From ae9a9e01482b0c0cb69418eb9791453c2bd11981 Mon Sep 17 00:00:00 2001 From: Richard Wall Date: Wed, 9 Oct 2024 07:22:27 +0100 Subject: [PATCH] Cross links with the tutorial Signed-off-by: Richard Wall --- .../docs/configuration/acme/dns01/route53.md | 19 ++++++++++--------- .../getting-started-aws-letsencrypt/README.md | 8 ++++---- 2 files changed, 14 insertions(+), 13 deletions(-) diff --git a/content/docs/configuration/acme/dns01/route53.md b/content/docs/configuration/acme/dns01/route53.md index e66f2822d1..7a66efc74f 100644 --- a/content/docs/configuration/acme/dns01/route53.md +++ b/content/docs/configuration/acme/dns01/route53.md @@ -11,9 +11,9 @@ how cert-manager handles DNS01 challenges. > ℹī¸ This guide assumes that your cluster is hosted on Amazon Web Services > (AWS) and that you already have a hosted zone in Route53. > -> 📖 Read -> [Tutorial: Deploy cert-manager on Amazon Elastic Kubernetes (EKS) and use Let's Encrypt to sign a certificate for an HTTPS website](../../../tutorials/getting-started-aws-letsencrypt/README.md), -> which contains end-to-end instructions for those who are new to cert-manager and AWS. +> 📖 Read the [AWS + LoadBalancer + Let's Encrypt](../../../tutorials/getting-started-aws-letsencrypt/README.md) +> tutorial, which contains end-to-end instructions for those who are new to +> cert-manager and AWS. ## Set up an IAM Policy @@ -90,8 +90,8 @@ Ambient credentials are credentials which are made available in the cert-manager - [**Shared config and credentials files**](https://docs.aws.amazon.com/sdkref/latest/guide/file-format.html):
where cert-manager loads credentials from files (`~/.aws/config` and `~/.aws/credentials`) which are mounted into the cert-manager controller Pod. -The advantage of ambient credentials is that they are easier to set up, well -documented, and AWS provides ways to automate the configuration. +The advantage of ambient credentials is that they are easier to set up and +extensively documented by Amazon AWS. The disadvantage of ambient credentials is that they are globally available to all ClusterIssuer and all Issuer resources, which means that in a multi-tenant environment, any tenant who has permission to create Issuer or ClusterIssuer may @@ -150,10 +150,9 @@ It is a four step process: name: letsencrypt-prod spec: acme: - ... solvers: - dns01: - route53 {}: + route53: {} ``` #### EKS IAM Role for Service Accounts (IRSA) @@ -260,10 +259,9 @@ A mutating webhook will automatically setup a mounted service account volume in name: letsencrypt-prod spec: acme: - ... solvers: - dns01: - route53 {}: + route53: {} ``` ### Non-ambient Credentials @@ -281,6 +279,9 @@ Each tenant can be granted permission to create and update Issuer resources in t #### Referencing your own ServiceAccount within in an Issuer or ClusterIssuer +> 📖 Read the [AWS + LoadBalancer + Let's Encrypt tutorial](../../../tutorials/getting-started-aws-letsencrypt/README.md) +> to learn how to deploy cert-manager on EKS and use this authentication mechanism. + In this configuration you can reference your own `ServiceAccounts` in your `Issuer` or `ClusterIssuer` and cert-manager will get a ServiceAccount token from the Kubernetes API which it will send to STS in exchange for AWS temporary credentials. The advantage of this method over IRSA or Pod Identity is that each Issuer can reference a different `ServiceAccount`, diff --git a/content/docs/tutorials/getting-started-aws-letsencrypt/README.md b/content/docs/tutorials/getting-started-aws-letsencrypt/README.md index 87110e8d49..55ced23bc0 100644 
--- a/content/docs/tutorials/getting-started-aws-letsencrypt/README.md +++ b/content/docs/tutorials/getting-started-aws-letsencrypt/README.md @@ -12,8 +12,8 @@ In this tutorial you will learn how to deploy and configure cert-manager on AWS and how to deploy an HTTPS web server and make it available on the Internet. You will learn how to configure cert-manager to get a signed certificate from Let's Encrypt, which will allow clients to connect to your HTTPS website securely. -You will configure cert-manager to use the [Let's Encrypt DNS-01 challenge protocol](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) with AWS Route53 DNS, -using IAM Roles for Service Accounts (IRSA) to authenticate to AWS. +You will configure cert-manager to use the [Let's Encrypt DNS-01 challenge protocol](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge) with AWS Route53 DNS. +You will authenticate to Route53 using a [dedicated Kubernetes ServiceAccount token](../../configuration/acme/dns01/route53.md#referencing-your-own-serviceaccount-within-in-an-issuer-or-clusterissuer). # Part 1 
@@ -379,7 +379,7 @@ You need to prove to Let's Encrypt that you own the domain name of the certifica This is known as the [DNS-01 challenge type](https://letsencrypt.org/docs/challenge-types/#dns-01-challenge). cert-manager can create that DNS record for you in by using the AWS Route53 API but it needs to authenticate first, -and currently the most secure method of authentication is to use [IAM roles for service accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html). +and currently the most secure method of authentication is to use a [dedicated Kubernetes ServiceAccount token](../../configuration/acme/dns01/route53.md#referencing-your-own-serviceaccount-within-in-an-issuer-or-clusterissuer). The advantages of this method are that cert-manager will use an ephemeral Kubernetes ServiceAccount Token to authenticate to AWS and the token need not be stored in a Kubernetes Secret. > 📖 Read about [other ways to configure the ACME issuer with AWS Route53 DNS](../../configuration/acme/dns01/route53.md). @@ -425,7 +425,7 @@ aws iam create-policy \ EOF ``` -> ℹī¸ Read the [cert-manager ACME DNS01 Route53 configuration documentation](https://cert-manager.io/docs/configuration/acme/dns01/route53), +> ℹī¸ Read the [cert-manager ACME DNS01 Route53 configuration documentation](../../configuration/acme/dns01/route53.md), > for more details of this IAM policy. ## Create an IAM role and associate it with a Kubernetes service account
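Review bot: inconsistent link text between the two cross links added to route53.md. The first hunk writes "Read the [AWS + LoadBalancer + Let's Encrypt](...) tutorial" with "tutorial" outside the brackets, while the later hunk in the same file writes "[AWS + LoadBalancer + Let's Encrypt tutorial](...)"; pick one form. The old title also named the platform (EKS), which the new short title drops; consider keeping "EKS" in the visible text so readers on non-EKS clusters know the tutorial's scope before clicking.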
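Review bot: "extensively documented by Amazon AWS" is redundant; write "AWS" or "Amazon Web Services". The removed sentence also credited AWS with providing "ways to automate the configuration", which the IRSA and Pod Identity subsections below are exactly about; if that clause was dropped deliberately, fine, otherwise keep it, e.g. "easier to set up, extensively documented by AWS, and AWS provides ways to automate the configuration."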
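Review bot: in the first ClusterIssuer snippet (the `@@ -150,10` hunk) the YAML fix from `route53 {}:` to `route53: {}` is correct, but dropping the `...` line under `acme:` leaves a fragment that now reads as a complete spec with nothing but `solvers:` under `acme:`. Either keep a placeholder (a `# ...` comment survives YAML parsing, unlike the bare `...`) or show the other ACME fields the issuer needs, so readers do not copy an incomplete ClusterIssuer.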
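Review bot: the second ClusterIssuer snippet (the `@@ -260,10` hunk) removes the same `...` placeholder under `acme:`; whichever fix is chosen for the first snippet should be applied here as well so the two examples stay consistent.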
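Review bot: the heading this new note sits under, "Referencing your own ServiceAccount within in an Issuer or ClusterIssuer", has a typo ("within in"), and both README hunks hard-code that typo in their anchor `#referencing-your-own-serviceaccount-within-in-an-issuer-or-clusterissuer`. Fix the heading to "within an Issuer or ClusterIssuer" and update both anchors in this same commit; otherwise a later typo fix will silently break the cross links this patch adds.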
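Review bot: in the README intro hunk, "You will authenticate to Route53 using a dedicated Kubernetes ServiceAccount token" is imprecise. The route53.md section it links to says cert-manager sends the ServiceAccount token to STS in exchange for AWS temporary credentials, and those credentials are what reach Route53. Suggest "You will authenticate to AWS using a dedicated Kubernetes ServiceAccount token" so the two pages describe the same flow.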
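Review bot: in the `@@ -379,7` hunk, "currently the most secure method of authentication" is an unqualified superlative that the surrounding text does not justify; the next sentence already states the concrete properties (an ephemeral ServiceAccount token that need not be stored in a Kubernetes Secret), so "the recommended method" or "a method that avoids storing long-lived credentials in the cluster" is more defensible. While this paragraph is being edited, the context line "cert-manager can create that DNS record for you in by using the AWS Route53 API" has a stray "in".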