diff --git a/manifests/platform/cert-manager/base/deployment.yaml b/manifests/platform/cert-manager/base/deployment.yaml
index 759ffb8..379397e 100644
--- a/manifests/platform/cert-manager/base/deployment.yaml
+++ b/manifests/platform/cert-manager/base/deployment.yaml
@@ -134,6 +134,8 @@ spec:
 valueFrom:
 fieldRef:
 fieldPath: metadata.namespace
+ - name: GOOGLE_APPLICATION_CREDENTIALS
+ value: /var/run/secrets/google/credentials.json
 # LivenessProbe settings are based on those used for the Kubernetes
 # controller-manager. See:
 # https://github.com/kubernetes/kubernetes/blob/806b30170c61a38fedd54cc9ede4cd6275a1ad3b/cmd/kubeadm/app/util/staticpod/utils.go#L241-L245
@@ -154,6 +156,26 @@ spec:
 limits:
 cpu: 30m
 memory: 40Mi
+ volumeMounts:
+ - name: google-creds
+ mountPath: /var/run/secrets/google
+ readOnly: true
+ - name: bound-sa-token
+ mountPath: /var/run/secrets/openshift/serviceaccount
+ readOnly: true
+ volumes:
+ - name: google-creds
+ configMap:
+ name: google-creds
+ defaultMode: 420
+ - name: bound-sa-token
+ projected:
+ sources:
+ - serviceAccountToken:
+ audience: openshift
+ expirationSeconds: 3600
+ path: token
+ defaultMode: 420
 nodeSelector:
 kubernetes.io/os: "linux"
 ---
diff --git a/manifests/platform/cert-manager/overlays/okd/google-creds-configmap.yaml b/manifests/platform/cert-manager/overlays/okd/google-creds-configmap.yaml
new file mode 100644
index 0000000..888974a
--- /dev/null
+++ b/manifests/platform/cert-manager/overlays/okd/google-creds-configmap.yaml
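Review bot: The `google-creds` ConfigMap volume in the second hunk (`volumes:`) is wired into the base deployment, but the ConfigMap is only created by the okd overlay, so any other overlay built from this base will have its pod stuck waiting on a missing volume; either add `optional: true` under `configMap:` or move the volume, both `volumeMounts` entries and the `GOOGLE_APPLICATION_CREDENTIALS` env var from the first hunk into the okd overlay as a patch. The projected token's `audience: openshift` is a generic value, so a token minted for it is acceptable to any verifier that trusts that audience; an audience specific to the GCP pool/provider (with the provider's allowed audiences updated to match, which I cannot see here) limits where a leaked token can be replayed, and `expirationSeconds: 3600` is already the shortest the kubelet allows. Both `readOnly: true` mounts are the right call and worth keeping. The enclosing container and pod spec start outside the hunk.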
@@ -0,0 +1,20 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: google-creds
+ namespace: cert-manager
+data:
+ credentials.json: |
+ {
+ "type": "external_account",
+ "audience": "//iam.googleapis.com/projects/1086456784694/locations/global/workloadIdentityPools/okd-pool/providers/okd-provider",
+ "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
+ "token_url": "https://sts.googleapis.com/v1/token",
+ "credential_source": {
+ "file": "/var/run/secrets/openshift/serviceaccount/token",
+ "format": {
+ "type": "text"
+ }
+ },
+ "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/projects/-/serviceAccounts/cert-manager-dns-solver@okd-homelab.iam.gserviceaccount.com:generateAccessToken"
+ }
diff --git a/manifests/platform/cert-manager/overlays/okd/kustomization.yaml b/manifests/platform/cert-manager/overlays/okd/kustomization.yaml
index 4a21029..e6662d0 100644
--- a/manifests/platform/cert-manager/overlays/okd/kustomization.yaml
+++ b/manifests/platform/cert-manager/overlays/okd/kustomization.yaml
@@ -4,4 +4,5 @@ namespace: cert-manager
 resources:
 - ../../base
 - ../../components
+ - google-creds-configmap.yaml
 # - clusterissuer-staging.yaml
diff --git a/terraform/okd/main.tf b/terraform/okd/main.tf
index e08c7cd..cb477e3 100644
--- a/terraform/okd/main.tf
+++ b/terraform/okd/main.tf
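Review bot: Nothing in `credentials.json` is a secret — it is a Workload Identity Federation client config whose only credential is the projected token read from `credential_source.file` — but a reader who sees `GOOGLE_APPLICATION_CREDENTIALS` pointing at a ConfigMap will assume otherwise, so say so above `data:`: `# Non-secret WIF client config; auth uses the projected SA token at credential_source.file, nothing stored here.` Two values are cross-file couplings that silently break on drift and deserve a comment naming their counterparts: `credential_source.file` must equal the `bound-sa-token` mount path in the base deployment, and the token's `aud` (`openshift` in the deployment) must be among the provider's allowed audiences in terraform. The impersonation step also depends on `roles/iam.workloadIdentityUser` on the target SA, which the terraform hunk's `cert_manager_wif_binding` grants.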
@@ -123,6 +123,12 @@ resource "google_project_iam_custom_role" "cert_manager_dns_solver_role" {
 ]
 }
 
+resource "google_project_iam_member" "cert_manager_dns_solver_role_binding" {
+ project = data.google_project.okd_homelab.project_id
+ role = "projects/${data.google_project.okd_homelab.project_id}/roles/${google_project_iam_custom_role.cert_manager_dns_solver_role.role_id}"
+ member = "serviceAccount:${google_service_account.cert_manager_dns_solver.email}"
+}
+
 resource "google_service_account_iam_member" "cert_manager_wif_binding" {
 service_account_id = "projects/${data.google_project.okd_homelab.project_id}/serviceAccounts/${google_service_account.cert_manager_dns_solver.email}"
 role = "roles/iam.workloadIdentityUser"
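Review bot: The `role` argument of `cert_manager_dns_solver_role_binding` rebuilds the qualified role name by hand from the project data source and `role_id`; the custom role resource already exposes it, so `role = google_project_iam_custom_role.cert_manager_dns_solver_role.id` (the `projects/…/roles/…` form) is shorter and cannot drift from the role's real project. The binding is project-scoped, so the SA can act on every managed zone in the project with whatever permissions the custom role carries (its body is cut off at the top of the hunk); if only one zone is solved, a zone-level `google_dns_managed_zone_iam_member` binding is the least-privilege form, provided the provider version in use supports it. Using the non-authoritative `google_project_iam_member` rather than a `_binding`/`_policy` resource is the right choice. A one-line purpose comment above the resource, `# Grant the DNS solver SA its custom role on the project (DNS-01 challenges)`, would help the next reader.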