From eae411ea90b4e10c7f4d2c059d448d3216e229f1 Mon Sep 17 00:00:00 2001
From: Servesha Dudhgaonkar
Date: Thu, 11 May 2023 16:24:31 +0530
Subject: [PATCH] OSDOCS#6055: Authenticating cert-manager Operator with GCP workload identity
---
 _topic_maps/_topic_map.yml | 2 +
 ...r-configure-cloud-credentials-gcp-sts.adoc | 147 ++++++++++++++++++
 .../cert-manager-authenticate-gcp.adoc | 17 ++
 3 files changed, 166 insertions(+)
 create mode 100644 modules/cert-manager-configure-cloud-credentials-gcp-sts.adoc
 create mode 100644 security/cert_manager_operator/cert-manager-authenticate-gcp.adoc
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
index dcdc3de988..1a8e858c67 100644
--- a/_topic_maps/_topic_map.yml
+++ b/_topic_maps/_topic_map.yml
@@ -1028,6 +1028,8 @@ Topics:
 File: cert-manager-log-levels
 - Name: Authenticating the cert-manager Operator for Red Hat OpenShift on GCP
 File: cert-manager-authenticate-non-sts-gcp
+ - Name: Authenticating the cert-manager Operator for Red Hat OpenShift with GCP Workload Identity
+ File: cert-manager-authenticate-gcp
 - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift
 File: cert-manager-operator-uninstall
 - Name: Viewing audit logs
diff --git a/modules/cert-manager-configure-cloud-credentials-gcp-sts.adoc b/modules/cert-manager-configure-cloud-credentials-gcp-sts.adoc
new file mode 100644
index 0000000000..c155d3c261
--- /dev/null
+++ b/modules/cert-manager-configure-cloud-credentials-gcp-sts.adoc
@@ -0,0 +1,147 @@ +// Module included in the following assemblies: +// +// * security/cert_manager_operator/cert-manager-authenticate-gcp.adoc + +:_content-type: PROCEDURE +[id="cert-manager-configure-cloud-credentials-gcp-sts_{context}"] += Configuring cloud credentials for the {cert-manager-operator} with GCP Workload Identity + +Generate the cloud credentials for the {cert-manager-operator} by using the `ccoctl` binary. Then, apply them to the GCP Workload Identity cluster. + +.Prerequisites + +* You extracted and prepared the `ccoctl` binary. +* The {cert-manager-operator} 1.11.1 or later is installed. +* You have configured an {product-title} cluster with GCP Workload Identity by using the Cloud Credential Operator in a manual mode. + +.Procedure + +. Create a directory to store a `CredentialsRequest` resource YAML file by running the following command: ++ +[source,terminal] +---- +$ mkdir credentials-request +---- + +. In the `credentials-request` directory, create a YAML file that contains the following `CredentialsRequest` manifest: ++ +[source,yaml] +---- +apiVersion: cloudcredential.openshift.io/v1 +kind: CredentialsRequest +metadata: + name: cert-manager + namespace: openshift-cloud-credential-operator +spec: + providerSpec: + apiVersion: cloudcredential.openshift.io/v1 + kind: GCPProviderSpec + predefinedRoles: + - roles/dns.admin + secretRef: + name: gcp-credentials + namespace: cert-manager + serviceAccountNames: + - cert-manager +---- ++ +[NOTE] +==== +The `dns.admin` role provides admin privileges to the service account for managing Google Cloud DNS resources. To ensure that the cert-manager runs with the service account that has the least privilege, you can create a custom role with the following permissions: + +* `dns.resourceRecordSets.*` +* `dns.changes.*` +* `dns.managedZones.list` +==== + +. 
Use the `ccoctl` tool to process `CredentialsRequest` objects by running the following command: ++ +[source,terminal] +---- +$ ccoctl gcp create-service-accounts \ + --name --output-dir= \ + --credentials-requests-dir= \ + --workload-identity-pool \ + --workload-identity-provider \ + --project +---- ++ +.Example command +[source,terminal] +---- +$ ccoctl gcp create-service-accounts \ + --name abcde-20230525-4bac2781 --output-dir=/home/outputdir \ + --credentials-requests-dir=/home/credentials-requests \ + --workload-identity-pool abcde-20230525-4bac2781 \ + --workload-identity-provider abcde-20230525-4bac2781 \ + --project openshift-gcp-devel +---- + +. Apply the secrets generated in the manifests directory of your cluster by running the following command: ++ +[source,terminal] +---- +$ ls /manifests/*-credentials.yaml | xargs -I{} oc apply -f {} +---- + +. Update the subscription object for {cert-manager-operator} by running the following command: ++ +[source,terminal] +---- +$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}' +---- + +.Verification + +. Get the name of the redeployed cert-manager controller pod by running the following command: ++ +[source,terminal] +---- +$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager +---- ++ +.Example output +[source,terminal] +---- +NAME READY STATUS RESTARTS AGE +cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 15m39s +---- + +. Verify that the cert-manager controller pod is updated with GCP workload identity credential volumes that are mounted under the path specified in `mountPath` by running the following command: ++ +[source,terminal] +---- +$ oc get -n cert-manager pod/ -o yaml +---- ++ +.Example output +[source,terminal] +---- +spec: + containers: + - args: + ... 
+ volumeMounts: + - mountPath: /var/run/secrets/openshift/serviceaccount + name: bound-sa-token + ... + - mountPath: /.config/gcloud + name: cloud-credentials + ... + volumes: + - name: bound-sa-token + projected: + ... + sources: + - serviceAccountToken: + audience: openshift + ... + path: token + - name: cloud-credentials + secret: + ... + items: + - key: service_account.json + path: application_default_credentials.json + secretName: gcp-credentials +---- \ No newline at end of file diff --git a/security/cert_manager_operator/cert-manager-authenticate-gcp.adoc b/security/cert_manager_operator/cert-manager-authenticate-gcp.adoc new file mode 100644 index 0000000000..c6f1fd0767 --- /dev/null +++ b/security/cert_manager_operator/cert-manager-authenticate-gcp.adoc @@ -0,0 +1,17 @@ +:_content-type: ASSEMBLY +[id="cert-manager-authenticate-gcp"] += Authenticating the {cert-manager-operator} with GCP Workload Identity +include::_attributes/common-attributes.adoc[] +:context: cert-manager-authenticate-gcp + +toc::[] + +You can authenticate the {cert-manager-operator} on the GCP Workload Identity cluster by using the cloud credentials. You can configure the cloud credentials by using the `ccoctl` binary. + +include::modules/cert-manager-configure-cloud-credentials-gcp-sts.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_cert-manager-authenticate-gcp"] +== Additional resources +* xref:../../authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc#cco-ccoctl-configuring_cco-mode-sts[Configuring the Cloud Credential Operator utility] +* xref:../../authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc#gcp-workload-identity-mode-installing[Configuring an {product-title} cluster by using the manual mode with GCP Workload Identity] \ No newline at end of file