@swghosh
Last active May 23, 2023 18:26
Manifests for ambient credentials of cert-manager with OpenShift Cert Manager Operator
```yaml
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cert-manager
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - route53:GetChange
      effect: Allow
      resource: arn:aws:route53:::change/*
    - action:
      - route53:ChangeResourceRecordSets
      - route53:ListResourceRecordSets
      effect: Allow
      resource: arn:aws:route53:::hostedzone/*
    - action:
      - route53:ListHostedZonesByName
      effect: Allow
      resource: "*"
  secretRef:
    name: aws-creds
    namespace: cert-manager
  serviceAccountNames:
  - cert-manager
```

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-hello-tls
spec:
  isCA: false
  commonName: "cert-hello.gcp.devcluster.openshift.com"
  secretName: cert-hello-tls-cert
  dnsNames:
  - "cert-hello.gcp.devcluster.openshift.com"
  issuerRef:
    name: letsencrypt-cloud-dns
    kind: ClusterIssuer
```

```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: cert-hello-tls
spec:
  isCA: false
  commonName: "cert-hello.devcluster.openshift.com"
  secretName: cert-hello-tls-cert
  dnsNames:
  - "cert-hello.devcluster.openshift.com"
  issuerRef:
    name: letsencrypt-route53
    kind: ClusterIssuer
```

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-cloud-dns
spec:
  acme:
    privateKeySecretRef:
      name: letsencrypt-acme
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        cloudDNS:
          project: <GCP_PROJECT_ID>
          hostedZoneName: <CLOUD_DNS_HOSTED_ZONE_NAME>
```

```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-route53
spec:
  acme:
    privateKeySecretRef:
      name: letsencrypt-acme
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    solvers:
    - dns01:
        route53:
          hostedZoneID: <ROUTE53_HOSTED_ZONE_ID>
          region: <AWS_REGION>
```

```yaml
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  labels:
    app: cert-manager
    app.kubernetes.io/component: controller
    app.kubernetes.io/instance: cert-manager
    app.kubernetes.io/name: cert-manager
  name: cert-manager
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/dns.admin
  secretRef:
    name: gcp-credentials
    namespace: cert-manager
  serviceAccountNames:
  - cert-manager
```
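The `CredentialsRequest` objects above are what give cert-manager its DNS-01 privileges, so they are the part of this setup worth reviewing for least privilege before applying. The script below is an added example and not part of the gist or of the OpenShift Cert Manager Operator: it mirrors the AWS `statementEntries` from the manifest as a Python list (a constructed copy, so no YAML parser is needed), flags any `Allow` entry that grants a mutating Route 53 action on an unscoped or wildcard-ID resource, shows how to tighten `arn:aws:route53:::hostedzone/*` to the single hosted zone the `letsencrypt-route53` issuer uses (the zone ID `ZEXAMPLE123` is a constructed stand-in for `<ROUTE53_HOSTED_ZONE_ID>`), and notes that the GCP request's `roles/dns.admin` is an admin-level predefined role. The read-only classification by verb prefix (`List`, `Get`, `Describe`) is a heuristic assumed here, not an AWS-defined rule.

```python
"""Least-privilege review of cert-manager CredentialsRequest entries (added example)."""
from typing import Dict, List

# Constructed mirror of the gist's AWS CredentialsRequest providerSpec.statementEntries.
AWS_STATEMENTS: List[Dict] = [
    {"action": ["route53:GetChange"],
     "effect": "Allow",
     "resource": "arn:aws:route53:::change/*"},
    {"action": ["route53:ChangeResourceRecordSets", "route53:ListResourceRecordSets"],
     "effect": "Allow",
     "resource": "arn:aws:route53:::hostedzone/*"},
    {"action": ["route53:ListHostedZonesByName"],
     "effect": "Allow",
     "resource": "*"},
]

# Constructed mirror of the gist's GCP CredentialsRequest providerSpec.predefinedRoles.
GCP_ROLES: List[str] = ["roles/dns.admin"]

# Heuristic (assumption): API verbs with these prefixes do not change state.
READ_ONLY_PREFIXES = ("List", "Get", "Describe")
HOSTED_ZONE_WILDCARD = "arn:aws:route53:::hostedzone/*"


def is_read_only(action: str) -> bool:
    """'route53:ListHostedZonesByName' -> True, 'route53:ChangeResourceRecordSets' -> False."""
    _service, _sep, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def review_statements(statements: List[Dict]) -> List[str]:
    """Return human-readable findings for entries that are broader than they need to be."""
    findings: List[str] = []
    for i, entry in enumerate(statements):
        if entry.get("effect") != "Allow":
            continue  # only Allow entries grant anything
        actions = entry.get("action", [])
        resource = entry.get("resource", "")
        for action in actions:
            if "*" in action:
                findings.append(f"entry {i}: wildcard action {action!r}")
        mutating = [a for a in actions if not is_read_only(a)]
        if mutating and resource == "*":
            findings.append(
                f"entry {i}: mutating actions {mutating} on unscoped resource '*'")
        elif mutating and resource.endswith("/*"):
            # Scoped to a resource type but not to one resource ID.
            findings.append(
                f"entry {i}: mutating actions {mutating} on wildcard ID {resource!r}; "
                "scope to the hosted zone ID used by the ClusterIssuer")
    return findings


def scope_to_hosted_zone(statements: List[Dict], zone_id: str) -> List[Dict]:
    """Return a copy in which hostedzone/* is narrowed to one hosted zone ID."""
    scoped: List[Dict] = []
    for entry in statements:
        copy = dict(entry)
        if copy.get("resource") == HOSTED_ZONE_WILDCARD:
            copy["resource"] = f"arn:aws:route53:::hostedzone/{zone_id}"
        scoped.append(copy)
    return scoped


def review_gcp_roles(roles: List[str]) -> List[str]:
    """Flag admin-level predefined roles so the reviewer checks whether a narrower role suffices."""
    return [f"{role} is an admin-level predefined role; confirm a narrower role does not suffice"
            for role in roles if role.endswith(".admin")]


if __name__ == "__main__":
    # Constructed zone ID standing in for <ROUTE53_HOSTED_ZONE_ID>.
    for finding in review_statements(AWS_STATEMENTS):
        print("AWS:", finding)
    tightened = scope_to_hosted_zone(AWS_STATEMENTS, "ZEXAMPLE123")
    print("AWS after scoping:", review_statements(tightened) or "no findings")
    for finding in review_gcp_roles(GCP_ROLES):
        print("GCP:", finding)
```

Run as-is it reports one AWS finding (the `ChangeResourceRecordSets` grant on `hostedzone/*`) and none once the resource is scoped to a single zone ID; the `GetChange` and `ListHostedZonesByName` entries pass because they are read-only. Substituting the real `<ROUTE53_HOSTED_ZONE_ID>` into the `CredentialsRequest` keeps the credential the Cloud Credential Operator mints from being able to alter records in any other zone in the account.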