
Commit
Cross links with the tutorial
Signed-off-by: Richard Wall <[email protected]>
wallrj committed Oct 9, 2024
1 parent b8b1a1c commit ae9a9e0
Showing 2 changed files with 14 additions and 13 deletions.
19 changes: 10 additions & 9 deletions content/docs/configuration/acme/dns01/route53.md
Expand Up @@ -11,9 +11,9 @@ how cert-manager handles DNS01 challenges.
> ℹ️ This guide assumes that your cluster is hosted on Amazon Web Services
> (AWS) and that you already have a hosted zone in Route53.
>
> 📖 Read
> [Tutorial: Deploy cert-manager on Amazon Elastic Kubernetes (EKS) and use Let's Encrypt to sign a certificate for an HTTPS website](../../../tutorials/getting-started-aws-letsencrypt/README.md),
> which contains end-to-end instructions for those who are new to cert-manager and AWS.
> 📖 Read the [AWS + LoadBalancer + Let's Encrypt](../../../tutorials/getting-started-aws-letsencrypt/README.md)
> tutorial, which contains end-to-end instructions for those who are new to
> cert-manager and AWS.
## Set up an IAM Policy
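Review bot: the new link text "AWS + LoadBalancer + Let's Encrypt" no longer matches the tutorial's own title (the removed line, "Deploy cert-manager on Amazon Elastic Kubernetes (EKS) and use Let's Encrypt to sign a certificate for an HTTPS website"), and it also differs from the wording used for the same link later in this file, where "tutorial" sits inside the link text ("AWS + LoadBalancer + Let's Encrypt tutorial"). Pick one short form and use it for both callouts, or keep the tutorial's real title so readers can recognise the page they land on.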

Expand Down Expand Up @@ -90,8 +90,8 @@ Ambient credentials are credentials which are made available in the cert-manager
- [**Shared config and credentials files**](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html):<br/>
where cert-manager loads credentials from files (`~/.aws/config` and `~/.aws/credentials`) which are mounted into the cert-manager controller Pod.

The advantage of ambient credentials is that they are easier to set up, well
documented, and AWS provides ways to automate the configuration.
The advantage of ambient credentials is that they are easier to set up and
extensively documented by Amazon AWS.
The disadvantage of ambient credentials is that they are globally available to
all ClusterIssuer and all Issuer resources, which means that in a multi-tenant
environment, any tenant who has permission to create Issuer or ClusterIssuer may
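Review bot: "Amazon AWS" in the replacement sentence is redundant, since AWS already stands for Amazon Web Services (spelled out earlier in this file); "extensively documented by AWS" reads cleaner. Dropping the clause "AWS provides ways to automate the configuration" is fine, but it was part of the justification for "easier to set up", so consider keeping a short reason or rewording to "easier to set up, because AWS documents and automates the configuration".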
Expand Down Expand Up @@ -150,10 +150,9 @@ It is a four step process:
name: letsencrypt-prod
spec:
acme:
...
solvers:
- dns01:
route53 {}:
route53: {}
```

#### EKS IAM Role for Service Accounts (IRSA)
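Review bot: the `route53: {}` correction is right; `route53 {}:` parsed as a mapping key literally named `route53 {}` with a null value, so the example never configured the Route53 solver. One further point for this snippet: the bare `...` line under `acme:` is the YAML document-end marker, so anyone pasting the example unchanged gets a parse error; a comment such as `# ...` or `# other ACME fields elided` avoids that. The identical snippet in the next hunk has the same issue.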
Expand Down Expand Up @@ -260,10 +259,9 @@ A mutating webhook will automatically setup a mounted service account volume in
name: letsencrypt-prod
spec:
acme:
...
solvers:
- dns01:
route53 {}:
route53: {}
```

### Non-ambient Credentials
Expand All @@ -281,6 +279,9 @@ Each tenant can be granted permission to create and update Issuer resources in t

#### Referencing your own ServiceAccount within in an Issuer or ClusterIssuer

> 📖 Read the [AWS + LoadBalancer + Let's Encrypt tutorial](../../../tutorials/getting-started-aws-letsencrypt/README.md)
> to learn how to deploy cert-manager on EKS and use this authentication mechanism.

In this configuration you can reference your own `ServiceAccounts` in your `Issuer` or `ClusterIssuer`
and cert-manager will get a ServiceAccount token from the Kubernetes API which it will send to STS in exchange for AWS temporary credentials.
The advantage of this method over IRSA or Pod Identity is that each Issuer can reference a different `ServiceAccount`,
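Review bot: the heading "#### Referencing your own ServiceAccount within in an Issuer or ClusterIssuer" has a duplicated preposition ("within in"), and the tutorial side of this commit links to the anchor `#referencing-your-own-serviceaccount-within-in-an-issuer-or-clusterissuer` that is generated from it. Fixing the typo later would silently break those cross-links, so either correct the heading in this commit and update the anchor in both README hunks to match, or leave a comment next to the heading explaining why the wording is kept.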
Expand Up @@ -12,8 +12,8 @@ In this tutorial you will learn how to deploy and configure cert-manager on AWS
and how to deploy an HTTPS web server and make it available on the Internet.
You will learn how to configure cert-manager to get a signed certificate from Let's Encrypt,
which will allow clients to connect to your HTTPS website securely.
You will configure cert-manager to use the [Let's Encrypt DNS-01 challenge protocol](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) with AWS Route53 DNS,
using IAM Roles for Service Accounts (IRSA) to authenticate to AWS.
You will configure cert-manager to use the [Let's Encrypt DNS-01 challenge protocol](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) with AWS Route53 DNS.
You will authenticate to Route53 using a [dedicated Kubernetes ServiceAccount token](../../configuration/acme/dns01/route53.md#referencing-your-own-serviceaccount-within-in-an-issuer-or-clusterissuer).

# Part 1
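Review bot: the second new sentence says you "authenticate to Route53 using a dedicated Kubernetes ServiceAccount token", but the route53.md text in this same commit describes the token being sent to STS in exchange for AWS temporary credentials, which are then used for Route53. Saying "authenticate to AWS" (as the removed line did) or "obtain temporary AWS credentials from STS using a dedicated Kubernetes ServiceAccount token" keeps the two pages consistent about what the token is actually presented to.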

Expand Down Expand Up @@ -379,7 +379,7 @@ You need to prove to Let's Encrypt that you own the domain name of the certifica
This is known as the [DNS-01 challenge type](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge).

cert-manager can create that DNS record for you in by using the AWS Route53 API but it needs to authenticate first,
and currently the most secure method of authentication is to use [IAM roles for service accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
and currently the most secure method of authentication is to use a [dedicated Kubernetes ServiceAccount token](../../configuration/acme/dns01/route53.md#referencing-your-own-serviceaccount-within-in-an-issuer-or-clusterissuer).
The advantages of this method are that cert-manager will use an ephemeral Kubernetes ServiceAccount Token to authenticate to AWS and the token need not be stored in a Kubernetes Secret.

> 📖 Read about [other ways to configure the ACME issuer with AWS Route53 DNS](../../configuration/acme/dns01/route53.md).
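Review bot: the unchanged context line "cert-manager can create that DNS record for you in by using the AWS Route53 API" has a stray "in"; since the next line of this paragraph is being rewritten anyway, drop it in the same commit. The rewritten line also keeps the superlative "currently the most secure method of authentication" that was written for IRSA; the following line already gives the concrete reason (an ephemeral token that need not be stored in a Kubernetes Secret), so tying the claim to that reason, or softening it to "the recommended method", is easier to defend as the options evolve.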
Expand Down Expand Up @@ -425,7 +425,7 @@ aws iam create-policy \
EOF
```

> ℹ️ Read the [cert-manager ACME DNS01 Route53 configuration documentation](https://cert-manager.io/docs/configuration/acme/dns01/route53),
> ℹ️ Read the [cert-manager ACME DNS01 Route53 configuration documentation](../../configuration/acme/dns01/route53.md),
> for more details of this IAM policy.
## Create an IAM role and associate it with a Kubernetes service account
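Review bot: replacing the absolute https://cert-manager.io/docs/... URL with the relative `../../configuration/acme/dns01/route53.md` matches the other links in this commit and means branch previews link to the branch's own copy of the page rather than the published one. While touching this callout, the context line "Read the [...] documentation, for more details of this IAM policy" has a comma splitting the sentence; drop it.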

0 comments on commit ae9a9e0