OSDOCS-3142: Adding docs for cert-manager

bergerhoffer · bergerhoffer · commit 7f12144c580e · 2022-04-07T14:50:29.000-04:00
diff --git a/_attributes/common-attributes.adoc b/_attributes/common-attributes.adoc
@@ -35,6 +35,7 @@ endif::[]
 :sandboxed-containers-operator: OpenShift sandboxed containers Operator
 :sandboxed-containers-version: 1.1
 :sandboxed-containers-legacy-version: 1.0.2
+:cert-manager-operator: cert-manager Operator for Red Hat OpenShift
 :rh-virtualization-first: Red Hat Virtualization (RHV)
 :rh-virtualization: RHV
 :rh-virtualization-engine-name: Manager
diff --git a/_topic_maps/_topic_map.yml b/_topic_maps/_topic_map.yml
@@ -840,6 +840,19 @@ Topics:
     File: file-integrity-operator-advanced-usage
   - Name: Troubleshooting the File Integrity Operator
     File: file-integrity-operator-troubleshooting
+- Name: cert-manager Operator for Red Hat OpenShift
+  Dir: cert_manager_operator
+  Distros: openshift-enterprise
+  Topics:
+  - Name: cert-manager Operator for Red Hat OpenShift overview
+    File: index
+  - Name: cert-manager Operator for Red Hat OpenShift release notes
+    File: cert-manager-operator-release-notes
+  - Name: Installing the cert-manager Operator for Red Hat OpenShift
+    File: cert-manager-operator-install
+    # For GA release, add details here on requesting certificates, etc.
+  - Name: Uninstalling the cert-manager Operator for Red Hat OpenShift
+    File: cert-manager-operator-uninstall
 - Name: Viewing audit logs
   File: audit-log-view
 - Name: Configuring the audit log policy
diff --git a/modules/cert-manager-about.adoc b/modules/cert-manager-about.adoc
@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/index.adoc
+
+:_content-type: CONCEPT
+[id="cert-manager-about_{context}"]
+= About the {cert-manager-operator}
+
+The link:https://cert-manager.io/[cert-manager] project introduces certificate authorities and certificates as resource types in the Kubernetes API, which makes it possible to provide certificates on demand to developers working within your cluster. The {cert-manager-operator} provides a supported way to integrate cert-manager into your {product-title} cluster.
+
+The {cert-manager-operator} provides the following features:
+
+* Support for integrating with external certificate authorities
+* Tools to manage certificates
+* Ability for developers to self-serve certificates
+* Automatic certificate renewal
+
+[IMPORTANT]
+====
+Do not attempt to use more than one cert-manager Operator in your cluster. If you have a community cert-manager Operator installed in your cluster, you must uninstall it before installing the {cert-manager-operator}.
+====
diff --git a/modules/cert-manager-install-console.adoc b/modules/cert-manager-install-console.adoc
@@ -0,0 +1,44 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-install.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-install-console_{context}"]
+= Installing the {cert-manager-operator} using the web console
+
+You can use the web console to install the {cert-manager-operator}.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have access to the {product-title} web console.
+
+.Procedure
+
+. Log in to the {product-title} web console.
+
+. Navigate to *Operators* -> *OperatorHub*.
+
+. Enter *{cert-manager-operator}* into the filter box.
+
+. Select the *{cert-manager-operator}* and click *Install*.
+
+. On the *Install Operator* page:
+.. The *Update channel* is set to *tech-preview*, which installs the latest Technology Preview release of the {cert-manager-operator}.
+.. The *Installation Mode* is set to *All namespaces on the cluster (default)*. This mode installs the Operator in the Operator-recommended `openshift-cert-manager-operator` namespace to watch and be made available to all namespaces in the cluster.
+.. Choose the *Installed Namespace* for the Operator. The default Operator recommended namespace is `openshift-cert-manager-operator`.
++
+If the `openshift-cert-manager-operator` namespace does not exist, it is created for you.
+.. Click the *Enable Operator recommended cluster monitoring on the Namespace* checkbox to enable cluster monitoring for the Operator.
+.. Select an *Update approval* strategy.
++
+* The *Automatic* strategy allows Operator Lifecycle Manager (OLM) to automatically update the Operator when a new version is available.
++
+* The *Manual* strategy requires a user with appropriate credentials to approve the Operator update.
+
+.. Click *Install*.
+
+.Verification
+
+. Navigate to *Operators* -> *Installed Operators*.
+. Verify that *{cert-manager-operator}* is listed with a *Status* of *Succeeded*.
diff --git a/modules/cert-manager-remove-resources-console.adoc b/modules/cert-manager-remove-resources-console.adoc
@@ -0,0 +1,40 @@
+// Module included in the following assemblies:
+//
+// * security/cert-manager-operator-uninstall.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-remove-resources-console_{context}"]
+= Removing {cert-manager-operator} resources
+
+Optionally, after uninstalling the {cert-manager-operator}, you can remove its related resources from your cluster.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have access to the {product-title} web console.
+
+.Procedure
+
+. Log in to the {product-title} web console.
+
+. Remove CRDs that were installed by the {cert-manager-operator}:
+
+.. Navigate to *Administration* -> *CustomResourceDefinitions*.
+
+.. Enter `certmanager` in the *Name* field to filter the CRDs.
+
+.. Click the Options menu {kebab} next to each of the following CRDs, and select *Delete Custom Resource Definition*:
+
+*** `Certificate`
+*** `CertificateRequest`
+*** `CertManager` (`config.openshift.io`)
+*** `CertManager` (`operator.openshift.io`)
+*** `Challenge`
+*** `ClusterIssuer`
+*** `Issuer`
+*** `Order`
+
+. Remove the `openshift-cert-manager-operator` namespace.
+.. Navigate to *Administration* -> *Namespaces*.
+.. Click the Options menu {kebab} next to the *openshift-cert-manager-operator* and select *Delete Namespace*.
+.. In the confirmation dialog, enter `openshift-cert-manager-operator` in the field and click *Delete*.
diff --git a/modules/cert-manager-request-methods.adoc b/modules/cert-manager-request-methods.adoc
@@ -0,0 +1,13 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/index.adoc
+
+:_content-type: CONCEPT
+[id="cert-manager-request-methods_{context}"]
+= Certificate request methods
+
+There are two ways to request a certificate using the {cert-manager-operator}:
+
+Using the `cert-manager.io/CertificateRequest` object:: With this method a service developer creates a `CertificateRequest` object with a valid `issuerRef` pointing to a configured issuer (configured by a service infrastructure administrator). A service infrastructure administrator then accepts or denies the certificate request. Only accepted certificate requests create a corresponding certificate.
+
+Using the `cert-manager.io/Certificate` object:: With this method, a service developer creates a `Certificate` object with a valid `issuerRef` and obtains a certificate from a secret that they pointed to the `Certificate` object.
diff --git a/modules/cert-manager-uninstall-console.adoc b/modules/cert-manager-uninstall-console.adoc
@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * security/cert_manager_operator/cert-manager-operator-uninstall.adoc
+
+:_content-type: PROCEDURE
+[id="cert-manager-uninstall-console_{context}"]
+= Uninstalling the {cert-manager-operator}
+
+You can uninstall the {cert-manager-operator} by using the web console.
+
+.Prerequisites
+
+* You have access to the cluster with `cluster-admin` privileges.
+* You have access to the {product-title} web console.
+* The {cert-manager-operator} is installed.
+// TODO: Any other prereqs, like removing anything that is using it?
+
+.Procedure
+
+. Log in to the {product-title} web console.
+. Uninstall the {cert-manager-operator} Operator.
+.. Navigate to *Operators* -> *Installed Operators*.
+.. Click the Options menu {kebab} next to the *{cert-manager-operator}* entry and click *Uninstall Operator*.
+.. In the confirmation dialog, click *Uninstall*.
diff --git a/modules/nodes-descheduler-uninstalling.adoc b/modules/nodes-descheduler-uninstalling.adoc
@@ -22,7 +22,7 @@ You can remove the descheduler from your cluster by removing the descheduler ins
 .. Click the Options menu {kebab} next to the *cluster* entry and select *Delete KubeDescheduler*.
 .. In the confirmation dialog, click *Delete*.
 . Uninstall the Kube Descheduler Operator.
-.. Navigate to *Operators* -> *Installed Operators*,
+.. Navigate to *Operators* -> *Installed Operators*.
 .. Click the Options menu {kebab} next to the *Kube Descheduler Operator* entry and select *Uninstall Operator*.
 .. In the confirmation dialog, click *Uninstall*.
 . Delete the `openshift-kube-descheduler-operator` namespace.
diff --git a/security/cert_manager_operator/cert-manager-operator-install.adoc b/security/cert_manager_operator/cert-manager-operator-install.adoc
@@ -0,0 +1,21 @@
+:_content-type: ASSEMBLY
+[id="cert-manager-operator-install"]
+= Installing the {cert-manager-operator}
+include::_attributes/common-attributes.adoc[]
+:context: cert-manager-operator-install
+
+toc::[]
+
+The {cert-manager-operator} is not installed in {product-title} by default. You can install the {cert-manager-operator} by using the web console.
+
+:FeatureName: The {cert-manager-operator}
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+// Installing the {cert-manager-operator} using the web console
+include::modules/cert-manager-install-console.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="cert-manager-operator-install_additional-resources"]
+== Additional resources
+
+* xref:../../operators/admin/olm-adding-operators-to-cluster.adoc#olm-adding-operators-to-a-cluster[Adding Operators to a cluster]
diff --git a/security/cert_manager_operator/cert-manager-operator-release-notes.adoc b/security/cert_manager_operator/cert-manager-operator-release-notes.adoc
@@ -0,0 +1,45 @@
+:_content-type: ASSEMBLY
+[id="cert-manager-operator-release-notes"]
+= {cert-manager-operator} release notes
+include::_attributes/common-attributes.adoc[]
+:context: cert-manager-operator-release-notes
+
+toc::[]
+
+The {cert-manager-operator} is a cluster-wide service that provides application certificate lifecycle management.
+
+These release notes track the development of {cert-manager-operator}.
+
+:FeatureName: The {cert-manager-operator}
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+For more information, see xref:../../security/cert_manager_operator/index.adoc#cert-manager-operator-about[About the {cert-manager-operator}].
+
+[id="cert-manager-operator-release-notes-1.7.1-1"]
+== Release notes for {cert-manager-operator} 1.7.1-1 (Technology Preview)
+
+Issued: 2022-04-11
+
+The following advisory is available for the {cert-manager-operator} 1.7.1-1:
+
+* link:https://access.redhat.com/errata/RHEA-2022:1273[RHEA-2022:1273]
+
+For more information, see the link:https://cert-manager.io/docs/release-notes/release-notes-1.7/#v1-7-1[cert-manager project release notes for v1.7.1].
+
+[id="cert-manager-operator-1.7.1-1-new-features-and-enhancements"]
+=== New features and enhancements
+
+* This is the initial, Technology Preview release of the {cert-manager-operator}.
+
+////
+// No bug fixes in the initial release
+[id="cert-manager-operator-1.7.1-1-bug-fixes"]
+=== Bug fixes
+
+* TODO
+////
+
+[id="cert-manager-operator-1.7.1-1-known-issues"]
+=== Known issues
+
+* Using `Route` objects is not fully supported. Currently, {cert-manager-operator} integrates with `Route` objects by creating `Ingress` objects through the Ingress Controller. (link:https://issues.redhat.com/projects/CM/issues/CM-16[*CM-16*])
diff --git a/security/cert_manager_operator/cert-manager-operator-uninstall.adoc b/security/cert_manager_operator/cert-manager-operator-uninstall.adoc
@@ -0,0 +1,18 @@
+:_content-type: ASSEMBLY
+[id="cert-manager-operator-uninstall"]
+= Uninstalling the {cert-manager-operator}
+include::_attributes/common-attributes.adoc[]
+:context: cert-manager-operator-uninstall
+
+toc::[]
+
+You can remove the {cert-manager-operator} from {product-title} by uninstalling the Operator and removing its related resources.
+
+:FeatureName: The {cert-manager-operator}
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+// Uninstalling the {cert-manager-operator}
+include::modules/cert-manager-uninstall-console.adoc[leveloffset=+1]
+
+// Removing {cert-manager-operator} resources
+include::modules/cert-manager-remove-resources-console.adoc[leveloffset=+1]
diff --git a/security/cert_manager_operator/images b/security/cert_manager_operator/images
@@ -0,0 +1 @@
+../../images/
diff --git a/security/cert_manager_operator/index.adoc b/security/cert_manager_operator/index.adoc
@@ -0,0 +1,24 @@
+:_content-type: ASSEMBLY
+[id="cert-manager-operator-about"]
+= {cert-manager-operator} overview
+include::_attributes/common-attributes.adoc[]
+:context: cert-manager-operator-about
+
+toc::[]
+
+The {cert-manager-operator} is a cluster-wide service that provides application certificate lifecycle management. The {cert-manager-operator} allows you to integrate with external certificate authorities and provides certificate provisioning, renewal, and retirement.
+
+:FeatureName: The {cert-manager-operator}
+include::snippets/technology-preview.adoc[leveloffset=+1]
+
+// About the {cert-manager-operator}
+include::modules/cert-manager-about.adoc[leveloffset=+1]
+
+// Certificate request methods
+include::modules/cert-manager-request-methods.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="cert-manager-operator-about_additional-resources"]
+== Additional resources
+
+* link:https://cert-manager.io/docs/[cert-manager project documentation]
diff --git a/security/cert_manager_operator/modules b/security/cert_manager_operator/modules
@@ -0,0 +1 @@
+../../modules/
diff --git a/security/cert_manager_operator/snippets b/security/cert_manager_operator/snippets
@@ -0,0 +1 @@
+../../snippets/
