OSDOCS-4923: Docs for cert-manager operator GA

Author: bergerhoffer

_topic_maps/_topic_map.yml

@@ -949,7 +949,10 @@ Topics:
     File: cert-manager-operator-release-notes
   - Name: Installing the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-operator-install
-    # For GA release, add details here on requesting certificates, etc.
+  - Name: Managing certificates with an ACME issuer
+    File: cert-manager-operator-issuer-acme
+  - Name: Configuring the egress proxy for the cert-manager Operator for Red Hat OpenShift
+    File: cert-manager-operator-proxy
   - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-operator-uninstall
 - Name: Viewing audit logs

modules/cert-manager-acme-about.adoc

@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc
+
+:_content-type: CONCEPT
+[id="cert-manager-acme-about_{context}"]
+= About ACME issuers
+
+The ACME issuer type for the {cert-manager-operator} represents an Automated Certificate Management Environment (ACME) certificate authority (CA) server. ACME CA servers rely on a _challenge_ to verify that a client owns the domain names that the certificate is being requested for. If the challenge is successful, the {cert-manager-operator} can issue the certificate. If the challenge fails, the {cert-manager-operator} does not issue the certificate.

modules/cert-manager-acme-challenges-types.adoc

@@ -0,0 +1,17 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc
+
+:_content-type: CONCEPT
+[id="cert-manager-acme-challenges-types_{context}"]
+= Supported ACME challenges types
+
+The {cert-manager-operator} supports the following challenge types for ACME issuers:
+
+HTTP-01:: With the HTTP-01 challenge type, you provide a computed key at an HTTP URL endpoint in your domain. If the ACME CA server can get the key from the URL, it can validate you as the owner of the domain.
++
+For more information, see link:https://cert-manager.io/docs/configuration/acme/http01/[HTTP01] in the upstream cert-manager documentation.
+
+DNS-01:: With the DNS-01 challenge type, you provide a computed key at a DNS TXT record. If the ACME CA server can get the key by DNS lookup, it can validate you as the owner of the domain.
++
+For more information, see link:https://cert-manager.io/docs/configuration/acme/dns01/[DNS01] in the upstream cert-manager documentation.

modules/cert-manager-acme-dns-providers.adoc

@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc
+
+:_content-type: CONCEPT
+[id="cert-manager-acme-dns-providers_{context}"]
+= Supported DNS-01 providers
+
+The {cert-manager-operator} supports the following DNS-01 providers for ACME issuers:
+
+* Amazon Route 53
+* Azure DNS
++
+[NOTE]
+====
+The {cert-manager-operator} does not support using Azure Active Directory (Azure AD) pod identities to assign a managed identity to a pod.
+====
+* Google Cloud DNS
++
+[NOTE]
+====
+The {cert-manager-operator} does not support using Google workload identity federation.
+====

modules/cert-manager-acme-dns01-aws.adoc

@@ -0,0 +1,170 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-acme-dns01-aws_{context}"]
+= Configuring an ACME issuer to solve DNS-01 challenges
+
+You can use {cert-manager-operator} to set up an ACME issuer to solve DNS-01 challenges. This procedure uses _Let's Encrypt_ as the ACME CA server and shows how to solve DNS-01 challenges with Amazon Route 53.
+
+[NOTE]
+====
+Private DNS zones are not supported.
+====
+
+.Prerequisites
+
+* You have access to the {product-title} cluster as a user with the `cluster-admin` role.
+* You have set up an IAM role for Amazon Route 53. For more information, see link:https://cert-manager.io/docs/configuration/acme/dns01/route53/[Route53] in the upstream cert-manager documentation.
++
+[NOTE]
+====
+If your cluster is _not_ configured to use the AWS Security Token Service (STS), you must provide explicit `accessKeyID` and `secretAccessKey` credentials. If you cluster uses AWS STS, you can use implicit ambient credentials.
+====
+
+.Procedure
+
+. Optional: Override the nameserver settings for the DNS-01 self check:
++
+This step is required only when the target public-hosted zone overlaps with the cluster's default private-hosted zone.
+
+.. Edit the `CertManager` resource by running the following command:
++
+[source,terminal]
+----
+$ oc edit certmanager cluster
+----
+
+.. Add a `spec.controllerConfig` section with the following override arguments:
++
+[source,yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: CertManager
+metadata:
+  name: cluster
+  ...
+spec:
+  ...
+  controllerConfig:                                <1>
+    overrideArgs:
+      - '--dns01-recursive-nameservers=1.1.1.1:53' <2>
+      - '--dns01-recursive-nameservers-only'       <3>
+----
+<1> Add the `spec.controllerConfig` section.
+<2> Provide a comma-separated list of `<host>:<port>` nameservers to query for the DNS-01 self check.
+<3> Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
+
+.. Save the file to apply the changes.
+
+. Optional: Create a namespace for the issuer.
+
+.. Create a YAML file that defines a `Namespace` object:
++
+.Example `namespace.yaml` file
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-issuer-namespace <1>
+----
+<1> Specify the namespace for the issuer.
+
+.. Create the `Namespace` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f namespace.yaml
+----
+
+. Create a secret to store your AWS credentials in by running the following command:
++
+[source,terminal]
+----
+$ oc create secret generic aws-secret --from-literal=awsSecretAccessKey=<aws_secret_access_key> \ <1>
+    -n my-issuer-namespace
+----
+<1> Replace `<aws_secret_access_key>` with your AWS secret access key.
+
+. Create an issuer.
+
+.. Create a YAML file that defines the `Issuer` object:
++
+.Example `issuer.yaml` file
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging                                        <1>
+  namespace: my-issuer-namespace                                   <2>
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory <3>
+    email: "<email_address>"                                       <4>
+    privateKeySecretRef:
+      name: <secret_private_key>                                   <5>
+    solvers:
+    - dns01:
+        route53:
+          accessKeyID: <aws_key_id>                                <6>
+          hostedZoneID: <hosted_zone_id>                           <7>
+          region: us-east-1
+          secretAccessKeySecretRef:
+            name: "aws-secret"                                     <8>
+            key: "awsSecretAccessKey"                              <9>
+----
+<1> Provide a name for the issuer.
+<2> Specify the namespace that you created for the issuer.
+<3> Specify the URL to access the ACME server's `directory` endpoint. This example uses the _Let's Encrypt_ staging environment.
+<4> Replace `<email_address>` with your email address.
+<5> Replace `<secret_private_key>` with the name of the secret to store the ACME account private key in.
+<6> Replace `<aws_key_id>` with your AWS key ID.
+<7> Replace `<hosted_zone_id>` with your hosted zone ID.
+<8> Specify the name of the secret you created.
+<9> Specify the key in the secret you created that stores your AWS secret access key.
+
+.. Create the `Issuer` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f issuer.yaml
+----
+
+. Create a certificate.
+
+.. Create a YAML file that defines the `Certificate` object:
++
+.Example `certificate.yaml` file
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: my-tls-cert              <1>
+  namespace: my-issuer-namespace <2>
+spec:
+  isCA: false
+  commonName: '<common_name>'    <3>
+  secretName: my-tls-cert        <4>
+  dnsNames:
+  - '<domain_name>'              <5>
+  issuerRef:
+    name: letsencrypt-staging    <6>
+    kind: Issuer
+----
+<1> Provide a name for the certificate.
+<2> Specify the namespace that you created for the issuer.
+<3> Replace `<common_name>` with your common name (CN).
+<4> Specify the name of the secret to create that will contain the certificate.
+<5> Replace `<domain_name>` with your domain name.
+<6> Specify the name of the issuer that you created.
+
+.. Create the `Certificate` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f certificate.yaml
+----

modules/cert-manager-acme-http01.adoc

@@ -0,0 +1,119 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-acme-http01_{context}"]
+= Configuring an ACME issuer to solve HTTP-01 challenges
+
+You can use {cert-manager-operator} to set up an ACME issuer to solve HTTP-01 challenges. This procedure uses Let's Encrypt as the ACME CA server.
+
+.Prerequisites
+
+* You have access to the cluster as a user with the `cluster-admin` role.
+* You have a service that you want to expose. In this procedure, the service is named `sample-workload`.
+
+.Procedure
+
+. Create an ACME cluster issuer.
+
+.. Create a YAML file that defines the `ClusterIssuer` object:
++
+.Example `acme-cluster-issuer.yaml` file
+[source,yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging                                        <1>
+spec:
+  acme:
+    preferredChain: ""
+    privateKeySecretRef:
+      name: <secret_for_private_key>                               <2>
+    server: https://acme-staging-v02.api.letsencrypt.org/directory <3>
+    solvers:
+    - http01:
+        ingress:
+          class: openshift-default                                 <4>
+----
+<1> Provide a name for the cluster issuer.
+<2> Replace `<secret_private_key>` with the name of secret to store the ACME account private key in.
+<3> Specify the URL to access the ACME server's `directory` endpoint. This example uses the Let's Encrypt staging environment.
+<4> Specify the Ingress class.
+
+.. Create the `ClusterIssuer` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f acme-cluster-issuer.yaml
+----
+
+. Create an Ingress to expose the service of the user workload.
+
+.. Create a YAML file that defines a `Namespace` object:
++
+.Example `namespace.yaml` file
+[source,yaml]
+----
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-ingress-namespace <1>
+----
+<1> Specify the namespace for the Ingress.
+
+.. Create the `Namespace` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f namespace.yaml
+----
+
+.. Create a YAML file that defines the `Ingress` object:
++
+.Example `ingress.yaml` file
+[source,yaml]
+----
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sample-ingress                                           <1>
+  namespace: my-ingress-namespace                                <2>
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-staging          <3>
+    acme.cert-manager.io/http01-ingress-class: openshift-default <4>
+spec:
+  ingressClassName: openshift-default                            <5>
+  tls:
+  - hosts:
+    - <hostname>                                                 <6>
+    secretName: sample-tls                                       <7>
+  rules:
+  - host: <hostname>                                             <8>
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: sample-workload                                <9>
+            port:
+              number: 80
+----
+<1> Specify the name of the Ingress.
+<2> Specify the namespace that you created for the Ingress.
+<3> Specify the cluster issuer that you created.
+<4> Specify the Ingress class.
+<5> Specify the Ingress class.
+<6> Replace `<hostname>` with the Subject Alternative Name to be associated with the certificate. This name is used to add DNS names to the certificate.
+<7> Specify the secret to store the created certificate in.
+<8> Replace `<hostname>` with the hostname. You can use the `<host_name>.<cluster_ingress_domain>` syntax to take advantage of the `*.<cluster_ingress_domain>` wildcard DNS record and serving certificate for the cluster. For example, you might use `apps.<cluster_base_domain>`. Otherwise, you must ensure that a DNS record exists for the chosen hostname.
+<9> Specify the name of the service to expose. This example uses a service named `sample-workload`.
+
+.. Create the `Ingress` object by running the following command:
++
+[source,terminal]
+----
+$ oc create -f ingress.yaml
+----

modules/cert-manager-install-console.adoc

@@ -24,12 +24,11 @@ You can use the web console to install the {cert-manager-operator}.
 . Select the *{cert-manager-operator}* and click *Install*.
 
 . On the *Install Operator* page:
-.. The *Update channel* is set to *tech-preview*, which installs the latest Technology Preview release of the {cert-manager-operator}.
-.. The *Installation Mode* is set to *All namespaces on the cluster (default)*. This mode installs the Operator in the Operator-recommended `openshift-cert-manager-operator` namespace to watch and be made available to all namespaces in the cluster.
-.. Choose the *Installed Namespace* for the Operator. The default Operator recommended namespace is `openshift-cert-manager-operator`.
+.. Update the *Update channel*, if necessary. The channel defaults to *stable-v1*, which installs the latest stable release of the {cert-manager-operator}.
+.. Choose the *Installed Namespace* for the Operator. The default Operator namespace is `cert-manager-operator`.
 +
-If the `openshift-cert-manager-operator` namespace does not exist, it is created for you.
-.. Click the *Enable Operator recommended cluster monitoring on the Namespace* checkbox to enable cluster monitoring for the Operator.
+If the `cert-manager-operator` namespace does not exist, it is created for you.
+
 .. Select an *Update approval* strategy.
 +
 * The *Automatic* strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
@@ -41,4 +40,4 @@ If the `openshift-cert-manager-operator` namespace does not exist, it is created
 .Verification
 
 . Navigate to *Operators* -> *Installed Operators*.
-. Verify that *{cert-manager-operator}* is listed with a *Status* of *Succeeded*.
+. Verify that *{cert-manager-operator}* is listed with a *Status* of *Succeeded* in the `cert-manager-operator` namespace.

modules/cert-manager-issuer-types.adoc

@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/index.adoc
+
+:_content-type: CONCEPT
+[id="cert-manager-issuer-types_{context}"]
+= Supported issuer types
+
+The {cert-manager-operator} supports the following issuer types:
+
+* Automated Certificate Management Environment (ACME)
+* Certificate authority (CA)
+* Self-signed