xref:../../security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc#cert-manager-operator-issuer-acme[Configuring an ACME issuer]


@@ -6,6 +6,7 @@ include::_attributes/common-attributes.adoc[]
toc::[]
[role="_abstract"]
The {cert-manager-operator} is a cluster-wide service that provides application certificate lifecycle management. The {cert-manager-operator} allows you to integrate with external certificate authorities and provides certificate provisioning, renewal, and retirement.
// About the {cert-manager-operator}
@@ -27,7 +28,9 @@ include::modules/cert-manager-fips-support.adoc[leveloffset=+1]
[id="cert-manager-operator-about_additional-resources"]
== Additional resources
* link:https://csrc.nist.gov/Projects/cryptographic-module-validation-program/validated-modules[Cryptographic module validation program]
* link:https://cert-manager.io/docs/[cert-manager project documentation]
* link:https://access.redhat.com/support/policy/updates/openshift_operators[{product-title} update and support policy]
* xref:../../security/container_security/security-compliance.adoc#security-compliance[Understanding compliance]
* xref:../../installing/overview/installing-fips.adoc#installing-fips-mode_installing-fips[Installing a cluster in FIPS mode]
* xref:../../installing/overview/installing-preparing.adoc#installing-preparing-security[Do you need extra security for your cluster?]
* xref:../../installing/overview/installing-preparing.adoc#installing-preparing-security[Do you need extra security for your cluster?]
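Review bot: the two entries this hunk adds appear to be the NIST Cryptographic Module Validation Program link and "Installing a cluster in FIPS mode", which match the `cert-manager-fips-support.adoc` module included above, but they are separated in the list by unrelated links (upstream cert-manager documentation, the update and support policy, and the compliance page). Group the FIPS-related entries next to each other so readers see them as one set, and keep the existing order for the rest.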