mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
108 lines
2.8 KiB
Plaintext
108 lines
2.8 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/cert_manager_operator/cert-manager-authenticate.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="cert-manager-configure-cloud-credentials-aws-non-sts_{context}"]
|
|
= Authenticating on AWS
|
|
|
|
[role="_abstract"]
|
|
To securely access AWS resources from your applications, authenticate your workloads on AWS by using the {cert-manager-operator}.
|
|
|
|
.Prerequisites
|
|
|
|
* You have installed version 1.11.1 or later of the {cert-manager-operator}.
|
|
* You have configured the Cloud Credential Operator to operate in _mint_ or _passthrough_ mode.
|
|
|
|
.Procedure
|
|
|
|
. Create a `CredentialsRequest` resource YAML file, for example, `sample-credential-request.yaml`, as follows:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: CredentialsRequest
|
|
metadata:
|
|
name: cert-manager
|
|
namespace: openshift-cloud-credential-operator
|
|
spec:
|
|
providerSpec:
|
|
apiVersion: cloudcredential.openshift.io/v1
|
|
kind: AWSProviderSpec
|
|
statementEntries:
|
|
- action:
|
|
- "route53:GetChange"
|
|
effect: Allow
|
|
resource: "arn:aws:route53:::change/*"
|
|
- action:
|
|
- "route53:ChangeResourceRecordSets"
|
|
- "route53:ListResourceRecordSets"
|
|
effect: Allow
|
|
resource: "arn:aws:route53:::hostedzone/*"
|
|
- action:
|
|
- "route53:ListHostedZonesByName"
|
|
effect: Allow
|
|
resource: "*"
|
|
secretRef:
|
|
name: aws-creds
|
|
namespace: cert-manager
|
|
serviceAccountNames:
|
|
- cert-manager
|
|
----
|
|
|
|
. Create a `CredentialsRequest` resource by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f sample-credential-request.yaml
|
|
----
|
|
|
|
. Update the subscription object for {cert-manager-operator} by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"aws-creds"}]}}}'
|
|
----
|
|
|
|
.Verification
|
|
|
|
. Get the name of the redeployed cert-manager controller pod by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME READY STATUS RESTARTS AGE
|
|
cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 15m39s
|
|
----
|
|
|
|
. Verify that the cert-manager controller pod is updated with AWS credential volumes that are mounted under the path specified in `mountPath` by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
...
|
|
spec:
|
|
containers:
|
|
- args:
|
|
...
|
|
- mountPath: /.aws
|
|
name: cloud-credentials
|
|
...
|
|
volumes:
|
|
...
|
|
- name: cloud-credentials
|
|
secret:
|
|
...
|
|
secretName: aws-creds
|
|
----
|