$ mkdir credentials-request
You can authenticate the cert-manager Operator for Red Hat OpenShift on the AWS Security Token service (STS) cluster. You can configure cloud credentials for the cert-manager Operator for Red Hat OpenShift by using the ccoctl
binary.
To configure the cloud credentials for the cert-manager Operator for Red Hat OpenShift on the AWS Security Token service (STS) cluster with the cloud credentials. You must generate the cloud credentials manually, and apply it on the cluster by using the ccoctl
binary.
You have extracted and prepared the ccoctl
binary.
You have configured an OpenShift Container Platform cluster with AWS STS by using the Cloud Credential Operator in manual mode.
Create a directory to store a CredentialsRequest
resource YAML file by running the following command:
$ mkdir credentials-request
Create a CredentialsRequest
resource YAML file under the credentials-request
directory, such as, sample-credential-request.yaml
, by applying the following yaml:
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: cert-manager
namespace: openshift-cloud-credential-operator
spec:
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AWSProviderSpec
statementEntries:
- action:
- "route53:GetChange"
effect: Allow
resource: "arn:aws:route53:::change/*"
- action:
- "route53:ChangeResourceRecordSets"
- "route53:ListResourceRecordSets"
effect: Allow
resource: "arn:aws:route53:::hostedzone/*"
- action:
- "route53:ListHostedZonesByName"
effect: Allow
resource: "*"
secretRef:
name: aws-creds
namespace: cert-manager
serviceAccountNames:
- cert-manager
Use the ccoctl
tool to process CredentialsRequest
objects by running the following command:
$ ccoctl aws create-iam-roles \
--name <user_defined_name> --region=<aws_region> \
--credentials-requests-dir=<path_to_credrequests_dir> \
--identity-provider-arn <oidc_provider_arn> --output-dir=<path_to_output_dir>
2023/05/15 18:10:34 Role arn:aws:iam::XXXXXXXXXXXX:role/<user_defined_name>-cert-manager-aws-creds created
2023/05/15 18:10:34 Saved credentials configuration to: <path_to_output_dir>/manifests/cert-manager-aws-creds-credentials.yaml
2023/05/15 18:10:35 Updated Role policy for Role <user_defined_name>-cert-manager-aws-creds
Copy the <aws_role_arn>
from the output to use in the next step. For example, "arn:aws:iam::XXXXXXXXXXXX:role/<user_defined_name>-cert-manager-aws-creds"
Add the eks.amazonaws.com/role-arn="<aws_role_arn>"
annotation to the service account by running the following command:
$ oc -n cert-manager annotate serviceaccount cert-manager eks.amazonaws.com/role-arn="<aws_role_arn>"
To create a new pod, delete the existing cert-manager controller pod by running the following command:
$ oc delete pods -l app.kubernetes.io/name=cert-manager -n cert-manager
The AWS credentials are applied to a new cert-manager controller pod within a minute.
Get the name of the updated cert-manager controller pod by running the following command:
$ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
NAME READY STATUS RESTARTS AGE
cert-manager-bd7fbb9fc-wvbbt 1/1 Running 0 39s
Verify that AWS credentials are updated by running the following command:
$ oc set env -n cert-manager po/<cert_manager_controller_pod_name> --list
# pods/cert-manager-57f9555c54-vbcpg, container cert-manager-controller
# POD_NAMESPACE from field path metadata.namespace
AWS_ROLE_ARN=XXXXXXXXXXXX
AWS_WEB_IDENTITY_TOKEN_FILE=/var/run/secrets/eks.amazonaws.com/serviceaccount/token