Merge pull request #94843 from shreyasiddhartha/OSSM-6707

OSSM 6707- Update cert-manager doc for OCP cert-manager's supported istio-csr

Author: ShaunaDiaz

install/ossm-cert-manager.adoc

@@ -10,37 +10,27 @@ toc::[]
 
 The cert-manager tool is a solution for X.509 certificate management on Kubernetes. It delivers a unified API to integrate applications with private or public key infrastructure (PKI), such as Vault, Google Cloud Certificate Authority Service, Let's Encrypt, and other providers.
 
+The cert-manager tool ensures that the certificates are valid and up-to-date by attempting to renew certificates at a configured time before they expire.
+
 [IMPORTANT]
 ====
 The cert-manager tool must be installed before you create and install your `Istio` resource.
 ====
 
-The cert-manager tool ensures the certificates are valid and up-to-date by attempting to renew certificates at a configured time before they expire.
-
 include::modules/ossm-about-cert-manager.adoc[leveloffset=+1]
-include::modules/ossm-installing-cert-manager.adoc[leveloffset=+1]
-
-.Next steps
-To install `istio-csr`, you must follow the `istio-csr` installation instructions for the type of update strategy you want. By default, `spec.updateStrategy` is set to `InPlace` when you create and install your `Istio` resource. You create and install your `Istio` resource after you install `istio-csr`.
-
-* xref:../install/ossm-cert-manager.adoc#inplace-istio-csr-installation_ossm-cert-manager[Installing the istio-csr agent by using the in place update strategy]
-* xref:../install/ossm-cert-manager.adoc#revision-based-istio-csr-installation_ossm-cert-manager[Installing the istio-csr agent by using the revision based update strategy]
-
-include::modules/ossm-cert-manager-istio-csr-inplace-update-strategy.adoc[leveloffset=+2]
+include::modules/ossm-installing-cert-manager.adoc[leveloffset=+2]
+include::modules/ossm-verifying-cert-manager.adoc[leveloffset=+2]
+include::modules/ossm-uninstalling-cert-manager.adoc[leveloffset=+2]
 
-.Next steps
-* xref:../install/ossm-cert-manager.adoc#installing-istio-resource_ossm-cert-manager[Installing your Istio resource]
 
-include::modules/ossm-cert-manager-istio-csr-revisionbased-strategy.adoc[leveloffset=+2]
-
-[id="additional-resources_{context}"]
+[role="_additional-resources"]
 .Additional resources
-* link:https://github.com/cert-manager/istio-csr/tree/main/deploy/charts/istio-csr#appistiorevisions0--string[istio-csr deployment]
-
-
-.Next steps
-* xref:../install/ossm-cert-manager.adoc#installing-istio-resource_ossm-cert-manager[Installing your Istio resource]
-
-include::modules/ossm-cert-manager-installing-istio-resource.adoc[leveloffset=+2]
-include::modules/ossm-cert-manager-verifying-install.adoc[leveloffset=+2]
-include::modules/ossm-cert-manager-update-istio-csr-revisionbased-only.adoc[leveloffset=+1]
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift#cert-manager-operator-install[Installing the cert-manager Operator for Red Hat OpenShift]
+* link:https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html/security_and_compliance/cert-manager-operator-for-red-hat-openshift#cert-manager-operator-integrating-istio[Integrating the cert-manager Operator for Red Hat OpenShift with Istio-CSR]
+
+//include::modules/ossm-cert-manager-istio-csr-inplace-update-strategy.adoc[leveloffset=+2]
+//include::modules/ossm-cert-manager-istio-csr-revisionbased-strategy.adoc[leveloffset=+2]
+//include::modules/ossm-cert-manager-installing-istio-resource.adoc[leveloffset=+2]
+//include::modules/ossm-cert-manager-verifying-install.adoc[leveloffset=+2]
+//include::modules/ossm-cert-manager-update-istio-csr-revisionbased-only.adoc[leveloffset=+1]
+//The above modules are no longer valid for 3.0

modules/ossm-about-cert-manager.adoc

@@ -4,32 +4,15 @@
 
 :_mod-docs-content-type: CONCEPT
 [id="ossm-cert-manager-integration-istio_{context}"]
-= About integrating Service Mesh with cert-manager and istio-csr
-//TP1 content influx. Title, etc may change.
+= About the cert-manager Operator istio-csr agent
 
-The cert-manager tool provides integration with Istio through an external agent called `istio-csr`. The `istio-csr` agent handles certificate signing requests (CSR) from Istio proxies and the `controlplane` in the following ways:
+include::snippets/technology-preview-istiocsr.adoc[]
 
-. Verifying the identity of the workload.
-. Creating a CSR through cert-manager for the workload.
+The {cert-manager-operator} enhances certificate management for securing workloads and control plane components in {SMProductName} and {istio}. It supports issuing, delivering, and renewing certificates used for mutual Transport Layer Security (mTLS) through cert-manager issuers.
 
-The cert-manager tool then creates a CSR to the configured CA Issuer, which signs the certificate.
+By integrating {istio} with the `istio-csr` agent that is managed by the cert-manager Operator, you enable {istio} to request and manage the certificates directly. The integration simplifies security configuration and centralizes certificate management within the cluster.
 
 [NOTE]
 ====
-Red{nbsp}Hat provides support for integrating with `istio-csr` and cert-manager. Red{nbsp}Hat does not provide direct support for the `istio-csr` or the community cert-manager components. The use of community cert-manager shown here is for demonstration purposes only.
-====
-
-//For Istio users, cert-manager also provides integration with `istio-csr`, which is a certificate authority (CA) server that handles certificate signing requests (CSR) from Istio proxies. The server then delegates signing to cert-manager, which forwards CSRs to the configured CA server.
-
-.Prerequisites
-* One of these versions of cert-manager:
-** Red Hat cert-manager Operator 1.10 or later
-** community cert-manager Operator 1.11 or later
-** cert-manager 1.11 or later
-* {SMProductName} 3.0 or later
-* An `IstioCNI` instance is running in the cluster
-* Istio CLI (`istioctl`) tool is installed
-* `jq` is installed
-* Helm is installed
-
-//Note to add {cert-manager-operator} to stand alone common attributes file. That is outside the scope of this PR and there is an existing Jira to add common attributes for OSSM GA.
+The {cert-manager-operator} must be installed before you create and install your `{istio}` resource.
+====

modules/ossm-installing-cert-manager.adoc

@@ -1,20 +1,20 @@
 // Module included in the following assemblies:
 //
-// * service-mesh-docs-main/install/ossm-installing-openshift-service-mesh.adoc
+// * service-mesh-docs-main/install/ossm-cert-manager.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="ossm-installing-cert-manager_{context}"]
-= Installing cert-manager
-//TP1 content influx. Title, etc may change.
-//Content is very similar to 2.x content
-//all kinds of formatting things to fix. want to see if a build will generate to have a look, and see how it fits structurally with the IA.
+= Integrating Service Mesh with the cert-manager Operator by using the istio-csr agent
 
-You can integrate cert-manager with {SMProduct} by deploying `istio-csr` and then creating an `Istio` resource that uses the `istio-csr` agent to process workload and control plane certificate signing requests. This example creates a self-signed `Issuer`, but any other `Issuer` can be used instead.
+You can integrate the cert-manager Operator with {SMProduct} by deploying the `istio-csr` agent and configuring an `{istio}` resource that uses the `istio-csr` agent to process workload and control plane certificate signing requests. The following procedure creates a self-signed `issuer` object.
 
-[IMPORTANT]
-====
-You must install cert-manager before installing your `Istio` resource.
-====
+.Prerequisites
+
+* You have installed the {cert-manager-operator} version 1.15.1.
+* You are logged in to {ocp-product-title} 4.14 or later.
+* You have installed the {SMProduct} Operator.
+* You have a `IstioCNI` instance running in the cluster.
+* You have installed the `istioctl` command.
 
 .Procedure
 
@@ -25,10 +25,31 @@ You must install cert-manager before installing your `Istio` resource.
 $ oc create namespace istio-system
 ----
 
-. Create the root issuer by creating an `Issuer` object in a YAML file.
+. Patch the cert-manager Operator to install the `istio-csr` agent by running the following command:
++
+[source, terminal]
+----
+$ oc -n cert-manager-operator patch subscription openshift-cert-manager-operator \
+  --type='merge' -p \
+  '{"spec":{"config":{"env":[{"name":"UNSUPPORTED_ADDON_FEATURES","value":"IstioCSR=true"}]}}}'
+----
+
+. Create the root certificate authority (CA) issuer by creating an `Issuer` object for the `istio-csr` agent:
+
+.. Create a new project for installing the `istio-csr` agent by running the following command:
 +
+[source, terminal]
+----
+$ oc new-project istio-csr
+----
+
 .. Create an `Issuer` object similar to the following example:
 +
+[NOTE]
+====
+The `selfSigned` issuer is intended for demonstration, testing, or proof-of-concept environments. For production deployments, use a secure and trusted CA.
+====
++
 .Example `issuer.yaml` file
 [source, yaml]
 ----
@@ -43,11 +64,11 @@ spec:
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-    name: istio-ca
-    namespace: istio-system
+  name: istio-ca
+  namespace: istio-system
 spec:
   isCA: true
-  duration: 87600h # 10 years
+  duration: 87600h
   secretName: istio-ca
   commonName: istio-ca
   privateKey:
@@ -70,36 +91,102 @@ metadata:
 spec:
   ca:
     secretName: istio-ca
----
 ----
-+
+
 .. Create the objects by running the following command:
 +
 [source, terminal]
 +
 ----
 $ oc apply -f issuer.yaml
 ----
-+
+
 .. Wait for the `istio-ca` certificate to contain the "Ready" status condition by running the following command:
 +
 [source, terminal]
 ----
 $ oc wait --for=condition=Ready certificates/istio-ca -n istio-system
 ----
 
-. Copy the `istio-ca` certificate to the `cert-manager` namespace so it can be used by istio-csr:
+. Create the `IstioCSR` custom resource:
+
+.. Create the `IstioCSR` custom resource similar to the following example:
 +
-.. Copy the secret to a local file by running the following command:
+.Example `istioCSR.yaml` file
+[source, yaml]
+----
+apiVersion: operator.openshift.io/v1alpha1
+kind: IstioCSR
+metadata:
+  name: default
+  namespace: istio-csr
+spec:
+  istioCSRConfig:
+    certManager:
+      issuerRef:
+        name: istio-ca
+        kind: Issuer
+        group: cert-manager.io
+    istiodTLSConfig:
+      trustDomain: cluster.local
+    istio:
+      namespace: istio-system
+----
+
+.. Create the `istio-csr` agent by by running the following command:
++
+[source, terminal]
++
+----
+$ oc create -f istioCSR.yaml
+----
+
+.. Verify that the `istio-csr` deployment is ready by running the following command:
 +
 [source, terminal]
++
 ----
-$ oc get -n istio-system secret istio-ca -o jsonpath='{.data.tls\.crt}' | base64 -d > ca.pem
+$ oc get deployment -n istio-csr
 ----
+
+. Install the `istio` resource:
++
+[NOTE]
+====
+The configuration disables the built-in CA server for {istio} and forwards certificate signing requests from `istiod` to the `istio-csr` agent. The `istio-csr` agent obtains certificates for both `istiod` and mesh workloads from the cert-manager Operator. The `istiod` TLS certificate that is generated by the `istio-csr` agent is mounted into the pod at a known location for use.
+====
+
+.. Create the `{istio}` object similar to the following example:
 +
-.. Create a secret from the local certificate file in the `cert-manager` namespace by running the following command:
+.Example `istio.yaml` file
+[source, yaml]
+----
+apiVersion: sailoperator.io/v1
+kind: Istio
+metadata:
+  name: default
+spec:
+  version: v1.24-latest
+  namespace: istio-system
+  values:
+    global:
+      caAddress: cert-manager-istio-csr.istio-csr.svc:443
+    pilot:
+      env:
+        ENABLE_CA_SERVER: "false"
+----
+
+.. Create the `{istio}` resource by running the following command:
++
+[source, terminal]
++
+----
+$ oc apply -f istio.yaml
+----
+
+.. Verify that the `istio` resource displays the "Ready" status condition by running the following command:
 +
 [source, terminal]
 ----
-$ oc create secret generic -n cert-manager istio-root-ca --from-file=ca.pem=ca.pem
+$ oc wait --for=condition=Ready istios/default -n istio-system
 ----

modules/ossm-uninstalling-cert-manager.adoc

@@ -0,0 +1,56 @@
+// Module included in the following assemblies:
+//
+// * service-mesh-docs-main/install/ossm-cert-manager.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="ossm-uninstalling-cert-manager_{context}"]
+= Uninstalling Service Mesh with the cert-manager Operator by using the istio-csr agent
+
+You can uninstall the cert-manager Operator with {SMProduct} by completing the following procedure. Before you remove the following resources, verify that no {SMProductName} or {istio} components reference the `Istio-CSR` agent or the certificates it issued. Removing these resources while they are still in use might disrupt mesh functionality.
+
+.Procedure
+
+. Remove the `IstioCSR` custom resource by running the following command:
++
+[source, terminal]
+----
+$ oc -n <istio-csr_project_name> delete istiocsrs.operator.openshift.io default
+----
+
+. Remove the related resources:
+
+.. List the cluster scoped-resources by running the following command:
++
+[source, terminal]
+----
+$ oc get clusterrolebindings,clusterroles -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr"
+----
++
+Save the names of the listed resources for later reference.
+
+.. List the resources in `istio-csr` agent deployed namespace by running the following command:
++
+[source, terminal]
+----
+$ oc get certificate,deployments,services,serviceaccounts -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" -n <istio_csr_project_name>
+----
++
+Save the names of the listed resources for later reference.
+
+.. List the resources in {SMProductName} or {istio} deployed namespaces by running the following command:
++
+[source, terminal]
+----
+$ oc get roles,rolebindings \
+  -l "app=cert-manager-istio-csr,app.kubernetes.io/name=cert-manager-istio-csr" \
+  -n <istio_csr_project_name>
+----
++
+Save the names of the listed resources for later reference.
+
+.. For each resource listed in previous steps, delete the resources by running the following command:
++
+[source, terminal]
+----
+$ oc -n <istio_csr_project_name> delete <resource_type>/<resource_name>
+----