diff --git a/cluster-resources/azuredns-config-sealed.yaml b/cluster-resources/azuredns-config-sealed.yaml new file mode 100644 index 0000000..27dedd7 --- /dev/null +++ b/cluster-resources/azuredns-config-sealed.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: azuredns-config + namespace: cert-manager +spec: + encryptedData: + client-secret: AgBPCix6yTt8gXV2pMfRx6weWtLWUeMa/cBwuaDBZkqZE4CTSDxjQWWK8ul5OtndlEX7+gXV2HpuAmHRhGC8P1z39yWRxIDbKf+AH4JOGSIfu57tnrGvzAwjanKtqeFCEM67Y42Kz1rahCEtdwJj2YIL9oVdCtRPkpAJrAJclqmrCvJZtqQYcDeEn5ONK5Gchxc6x2/J0U0LTjLz/MP74CEKw3CiZ+9VKA4ppvPqjqoE4yyAXSglSnhYTqtMZpFg5sr+at6rAB1ufmtiS70Vfks46OL0/ZJjdS6h5wjIZhl/1DgIFXqc1yoAjuEoMRzMeW9ji1PnjRqas4lU19tuEOf9/Eq65BYOqSIqJ3saG4I/+z013coCGCalo4ghuufmu5pcsi6ywcszz+g20N/PZcVcLbzZbMnKcXsaE007MDLxGY1QD89aribAvsypDUNEuNh7w2n/OAyQdw+nRDGIi8Oz3FoJUmC0HBxin2hstuBnrAXtxdqRX1NU25HfR2s3qt/yQ33TFx4xHA3NAll8Riyg2rvgqAKo9x9rmlcnzML011vlNu5oLKAuCqJlH8W/Nnnh6LNcZJy8Cj+fqXPeWHS4Qk7nEAbYJN9/sNAUg/VzsP0yYejPfjwzoDDaPLvTHROwv9nZ+Lr/U5epHr231jc5+i3x8dLuBtg+aa5PHoS/Ml1a4811w3Bxj3u36q8UPJGnszQXLKCpucynVVstAj4ufhXhhNXJdK/U31Zrc6j3Skw4zgF8Ddv0 + template: + metadata: + creationTimestamp: null + name: azuredns-config + namespace: cert-manager diff --git a/cluster-resources/letsencrypt-issuer.yaml b/cluster-resources/letsencrypt-issuer.yaml index c62ca32..7a5095f 100644 --- a/cluster-resources/letsencrypt-issuer.yaml +++ b/cluster-resources/letsencrypt-issuer.yaml @@ -12,10 +12,24 @@ spec: privateKeySecretRef: name: letsencrypt-staging-key solvers: + - dns01: + azureDNS: + subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d + resourceGroupName: forteapps-domain + hostedZoneName: forteapps.net + environment: AzurePublicCloud + clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74 + clientSecretSecretRef: + name: azuredns-config + key: client-secret + selector: + dnsNames: + - '*.forteapps.net' + - 'forteapps.net' + # HTTP-01 fallback for non-wildcard certificates - http01: ingress: class: traefik - --- # Production ClusterIssuer for browser-trusted certificates apiVersion: cert-manager.io/v1 @@ -30,6 +44,146 @@ spec: privateKeySecretRef: name: letsencrypt-prod-key solvers: + # DNS-01 solver for wildcard certificates (*.forteapps.net) + - dns01: + azureDNS: + subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d + resourceGroupName: forteapps-domain + hostedZoneName: forteapps.net + environment: AzurePublicCloud + clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74 + clientSecretSecretRef: + name: azuredns-config + key: client-secret + selector: + dnsNames: + - '*.forteapps.net' + - 'forteapps.net' + # HTTP-01 fallback for non-wildcard certificates - http01: ingress: class: traefik + +# ============================================================================= +# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES +# ============================================================================= +# +# PREREQUISITES IN AZURE DNS PORTAL: +# ---------------------------------- +# 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your +# Azure subscription. If not, create it in Azure Portal: +# - Search for "DNS zones" → Create → Zone name: forteapps.net +# - Note the Resource Group where you create it (e.g., "dns-zones-rg") +# +# 2. Configure NS records at your domain registrar to point to Azure DNS: +# - In Azure Portal → DNS zones → forteapps.net +# - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.) +# - Go to your domain registrar and update the NS records to these values +# +# AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters): +# ---------------------------------------------------------------------------- +# Since your cluster runs on UpCloud (not AKS), you must use Service Principal +# authentication. Managed Identity only works with Azure-hosted resources. +# +# ============================================================================= +# SETUP: Service Principal for UpCloud Clusters +# ============================================================================= +# +# 1. Create Azure AD App Registration: +# az ad sp create-for-rbac --name cert-manager-dns --sdk-auth +# # Save the JSON output - you'll need appId (clientID) and password (clientSecret) +# +# 2. Assign DNS Zone Contributor role: +# az role assignment create \ +# --role "DNS Zone Contributor" \ +# --assignee \ +# --scope /subscriptions//resourceGroups//providers/Microsoft.Network/dnszones/forteapps.net +# +# 3. Create Kubernetes secret for the service principal: +# kubectl create secret generic azuredns-config \ +# --namespace cert-manager \ +# --from-literal=client-secret=YOUR_CLIENT_SECRET +# +# 4. Update the ClusterIssuer above with: +# - subscriptionID: Your Azure subscription ID +# - resourceGroupName: The resource group containing your DNS zone +# - clientID: The Service Principal appId/clientID +# - clientSecretSecretRef: References the secret created in step 3 +# +# ============================================================================= +# ALTERNATIVE DNS PROVIDERS (for reference): +# ============================================================================= + +# ----------------------------------------------------------------------------- +# Cloudflare (original configuration) +# ----------------------------------------------------------------------------- +# Create secret with: kubectl create secret generic cloudflare-api-token-secret \ +# --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager +# +# dns01: +# cloudflare: +# email: your-cloudflare-email@example.com +# apiTokenSecretRef: +# name: cloudflare-api-token-secret +# key: api-token + +# ----------------------------------------------------------------------------- +# AWS Route53 +# ----------------------------------------------------------------------------- +# Create secret with: kubectl create secret generic route53-credentials \ +# --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager +# +# dns01: +# route53: +# region: us-east-1 +# hostedZoneID: ZXXXXXXXXXXXXX +# accessKeyID: YOUR_ACCESS_KEY_ID +# secretAccessKeySecretRef: +# name: route53-credentials +# key: secret-access-key + +# ----------------------------------------------------------------------------- +# Google Cloud DNS +# ----------------------------------------------------------------------------- +# Create secret with service account JSON key: +# kubectl create secret generic clouddns-service-account \ +# --from-file=service-account.json=path/to/key.json -n cert-manager +# +# dns01: +# cloudDNS: +# project: YOUR_GCP_PROJECT_ID +# hostedZoneName: example-com +# serviceAccountSecretRef: +# name: clouddns-service-account +# key: service-account.json + +# ----------------------------------------------------------------------------- +# GoDaddy +# ----------------------------------------------------------------------------- +# Requires external webhook: https://github.com/snowdrop/godaddy-webhook +# +# dns01: +# webhook: +# groupName: acme.yourcompany.com +# solverName: godaddy +# config: +# apiKeySecretRef: +# name: godaddy-api-credentials +# key: api-key +# apiSecretSecretRef: +# name: godaddy-api-credentials +# key: api-secret + +# ----------------------------------------------------------------------------- +# Manual/Dynamic DNS (for homelab) +# ----------------------------------------------------------------------------- +# Requires RFC2136 provider or external webhook +# +# dns01: +# rfc2136: +# nameserver: your-dns-server.example.com +# tsigKeyName: cert-manager-key +# tsigAlgorithm: HMACSHA256 +# tsigSecretSecretRef: +# name: tsig-secret +# key: secret