
You can configure cloud credentials for the cert-manager Operator for Red Hat OpenShift on a GCP cluster. The cloud credentials are generated by the Cloud Credential Operator.

Configuring cloud credentials for the cert-manager Operator for Red Hat OpenShift on GCP

To configure the cloud credentials for the cert-manager Operator for Red Hat OpenShift on a GCP cluster you must create a CredentialsRequest object, and allow the Cloud Credential Operator to generate the cloud credentials secret.

Prerequisites
  • You have installed version 1.11.1 or later of the cert-manager Operator for Red Hat OpenShift.

  • You have configured the Cloud Credential Operator to operate in mint or passthrough mode.

Procedure
  1. Create a CredentialsRequest resource YAML file, such as sample-credential-request.yaml, with the following content:

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: cert-manager
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        predefinedRoles:
        - roles/dns.admin
      secretRef:
        name: gcp-credentials
        namespace: cert-manager
      serviceAccountNames:
      - cert-manager

    The dns.admin role grants the service account full administrative control over Google Cloud DNS resources. To ensure that cert-manager runs with a service account that has the least privilege, you can instead create a custom role with only the following permissions:

    • dns.resourceRecordSets.*

    • dns.changes.*

    • dns.managedZones.list
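The following script is an added example and is not part of the OpenShift documentation or the cert-manager Operator. It audits a CredentialsRequest (a constructed copy of the one above) for predefined roles broader than the documented minimum, and builds a custom role definition that can be passed to `gcloud iam roles create --file`. The concrete permission names behind the `dns.resourceRecordSets.*` and `dns.changes.*` wildcards are my assumption and should be confirmed against `gcloud iam list-testable-permissions`; the role title and description are placeholders.

```python
"""Least-privilege audit for the cert-manager CredentialsRequest on GCP.

Added example, not part of the OpenShift docs or the cert-manager Operator.
"""
import json

# Concrete permissions behind the wildcards listed in the docs. This expansion
# is an assumption; verify it with `gcloud iam list-testable-permissions`.
WILDCARD_EXPANSION = {
    "dns.resourceRecordSets.*": [
        "dns.resourceRecordSets.create", "dns.resourceRecordSets.delete",
        "dns.resourceRecordSets.get", "dns.resourceRecordSets.list",
        "dns.resourceRecordSets.update",
    ],
    "dns.changes.*": ["dns.changes.create", "dns.changes.get", "dns.changes.list"],
}

# The minimum permission set the documentation gives for cert-manager.
DOCUMENTED_MINIMUM = ["dns.resourceRecordSets.*", "dns.changes.*", "dns.managedZones.list"]

# Predefined roles that grant far more than the DNS-01 solver needs.
OVERBROAD_ROLES = {"roles/dns.admin", "roles/editor", "roles/owner"}

# Constructed copy of the CredentialsRequest from the procedure (not cluster output).
SAMPLE_CR = {
    "apiVersion": "cloudcredential.openshift.io/v1",
    "kind": "CredentialsRequest",
    "metadata": {"name": "cert-manager",
                 "namespace": "openshift-cloud-credential-operator"},
    "spec": {
        "providerSpec": {
            "apiVersion": "cloudcredential.openshift.io/v1",
            "kind": "GCPProviderSpec",
            "predefinedRoles": ["roles/dns.admin"],
        },
        "secretRef": {"name": "gcp-credentials", "namespace": "cert-manager"},
        "serviceAccountNames": ["cert-manager"],
    },
}


def expand_permissions(patterns):
    """Replace each wildcard pattern with its concrete permission names."""
    expanded = []
    for pattern in patterns:
        expanded.extend(WILDCARD_EXPANSION.get(pattern, [pattern]))
    return expanded


def audit_credentials_request(cr):
    """Return the predefined roles in the request that exceed least privilege."""
    provider = cr.get("spec", {}).get("providerSpec", {})
    if provider.get("kind") != "GCPProviderSpec":
        raise ValueError("not a GCP CredentialsRequest")
    return sorted(r for r in provider.get("predefinedRoles", []) if r in OVERBROAD_ROLES)


def custom_role_definition(title="cert-manager DNS-01 solver (placeholder title)"):
    """Body for `gcloud iam roles create <ROLE_ID> --project <PROJECT> --file role.json`."""
    return {
        "title": title,
        "description": "Minimum Cloud DNS permissions for cert-manager DNS-01 challenges",
        "stage": "GA",
        "includedPermissions": expand_permissions(DOCUMENTED_MINIMUM),
    }


if __name__ == "__main__":
    for role in audit_credentials_request(SAMPLE_CR):
        print(f"WARNING: {role} is broader than cert-manager needs")
    # Write the custom role file; create it with gcloud and bind it instead of dns.admin.
    print(json.dumps(custom_role_definition(), indent=2))
```

How the custom role is bound to the cert-manager service account depends on the Cloud Credential Operator mode in use, which the procedure above does not cover; the script only produces the role definition.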

  2. Create a CredentialsRequest resource by running the following command:

    $ oc create -f sample-credential-request.yaml

  3. Update the Subscription object for the cert-manager Operator for Red Hat OpenShift by running the following command:

    $ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator --type=merge -p '{"spec":{"config":{"env":[{"name":"CLOUD_CREDENTIALS_SECRET_NAME","value":"gcp-credentials"}]}}}'

Verification
  1. Get the name of the redeployed cert-manager controller pod by running the following command:

    $ oc get pods -l app.kubernetes.io/name=cert-manager -n cert-manager
    Example output
    NAME                                       READY   STATUS    RESTARTS   AGE
    cert-manager-bd7fbb9fc-wvbbt               1/1     Running   0          15m39s
  2. Verify that the cert-manager controller pod is updated with GCP credential volumes that are mounted under the path specified in mountPath by running the following command:

    $ oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o yaml
    Example output
    spec:
      containers:
      - args:
        ...
        volumeMounts:
        ...
        - mountPath: /.config/gcloud
          name: cloud-credentials
        ...
      volumes:
      ...
      - name: cloud-credentials
        secret:
          ...
          items:
          - key: service_account.json
            path: application_default_credentials.json
          secretName: gcp-credentials
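The verification in step 2 can be automated. The following script is an added example, not part of the OpenShift documentation or the cert-manager Operator: it reads the JSON form of the controller pod (`oc get -n cert-manager pod/<cert-manager_controller_pod_name> -o json`) and checks that a volume backed by the gcp-credentials secret projects service_account.json to application_default_credentials.json and is mounted at /.config/gcloud. The embedded pod is a constructed stand-in for real cluster output.

```python
"""Check that the cert-manager controller pod mounts the GCP credentials secret.

Added example, not part of the OpenShift docs or the cert-manager Operator.
"""
import json
import sys

# Constructed sample mirroring the documented pod spec (not real cluster output).
SAMPLE_POD_JSON = json.dumps({
    "metadata": {"name": "cert-manager-bd7fbb9fc-wvbbt", "namespace": "cert-manager"},
    "spec": {
        "containers": [{
            "name": "cert-manager-controller",
            "volumeMounts": [
                {"mountPath": "/.config/gcloud", "name": "cloud-credentials"},
            ],
        }],
        "volumes": [{
            "name": "cloud-credentials",
            "secret": {
                "secretName": "gcp-credentials",
                "items": [{"key": "service_account.json",
                           "path": "application_default_credentials.json"}],
            },
        }],
    },
})


def check_gcp_credentials_mount(pod, secret_name="gcp-credentials",
                                mount_path="/.config/gcloud",
                                key="service_account.json",
                                path="application_default_credentials.json"):
    """Return a list of findings; an empty list means the mount is as documented."""
    findings = []
    spec = pod.get("spec", {})

    # 1. A volume backed by the CCO-generated secret must exist.
    volumes = [v for v in spec.get("volumes", [])
               if v.get("secret", {}).get("secretName") == secret_name]
    if not volumes:
        return [f"no volume backed by secret {secret_name!r}"]
    volume = volumes[0]

    # 2. The secret key must be projected to the file name the GCP client expects.
    items = volume["secret"].get("items", [])
    if not any(i.get("key") == key and i.get("path") == path for i in items):
        findings.append(f"secret {secret_name!r} does not map {key!r} -> {path!r}")

    # 3. Some container must mount that volume at the expected path.
    mounted = [m for c in spec.get("containers", [])
               for m in c.get("volumeMounts", [])
               if m.get("name") == volume["name"]]
    if not mounted:
        findings.append(f"volume {volume['name']!r} is not mounted by any container")
    elif not any(m.get("mountPath") == mount_path for m in mounted):
        findings.append(f"volume {volume['name']!r} mounted at "
                        f"{[m.get('mountPath') for m in mounted]}, expected {mount_path!r}")
    return findings


def check_pod_json(text, **kwargs):
    """Convenience wrapper for raw `oc get ... -o json` output."""
    return check_gcp_credentials_mount(json.loads(text), **kwargs)


def broken_sample(mount_path="/wrong"):
    """Variant of the sample pod with the mount path changed, for demonstration."""
    pod = json.loads(SAMPLE_POD_JSON)
    pod["spec"]["containers"][0]["volumeMounts"][0]["mountPath"] = mount_path
    return pod


if __name__ == "__main__":
    # Usage: oc get -n cert-manager pod/<name> -o json | python check_mount.py
    problems = check_pod_json(sys.stdin.read())
    print("OK" if not problems else "\n".join(problems))
    sys.exit(1 if problems else 0)
```

If the subscription was patched with a different CLOUD_CREDENTIALS_SECRET_NAME value, pass that value as secret_name so the check looks for the right secret.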