| 1 | +// Module included in the following assemblies: |
| 2 | +// |
| 3 | +// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc |
| 4 | + |
| 5 | +:_content-type: PROCEDURE |
| 6 | +[id="cert-manager-acme-dns01-ambient-aws_{context}"] |
| 7 | += Configuring an ACME issuer by using ambient credentials on AWS |
| 8 | + |
| 9 | +You can use {cert-manager-operator} to set up an ACME issuer to solve DNS-01 challenges by using ambient credentials on AWS. This procedure uses _Let's Encrypt_ as the ACME CA server and shows how to solve DNS-01 challenges with Amazon Route 53. |
| 10 | + |
| 11 | +.Prerequisites |
| 12 | + |
| 13 | +* If your cluster is configured to use the AWS Security Token Service (STS), you followed the instructions from the _Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift for the AWS Security Token Service cluster_ section. |
| 14 | +* If your cluster does not use the AWS STS, you followed the instructions from the _Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift on AWS_ section. |
| 15 | +
|
| 16 | +.Procedure |
| 17 | + |
| 18 | +. Optional: Override the nameserver settings for the DNS-01 self check. |
| 19 | ++ |
| 20 | +This step is required only when the target public-hosted zone overlaps with the cluster's default private-hosted zone. |
| 21 | + |
| 22 | +.. Edit the `CertManager` resource by running the following command: |
| 23 | ++ |
| 24 | +[source,terminal] |
| 25 | +---- |
| 26 | +$ oc edit certmanager cluster |
| 27 | +---- |
| 28 | + |
| 29 | +.. Add a `spec.controllerConfig` section with the following override arguments: |
| 30 | ++ |
| 31 | +[source,yaml] |
| 32 | +---- |
| 33 | +apiVersion: operator.openshift.io/v1alpha1 |
| 34 | +kind: CertManager |
| 35 | +metadata: |
| 36 | + name: cluster |
| 37 | + ... |
| 38 | +spec: |
| 39 | + ... |
| 40 | + controllerConfig: <1> |
| 41 | + overrideArgs: |
| 42 | + - '--dns01-recursive-nameservers-only' <2> |
| 43 | + - '--dns01-recursive-nameservers=1.1.1.1:53' <3> |
| 44 | +---- |
| 45 | +<1> Add the `spec.controllerConfig` section. |
| 46 | +<2> Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain. |
| 47 | +<3> Provide a comma-separated list of `<host>:<port>` nameservers to query for the DNS-01 self check. You must use a `1.1.1.1:53` value to avoid the public and private zones overlapping. |
| 48 | + |
| 49 | +.. Save the file to apply the changes. |
| 50 | + |
| 51 | +. Optional: Create a namespace for the issuer: |
| 52 | ++ |
| 53 | +[source,terminal] |
| 54 | +---- |
| 55 | +$ oc new-project <issuer_namespace> |
| 56 | +---- |
| 57 | + |
| 58 | +. Modify the `CertManager` resource to add the `--issuer-ambient-credentials` argument: |
| 59 | ++ |
| 60 | +[source,terminal] |
| 61 | +---- |
| 62 | +$ oc patch certmanager/cluster \ |
| 63 | + --type=merge \ |
| 64 | + -p='{"spec":{"controllerConfig":{"overrideArgs":["--issuer-ambient-credentials"]}}}' |
| 65 | +---- |
| 66 | + |
| 67 | +. Create an issuer: |
| 68 | + |
| 69 | +.. Create a YAML file that defines the `Issuer` object: |
| 70 | ++ |
| 71 | +.Example `issuer.yaml` file |
| 72 | +[source,yaml] |
| 73 | +---- |
| 74 | +apiVersion: cert-manager.io/v1 |
| 75 | +kind: Issuer |
| 76 | +metadata: |
| 77 | + name: <letsencrypt_staging> <1> |
| 78 | + namespace: <issuer_namespace> <2> |
| 79 | +spec: |
| 80 | + acme: |
| 81 | + server: https://acme-staging-v02.api.letsencrypt.org/directory <3> |
| 82 | + email: "<email_address>" <4> |
| 83 | + privateKeySecretRef: |
| 84 | + name: <secret_private_key> <5> |
| 85 | + solvers: |
| 86 | + - dns01: |
| 87 | + route53: |
| 88 | + hostedZoneID: <hosted_zone_id> <6> |
| 89 | + region: us-east-1 |
| 90 | +---- |
| 91 | +<1> Provide a name for the issuer. |
| 92 | +<2> Specify the namespace that you created for the issuer. |
| 93 | +<3> Specify the URL to access the ACME server's `directory` endpoint. This example uses the _Let's Encrypt_ staging environment. |
| 94 | +<4> Replace `<email_address>` with your email address. |
| 95 | +<5> Replace `<secret_private_key>` with the name of the secret to store the ACME account private key in. |
| 96 | +<6> Replace `<hosted_zone_id>` with your hosted zone ID. |
| 97 | + |
| 98 | +.. Create the `Issuer` object by running the following command: |
| 99 | ++ |
| 100 | +[source,terminal] |
| 101 | +---- |
| 102 | +$ oc create -f issuer.yaml |
| 103 | +---- |
| 104 | + |
| 105 | +. Create a certificate: |
| 106 | + |
| 107 | +.. Create a YAML file that defines the `Certificate` object: |
| 108 | ++ |
| 109 | +.Example `certificate.yaml` file |
| 110 | +[source,yaml] |
| 111 | +---- |
| 112 | +apiVersion: cert-manager.io/v1 |
| 113 | +kind: Certificate |
| 114 | +metadata: |
| 115 | + name: <tls_cert> <1> |
| 116 | + namespace: <issuer_namespace> <2> |
| 117 | +spec: |
| 118 | + isCA: false |
| 119 | + commonName: '<common_name>' <3> |
| 120 | + secretName: <tls-cert> <4> |
| 121 | + dnsNames: |
| 122 | + - '<domain_name>' <5> |
| 123 | + issuerRef: |
| 124 | + name: <letsencrypt_staging> <6> |
| 125 | + kind: Issuer |
| 126 | +---- |
| 127 | +<1> Provide a name for the certificate. |
| 128 | +<2> Specify the namespace that you created for the issuer. |
| 129 | +<3> Replace `<common_name>` with your common name (CN). |
| 130 | +<4> Specify the name of the secret to create that will contain the certificate. |
| 131 | +<5> Replace `<domain_name>` with your domain name. |
| 132 | +<6> Specify the name of the issuer that you created. |
| 133 | + |
| 134 | +.. Create the `Certificate` object by running the following command: |
| 135 | ++ |
| 136 | +[source,terminal] |
| 137 | +---- |
| 138 | +$ oc create -f certificate.yaml |
| 139 | +---- |
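Review bot: the `oc patch certmanager/cluster --type=merge` command in the `--issuer-ambient-credentials` step replaces the whole `spec.controllerConfig.overrideArgs` list, because a JSON merge patch overwrites arrays rather than appending to them, so a reader who performed the optional DNS-01 self-check override in step 1 silently loses `--dns01-recursive-nameservers-only` and `--dns01-recursive-nameservers=1.1.1.1:53`. Either have the patch carry the complete list, e.g. `-p='{"spec":{"controllerConfig":{"overrideArgs":["--dns01-recursive-nameservers-only","--dns01-recursive-nameservers=1.1.1.1:53","--issuer-ambient-credentials"]}}}'`, or tell the reader to append the argument to the existing `overrideArgs` entries with `oc edit certmanager cluster`, as step 1 already does. Two smaller points: callout `<3>` says the reader "must use a `1.1.1.1:53` value", which reads as if that particular resolver were required, while the preceding sentence describes an arbitrary comma-separated list of recursive nameservers; "for example" would be accurate. And `secretName: <tls-cert>` in the certificate example uses a hyphen where every other placeholder on the page uses underscores; `<tls_cert>` would match the certificate's own `metadata.name` placeholder and the `<secret_private_key>` style above. It would also help the `--issuer-ambient-credentials` step to state what the flag does: it lets namespaced `Issuer` objects use the controller's own AWS credentials, so the text should point out that whoever can create an `Issuer` in any namespace can then drive Route 53 changes with those credentials, and that RBAC on `Issuer` creation should be reviewed accordingly.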