OSDOCS#6056: cert-manager: Authenticating the cert-manager Operator with AWS [non-sts]

_topic_maps/_topic_map.yml

@@ -1009,6 +1009,8 @@ Topics:
     File: cert-manager-log-levels
   - Name: Authenticating the cert-manager Operator for Red Hat OpenShift with GCP Workload Identity
     File: cert-manager-authenticate-gcp
+  - Name: Authenticating the cert-manager Operator for Red Hat OpenShift on AWS
+    File: cert-manager-authentication-non-sts
   - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-operator-uninstall
 - Name: Viewing audit logs

modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc

@@ -0,0 +1,106 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-authenticate-aws.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-configure-cloud-credentials-aws-non-sts_{context}"]
+= Configuring cloud credentials for the {cert-manager-operator} on AWS
+
+To configure the cloud credentials for the {cert-manager-operator} on the AWS cluster you must generate the cloud credentials secret by creating a `CredentialsRequest` object, and allowing the Cloud Credential Operator.
+
+.Prerequisites
+
+* You have installed the {cert-manager-operator} 1.11.1 or later.
+* You have configured the Cloud Credential Operator to operate in _mint_ or _passthrough_ mode.
+
+.Procedure
+
+. Create a `CredentialsRequest` resource YAML file, for example, `sample-credential-request.yaml`, as follows:
++
+[source,yaml]
+----
+apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: cert-manager
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: AWSProviderSpec
+    statementEntries:
+    - action:
+      - "route53:GetChange"
+      effect: Allow
+      resource: "arn:aws:route53:::change/*"
+    - action:
+      - "route53:ChangeResourceRecordSets"
+      - "route53:ListResourceRecordSets"
+      effect: Allow
+      resource: "arn:aws:route53:::hostedzone/*"
+    - action:
+      - "route53:ListHostedZonesByName"
+      effect: Allow
+      resource: "*"
+  secretRef:
+    name: aws-creds
+    namespace: cert-manager
+  serviceAccountNames:
+  - cert-manager
+----
+
+. Create a `CredentialsRequest` resource by running the following command:
++
+[source,terminal]
+----
+$ oc create -f sample-credential-request.yaml
+----
+
+. Update the subscription object for {cert-manager-operator} by running the following command:
++
+[source,terminal]
+----
+$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"aws-creds"}]}}}'
+----
+
+.Verification
+
+. Get the name of the redeployed cert-manager controller pod by running the following command:
++
+[source,terminal]
+----
+$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
+----
++
+.Example output
+[source,terminal]
+----
+NAME                          READY   STATUS    RESTARTS   AGE
+cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          15m39s
+----
+
+. Verify that the cert-manager controller pod is updated with AWS credential volumes that are mounted under the path specified in `mountPath` by running the following command:
++
+[source,terminal]
+----
+$ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
+----
++
+.Example output
+[source,terminal]
+----
+...
+spec:
+  containers:
+  - args:
+    ...
+    - mountPath: /.aws
+      name: cloud-credentials
+  ...
+  volumes:
+  ...
+  - name: cloud-credentials
+    secret:
+      ...
+      secretName: aws-creds
+----

security/cert_manager_operator/cert-manager-authentication-non-sts.adoc

@@ -0,0 +1,11 @@
+:_content-type: ASSEMBLY
+[id="cert-manager-authentication-non-sts"]
+= Authenticating the {cert-manager-operator} on AWS
+include::_attributes/common-attributes.adoc[]
+:context: cert-manager-authentication-non-sts
+
+toc::[]
+
+You can configure the cloud credentials for the {cert-manager-operator} on the AWS cluster. The cloud credentials are generated by the Cloud Credential Operator.
+
+include::modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc[leveloffset=+1]