Update CertManager readme (#1430)

* Update CertManager readme * update details on dns01 provider
equinor · Aug 15, 2024 · 1e157a7 · 1e157a7
1 parent f9e51db
commit 1e157a7
Showing 1 changed file with 9 additions and 7 deletions.
diff --git a/scripts/cert-manager/README.md b/scripts/cert-manager/README.md
@@ -14,11 +14,10 @@ For certificate management in general in Radix then please see [radix certificat
 
 Cert-manager will use the following resources to obtain certs
 
-- A system user that allows it to edit DNS records (be able to handle ACME challenges)  
-  - The credentials is stored in k8s secret `azure-dns-secret` in namespace `cert-manager`
+- A system user that allows it to edit DNS records (be able to handle ACME dns01 challenges).
 - A private key used for certificate signing request (CSR)
   - Automatically generated by cert-manager
-  - Stored in k8s secret `letsencrypt-prod` in namespace `cert-manager`
+  - Stored in k8s secret `<CLUSTER_ISSUER_NAME>-private-key` in namespace `cert-manager`
 - `ClusterIssuer`
   - a cert-manager CR that has the configuration for how cert-manage should request tls certs
   - stored in default namespace
@@ -30,7 +29,7 @@ Cert-manager will use the following resources to obtain certs
 
 Cert-manager will watch for 
 - `Certificate`(s) manifests
-- `Ingress` that has a special annotation that instructs it to create a `Certificate` manifest
+- `Ingress` that has a special annotation that instructs it to create a `Certificate` manifest ` cert-manager.io/cluster-issuer: <CLUSTER_ISSUER_NAME>`
 
 
 ### How it works
@@ -50,12 +49,15 @@ Until this process is complete, and `{appName}-tls-secret` is populated, then th
 Cert-Manager core is installed by Flux. (Only letsencrypt issuer is installed by its own bootstrap.sh script)
 
 ## Credentials
+All `dns01` providers use Azure Workload identity managed by Flux and Terraform to configure ACME Challenges in the DNS Zone.
 
-`cert-manager` use dedicated service principal to work with the DNS.  
-The name of this service principal is declared in Flux.
+### LetsEncrypt DNS Credentials
+Only Workload Identity is needed for `dns01` provider.
 
 ### Digicert credentials
-Digicert has its own update_account.sh script that will rotate secrets. see the [README](./digicert/README.md) for more details
+DigiCert uses HMAC Account secrets to authenticate and `dns01` provider uses Workload Identity to add challenges to the DNS Zone.
+There is a update_account.sh script that will update the required secrets when the account key is changed. 
+see the [README](./digicert/README.md) for more details
 
 ## Troubleshooting