Merge pull request #70018 from snarayan-redhat/OSDOCS-9282_managingcertificates

OSDOCS#9282: Creating certificates using an issuer for cert-manager

Author: snarayan-redhat

_topic_maps/_topic_map.yml

@@ -1064,8 +1064,10 @@ Topics:
     File: cert-manager-operator-release-notes
   - Name: Installing the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-operator-install
-  - Name: Managing certificates with an ACME issuer
+  - Name: Configuring an ACME issuer
     File: cert-manager-operator-issuer-acme
+  - Name: Configuring certificates with an issuer
+    File: cert-manager-creating-certificate
   - Name: Enabling monitoring for the cert-manager Operator for Red Hat OpenShift
     File: cert-manager-monitoring
   - Name: Configuring the egress proxy for the cert-manager Operator for Red Hat OpenShift

modules/cert-manager-acme-dns01-ambient-aws.adoc

@@ -100,40 +100,4 @@ spec:
 [source,terminal]
 ----
 $ oc create -f issuer.yaml
-----
-
-. Create a certificate:
-
-.. Create a YAML file that defines the `Certificate` object:
-+
-.Example `certificate.yaml` file
-[source,yaml]
-----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: <tls_cert>              <1>
-  namespace: <issuer_namespace> <2>
-spec:
-  isCA: false
-  commonName: '<common_name>'    <3>
-  secretName: <tls-cert>        <4>
-  dnsNames:
-  - '<domain_name>'              <5>
-  issuerRef:
-    name: <letsencrypt_staging>    <6>
-    kind: Issuer
-----
-<1> Provide a name for the certificate.
-<2> Specify the namespace that you created for the issuer.
-<3> Replace `<common_name>` with your common name (CN).
-<4> Specify the name of the secret to create that will contain the certificate.
-<5> Replace `<domain_name>` with your domain name.
-<6> Specify the name of the issuer that you created.
-
-.. Create the `Certificate` object by running the following command:
-+
-[source,terminal]
-----
-$ oc create -f certificate.yaml
 ----

modules/cert-manager-acme-dns01-ambient-gcp.adoc

@@ -97,35 +97,4 @@ spec:
 [source,terminal]
 ----
 $ oc create -f issuer.yaml
-----
-
-. Create a certificate:
-
-.. Create a YAML file that defines the `Certificate` object:
-+
-.Example `certificate.yaml` file
-[source,yaml]
-----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: <tls_cert> <1>
-  namespace: <issuer_namespace>
-spec:
-  secretName: <tls_cert> <2>
-  issuerRef:
-    name: <acme-dns01-clouddns_issuer> <3>
-  dnsNames:
-  - '<domain_name>' <4>
-----
-<1> Provide a name for the certificate.
-<2> Specify the name of the secret to create that will contain the certificate.
-<3> Specify the name of the issuer that you created.
-<4> Replace `<domain_name>` with your domain name.
-
-.. Create the `Certificate` object by running the following command:
-+
-[source,terminal]
-----
-$ oc create -f certificate.yaml
 ----

modules/cert-manager-acme-dns01-explicit-aws.adoc

@@ -112,40 +112,4 @@ spec:
 [source,terminal]
 ----
 $ oc create -f issuer.yaml
-----
-
-. Create a certificate:
-
-.. Create a YAML file that defines the `Certificate` object:
-+
-.Example `certificate.yaml` file
-[source,yaml]
-----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: <tls_cert>             <1>
-  namespace: <issuer_namespace> <2>
-spec:
-  isCA: false
-  commonName: '<common_name>'    <3>
-  secretName: <tls_cert>        <4>
-  dnsNames:
-  - '<domain_name>'              <5>
-  issuerRef:
-    name: <letsencrypt_staging>    <6>
-    kind: Issuer
-----
-<1> Provide a name for the certificate.
-<2> Specify the namespace that you created for the issuer.
-<3> Replace `<common_name>` with your common name (CN).
-<4> Specify the name of the secret to create that will contain the certificate.
-<5> Replace `<domain_name>` with your domain name.
-<6> Specify the name of the issuer that you created.
-
-.. Create the `Certificate` object by running the following command:
-+
-[source,terminal]
-----
-$ oc create -f certificate.yaml
-----
+----

modules/cert-manager-acme-dns01-explicit-azure.adoc

@@ -118,36 +118,4 @@ spec:
 [source,terminal]
 ----
 $ oc create -f issuer.yaml
-----
-
-. Create a certificate:
-
-.. Create a YAML file that defines the `Certificate` object:
-+
-.Example `certificate.yaml` file
-[source,yaml]
-----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: <tls_cert> <1>
-  namespace: <issuer-namespace> <2>
-spec:
-  secretName: <tls_cert> <3>
-  issuerRef:
-    name: <acme-dns01-azuredns-issuer> <4>
-  dnsNames:
-  - '<domain_name>' <5>
-----
-<1> Provide a name for the certificate.
-<2> Replace `<issuer_namespace>` with your issuer namespace.
-<3> Specify the name of the secret to create that will contain the certificate.
-<4> Specify the name of the issuer that you created.
-<5> Replace `<domain_name>` with your domain name.
-
-.. Create the `Certificate` object by running the following command:
-+
-[source,terminal]
-----
-$ oc create -f certificate.yaml
 ----

modules/cert-manager-acme-dns01-explicit-gcp.adoc

@@ -105,36 +105,4 @@ spec:
 [source,terminal]
 ----
 $ oc create -f issuer.yaml
-----
-
-. Create a certificate:
-
-.. Create a YAML file that defines the `Certificate` object:
-+
-.Example `certificate.yaml` file
-[source,yaml]
-----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: <tls_cert> <1>
-  namespace: <issuer-namespace> <2>
-spec:
-  secretName: <tls_cert> <3>
-  issuerRef:
-    name: issuer-acme-dns01-clouddns <4>
-  dnsNames:
-  - '<domain_name>' <5>
-----
-<1> Provide a name for the certificate.
-<2> Replace `<issuer_namespace>` with your issuer namespace.
-<3> Specify the name of the secret to create that will contain the certificate.
-<4> Specify the name of the issuer that you created.
-<5> Replace `<domain_name>` with your domain name.
-
-.. Create the `Certificate` object by running the following command:
-+
-[source,terminal]
-----
-$ oc create -f certificate.yaml
 ----

modules/cert-manager-certificate-api-server.adoc

@@ -0,0 +1,70 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-creating-certificate.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cert-manager-certificate-api-server_{context}"]
+= Creating certificates for the API server
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have installed the {cert-manager-operator} 1.13.0 or later.
+
+.Procedure
+
+. Create an issuer. For more information, see "Configuring an issuer" in the "Additional Resources" section.
+
+. Create a certificate:
+
+.. Create a YAML file, for example, `certificate.yaml`, that defines the `Certificate` object:
++
+.Example `certificate.yaml` file
++
+[source, yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: <tls_cert> #<1>
+  namespace: openshift-config
+spec:
+  isCA: false
+  commonName: "api.<cluster_base_domain>" #<2>
+  secretName: <secret_name> #<3>
+  dnsNames:
+  - "api.<cluster_base_domain>" #<4>
+  issuerRef:
+    name: <issuer_name> #<5>
+    kind: Issuer
+----
+<1> Provide a name for the certificate.
+<2> Specify the common name (CN).
+<3> Specify the name of the secret to create that contains the certificate.
+<4> Specify the DNS name of the API server.
+<5> Specify the name of the issuer.
+
+.. Create the `Certificate` object by running the following command:
++
+[source, terminal]
+----
+$ oc create -f certificate.yaml
+----
+
+. Add the API server named certificate. For more information, see "Adding an API server named certificate" section in the "Additional resources" section.
+
+[NOTE]
+====
+To ensure the certificates are updated, run the `oc login` command again after the certificate is created.
+====
+
+.Verification
+
+* Verify that the certificate is created and ready to use by running the following command:
++
+[source, terminal]
+----
+$ oc get certificate -w -n openshift-config
+----
++
+Once certificate is in `Ready` status, API server on your cluster can start using the generated certificate secret.

modules/cert-manager-certificate-ingress.adoc

@@ -0,0 +1,66 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-creating-certificate.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="cert-manager-certificate-ingress_{context}"]
+= Creating certificates for the Ingress Controller
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have installed the {cert-manager-operator} 1.13.0 or later.
+
+.Procedure
+
+. Create an issuer. For more information, see "Configuring an issuer" in the "Additional Resources" section.
+
+. Create a certificate:
+
+.. Create a YAML file, for example, `certificate.yaml`, that defines the `Certificate` object:
++
+.Example `certificate.yaml` file
++
+[source, yaml]
+----
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: <tls_cert> #<1>
+  namespace: openshift-ingress
+spec:
+  isCA: false
+  commonName: "apps.<cluster_base_domain>" #<2>
+  secretName: <secret_name> #<3>
+  dnsNames:
+  - "apps.<cluster_base_domain>" #<4>
+  - "*.apps.<cluster_base_domain>" #<4>
+  issuerRef:
+    name: <issuer_name> #<5>
+    kind: Issuer
+----
+<1> Provide a name for the certificate.
+<2> Specify the common name (CN).
+<3> Specify the name of the secret to create that contains the certificate.
+<4> Specify the DNS name of the ingress.
+<5> Specify the name of the issuer.
+
+.. Create the `Certificate` object by running the following command:
++
+[source, terminal]
+----
+$ oc create -f certificate.yaml
+----
+
+. Replace the default ingress certificate. For more information, see "Replacing the default ingress certificate" section in the "Additional resources" section.
+
+.Verification
+
+* Verify that the certificate is created and ready to use by running the following command:
++ 
+[source, terminal]
+----
+$ oc get certificate -w -n openshift-ingress
+----
++
+Once certificate is in `Ready` status, Ingress Controller on your cluster can start using the generated certificate secret.