This is a cache of https://docs.openshift.com/container-platform/4.14/security/cert_manager_operator/cert-manager-authentication-non-sts.html. It is a snapshot of the page at 2024-11-29T15:08:58.389+0000.
Authenticating the cert-manager Operator for Red Hat OpenShift on AWS - cert-manager Operator for Red Hat OpenShift | Security and compliance | OpenShift Container Platform 4.14
×

You can configure the cloud credentials for the cert-manager Operator for Red Hat OpenShift on the AWS cluster. The cloud credentials are generated by the Cloud Credential Operator.

Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift on AWS

To configure the cloud credentials for the cert-manager Operator for Red Hat OpenShift on the AWS cluster you must generate the cloud credentials secret by creating a CredentialsRequest object, and allowing the Cloud Credential Operator.

Prerequisites
  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.

  • You have configured the Cloud Credential Operator to operate in mint or passthrough mode.

Procedure
  1. Create a CredentialsRequest resource YAML file, for example, sample-credential-request.yaml, as follows:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: cert-manager
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: AWSProviderSpec
        statementEntries:
        - action:
          - "route53:GetChange"
          effect: Allow
          resource: "arn:aws:route53:::change/*"
        - action:
          - "route53:ChangeResourceRecordSets"
          - "route53:ListResourceRecordSets"
          effect: Allow
          resource: "arn:aws:route53:::hostedzone/*"
        - action:
          - "route53:ListHostedZonesByName"
          effect: Allow
          resource: "*"
      secretRef:
        name: aws-creds
        namespace: cert-manager
      serviceAccountNames:
      - cert-manager
  2. Create a CredentialsRequest resource by running the following command:

    $ oc create -f sample-credential-request.yaml
  3. Update the subscription object for cert-manager Operator for Red Hat OpenShift by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_secret_NAME","value":"aws-creds"}]}}}'
Verification
  1. Get the name of the redeployed cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Example output
    NAME                          READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt  1/1     Running   0          15m39s
  2. Verify that the cert-manager controller pod is updated with AWS credential volumes that are mounted under the path specified in mountPath by running the following command:

    $ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
    Example output
    ...
    spec:
      containers:
      - args:
        ...
        - mountPath: /.aws
          name: cloud-credentials
      ...
      volumes:
      ...
      - name: cloud-credentials
        secret:
          ...
          secretName: aws-creds