From 2989410a26603abe8b76ea4801d35b10e72e53fb Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sandor=20Sz=C3=BCcs?=
Date: Tue, 5 Mar 2024 21:29:44 +0100
Subject: [PATCH] doc: add requirements for acm tagging doc: add missing documented features to the list
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Sandor Szücs
---
 README.md | 2 ++
 deploy/kops.md | 4 ++++
 deploy/requirements.md | 10 ++++++++++
 3 files changed, 16 insertions(+)

diff --git a/README.md b/README.md
index e43f5c5f..075f3384 100644
--- a/README.md
+++ b/README.md
@@ -33,6 +33,8 @@ This information is used to manage AWS resources for each ingress objects of the
 - Support for AWS WAF and WAFv2
 - Support for AWS CNI pod direct access
 - Support for Kubernetes CRD [RouteGroup](https://opensource.zalando.com/skipper/kubernetes/routegroups/)
+- Support for zone aware traffic (enable and disable cross zone traffic `--nlb-cross-zone`)
+- Support for explicitly enable certificates by using certificate Tags `--cert-filter-tag=key=value`
 ## Upgrade
diff --git a/deploy/kops.md b/deploy/kops.md
index c24f9249..b2befe52 100644
--- a/deploy/kops.md
+++ b/deploy/kops.md
@@ -57,6 +57,7 @@ kube-ingress-aws-controller, which we will use:
 "Effect": "Allow",
 "Action": [
 "acm:ListCertificates",
+ "acm:ListTagsForCertificate",
 "acm:GetCertificate",
 "acm:DescribeCertificate",
 "autoscaling:DescribeAutoScalingGroups",
@@ -77,6 +78,7 @@ kube-ingress-aws-controller, which we will use:
 "ec2:DescribeInternetGateways",
 "iam:GetServerCertificate",
 "iam:ListServerCertificates",
+ "iam:ListServerCertificateTags",
 "iam:CreateServiceLinkedRole"
 ],
 "Resource": [
@@ -101,6 +103,7 @@ and add this to your node policy:
 "Effect": "Allow",
 "Action": [
 "acm:ListCertificates",
+ "acm:ListTagsForCertificate",
 "acm:GetCertificate",
 "acm:DescribeCertificate",
 "autoscaling:DescribeAutoScalingGroups",
@@ -121,6 +124,7 @@ and add this to your node policy:
 "ec2:DescribeVpcs",
 "iam:GetServerCertificate",
 "iam:CreateServiceLinkedRole",
+ "iam:ListServerCertificateTags",
 "iam:ListServerCertificates"
 ],
 "Resource": ["*"]
diff --git a/deploy/requirements.md b/deploy/requirements.md
index 3cfd5833..126f89da 100644
--- a/deploy/requirements.md
+++ b/deploy/requirements.md
@@ -256,6 +256,11 @@ Please also note that the worker nodes will need the right permission to describ
 "Resource": "*",
 "Effect": "Allow"
 },
+ {
+ "Action": "acm:ListTagsForCertificate",
+ "Resource": "*",
+ "Effect": "Allow"
+ },
 {
 "Action": "acm:DescribeCertificate",
 "Resource": "*",
@@ -266,6 +271,11 @@ Please also note that the worker nodes will need the right permission to describ
 "Resource": "*",
 "Effect": "Allow"
 },
+ {
+ "Action": "iam:ListServerCertificateTags",
+ "Resource": "*",
+ "Effect": "Allow"
+ },
 {
 "Action": "iam:GetServerCertificate",
 "Resource": "*",