diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml index a6c54876bb..dda9f3700e 100644 --- a/_topic_maps/_topic_map.yml +++ b/_topic_maps/_topic_map.yml @@ -1009,6 +1009,8 @@ Topics: File: cert-manager-log-levels - Name: Authenticating the cert-manager Operator for Red Hat OpenShift with GCP Workload Identity File: cert-manager-authenticate-gcp + - Name: Authenticating the cert-manager Operator for Red Hat OpenShift on AWS + File: cert-manager-authentication-non-sts - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift File: cert-manager-operator-uninstall - Name: Viewing audit logs diff --git a/modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc b/modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc new file mode 100644 index 0000000000..91efdaee0e --- /dev/null +++ b/modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc @@ -0,0 +1,106 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-authenticate-aws.adoc + +:_content-type: PROCEDURE +[id="cert-manager-configure-cloud-credentials-aws-non-sts_{context}"] += Configuring cloud credentials for the {cert-manager-operator} on AWS + +To configure the cloud credentials for the {cert-manager-operator} on the AWS cluster you must generate the cloud credentials secret by creating a `CredentialsRequest` object, and allowing the Cloud Credential Operator. + +.Prerequisites + +* You have installed the {cert-manager-operator} 1.11.1 or later. +* You have configured the Cloud Credential Operator to operate in _mint_ or _passthrough_ mode. + +.Procedure + +. Create a `CredentialsRequest` resource YAML file, for example, `sample-credential-request.yaml`, as follows: ++ +[source,yaml] +---- +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: cert-manager + namespace: openshift-cloud-credential-operator +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: AWSProviderSpec + statementEntries: + - action: + - "route53:GetChange" + effect: Allow + resource: "arn:aws:route53:::change/*" + - action: + - "route53:ChangeResourceRecordSets" + - "route53:ListResourceRecordSets" + effect: Allow + resource: "arn:aws:route53:::hostedzone/*" + - action: + - "route53:ListHostedZonesByName" + effect: Allow + resource: "*" + secretRef: + name: aws-creds + namespace: cert-manager + serviceAccountNames: + - cert-manager +---- + +. Create a `CredentialsRequest` resource by running the following command: ++ +[source,terminal] +---- +$ oc create -f sample-credential-request.yaml +---- + +. Update the subscription object for {cert-manager-operator} by running the following command: ++ +[source,terminal] +---- +$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"aws-creds"}]}}}' +---- + +.Verification + +. Get the name of the redeployed cert-manager controller pod by running the following command: ++ +[source,terminal] +---- +$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager +---- ++ +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 15m39s +---- + +. Verify that the cert-manager controller pod is updated with AWS credential volumes that are mounted under the path specified in `mountPath` by running the following command: ++ +[source,terminal] +---- +$ oc get -n cert-manager pod/ -o yaml +---- ++ +.Example output +[source,terminal] +---- +... +spec: + containers: + - args: + ... + - mountPath: /.aws + name: cloud-credentials + ... + volumes: + ... + - name: cloud-credentials + secret: + ... + secretName: aws-creds +---- \ No newline at end of file diff --git a/security/cert_manager_operator/cert-manager-authentication-non-sts.adoc b/security/cert_manager_operator/cert-manager-authentication-non-sts.adoc new file mode 100644 index 0000000000..a616febe24 --- /dev/null +++ b/security/cert_manager_operator/cert-manager-authentication-non-sts.adoc @@ -0,0 +1,11 @@ +:_content-type: ASSEMBLY +[id="cert-manager-authentication-non-sts"] += Authenticating the {cert-manager-operator} on AWS +include::_attributes/common-attributes.adoc[] +:context: cert-manager-authentication-non-sts + +toc::[] + +You can configure the cloud credentials for the {cert-manager-operator} on the AWS cluster. The cloud credentials are generated by the Cloud Credential Operator. + +include::modules/cert-manager-configure-cloud-credentials-aws-non-sts.adoc[leveloffset=+1] \ No newline at end of file