wso2 · sgayangi · Mar 31, 2025
diff --git a/en/docs/assets/files/configure-permissions/apk-specific-permission.yaml b/en/docs/assets/files/configure-permissions/apk-specific-permission.yaml
@@ -0,0 +1,203 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: {{ .Values.wso2.apk.auth.roleName }}
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: [""]
+    resources: ["services", "configmaps", "secrets"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["httproutes", "grpcroutes"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["httproutes/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["apis"]
+    verbs: ["get", "list", "watch", "update", "delete", "create", "patch"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["apis/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["apis/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["authentications"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["authentications/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["authentications/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["backends"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["backends/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["backends/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["apipolicies"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["apipolicies/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["grpcroutes"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["grpcroutes/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["grpcroutes/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["apipolicies/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["interceptorservices"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["interceptorservices/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["interceptorservices/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["scopes"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["scopes/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["scopes/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["ratelimitpolicies"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["ratelimitpolicies/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["ratelimitpolicies/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["airatelimitpolicies"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["airatelimitpolicies/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["airatelimitpolicies/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["coordination.k8s.io"]
+    resources: ["leases"]
+    verbs: ["get", "list", "watch", "update", "patch", "create", "delete"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["tokenissuers"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["tokenissuers/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["tokenissuers/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["backendjwts"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["backendjwts/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["backendjwts/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["gqlroutes"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["gqlroutes/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["gqlroutes/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["aiproviders"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["aiproviders/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["dp.wso2.com"]
+    resources: ["aiproviders/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["applications"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["applications/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["applications/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["subscriptions"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["subscriptions/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["subscriptions/status"]
+    verbs: ["get", "patch", "update"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["applicationmappings"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["applicationmappings/finalizers"]
+    verbs: ["update"]
+  - apiGroups: ["cp.wso2.com"]
+    resources: ["applicationmappings/status"]
+    verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: {{ template "apk-helm.resource.prefix" . }}-role-binding
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: Role
+  name: {{ .Values.wso2.apk.auth.roleName }}
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name: {{ .Values.wso2.apk.auth.serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  name: {{ template "apk-helm.resource.prefix" . }}-gw-cluser-role
+  namespace: {{ .Release.Namespace }}
+rules:
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways", "gatewayclasses"]
+    verbs: ["get", "list", "watch", "update", "delete", "create"]
+  - apiGroups: ["gateway.networking.k8s.io"]
+    resources: ["gateways/status", "gatewayclasses/status"]
+    verbs: ["get", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: {{ template "apk-helm.resource.prefix" . }}-cluster-role-binding
+  namespace: {{ .Release.Namespace }}
+roleRef:
+  kind: ClusterRole
+  name: {{ template "apk-helm.resource.prefix" . }}-gw-cluser-role
+  apiGroup: rbac.authorization.k8s.io
+subjects:
+  - kind: ServiceAccount
+    name:  {{ .Values.wso2.apk.auth.serviceAccountName }}
+    namespace: {{ .Release.Namespace }}
diff --git a/en/docs/setup/cert-manager.md b/en/docs/setup/cert-manager.md
@@ -0,0 +1,122 @@
+# Configuring Cert-Manager in Custom Scenarios  
+
+In certain scenarios, you may already have **cert-manager** installed or need to install it in a different namespace. This guide outlines the steps to configure **APK cert-manager** in such cases.  
+
+## 1. Ensure Cert-Manager is Installed  
+
+Before proceeding, ensure that your **cert-manager** is installed and running in its own namespace. You can refer to the <a href="https://cert-manager.io/docs/installation/" target="_blank">official cert-manager documentation </a> for this.
+
+## 2. Create the Namespace for APK
+
+We will use this namespace to install APK. For this guide, we will create a namespace named `apk`. Run the following command:  
+
+```sh
+kubectl create ns apk
+```
+
+## 3. Create an Issuer for Cert-Manager in the APK namespace
+
+Create an Issuer required for cert-manager by applying the following configuration:
+```
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: custom-issuer  
+  namespace: apk 
+spec:
+  ca:
+    secretName: apk-root-certificate
+```
+
+You can obtain the <a href="../../assets/files/cert-manager/issuer.yaml" target="_blank" download>issuer.yaml</a> file here.
+
+!!! note
+    ### Why Use an Issuer Instead of a ClusterIssuer?
+
+    By default, APK installation comes with a ClusterIssuer, which operates cluster-wide. However, the ClusterIssuer looks for the secret named `apk-root-certificate` in the namespace where the cert-manager is installed, whereas APK creates the secret in its own namespace.
+
+    There are two ways to fix this.
+
+    1. Modify the cert-manager installation by forcing the ClusterIssuer to check the APK namespace, as in the <a href="https://cert-manager.io/docs/configuration/#cluster-resource-namespace" target="_blank">official cert-manager documentation</a>.
+
+    2. To avoid modifying cert-manager’s installation, **create an Issuer instead**, which will look for secrets in its own namespace. Then it can correctly reference the secret containing the root certificate.
+
+    We will proceed with the **second method** in this guide.
+
+## 4. Apply the Issuer
+
+Run the following command to apply the issuer in the apk namespace:
+
+=== "Command"
+    ```
+    kubectl apply -f issuer.yaml -n apk
+    ```
+=== "Format"
+    ```
+    kubectl apply -f <path-to-issuer.yaml-file> -n <namespace>
+    ```
+
+At this stage, if you run 
+=== "Command"
+    ```
+    kubectl describe issuer custom-issuer -n apk
+    ```
+=== "Format"
+    ```
+    kubectl describe <issuer-name> -n <namespace>
+    ```
+
+it may show a "False" Ready status. This is expected, as the root certificate secret is not created yet. The secret will be generated when APK is installed.
+
+## 5. Update `values.yaml`
+
+Modify the values.yaml file with the following configuration:
+```
+certmanager:
+  enabled: false
+  enableClusterIssuer: false
+  enableRootCa: true
+  rootCaSecretName: "apk-root-certificate"
+  issuerKind: "Issuer"
+  listeners:
+    issuerName: "custom-issuer"
+    issuerKind: "Issuer"
+  servers:
+    issuerName: "custom-issuer"
+    issuerKind: "Issuer"
+```
+
+This configuration 
+
+- disables the cert-manager included with APK
+- creates the root certificate for the Issuer
+- refers to an Issuer for the certificate management instead of a ClusterIssuer
+
+## 6. Install APK
+
+Now, install APK using Helm with the modified values.yaml file.
+
+=== "Command"
+    ```
+    helm install apk wso2apk/apk-helm --version 1.3.0 -f values.yaml -n apk
+    ```
+=== "Format"
+    ```
+    helm install <chart-name> <repository-name>/apk-helm --version <version-of-APK> -f <path-to-values.yaml-file> -n <namespace>
+    ```
+
+## 7. Verify the Certificate Status
+
+Once APK is installed, check the certificates by running:
+=== "Command"
+    ```
+    kubectl get certificates -n apk
+    ```
+=== "Format"
+    ```
+    kubectl get certificates -n <namespace>
+    ```
+
+You should be able to see them having transitioned to the Ready status as follows.
+
+[![Certificates](../../assets/img/cert-manager/certificates.png)](../../assets/img/cert-manager/certificates.png)