dns01
This commit is contained in:
@@ -12,10 +12,24 @@ spec:
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging-key
|
||||
solvers:
|
||||
- dns01:
|
||||
azureDNS:
|
||||
subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
|
||||
resourceGroupName: forteapps-domain
|
||||
hostedZoneName: forteapps.net
|
||||
environment: AzurePublicCloud
|
||||
clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
|
||||
clientSecretSecretRef:
|
||||
name: azuredns-config
|
||||
key: client-secret
|
||||
selector:
|
||||
dnsNames:
|
||||
- '*.forteapps.net'
|
||||
- 'forteapps.net'
|
||||
# HTTP-01 fallback for non-wildcard certificates
|
||||
- http01:
|
||||
ingress:
|
||||
class: traefik
|
||||
|
||||
---
|
||||
# Production ClusterIssuer for browser-trusted certificates
|
||||
apiVersion: cert-manager.io/v1
|
||||
@@ -30,6 +44,146 @@ spec:
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-prod-key
|
||||
solvers:
|
||||
# DNS-01 solver for wildcard certificates (*.forteapps.net)
|
||||
- dns01:
|
||||
azureDNS:
|
||||
subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
|
||||
resourceGroupName: forteapps-domain
|
||||
hostedZoneName: forteapps.net
|
||||
environment: AzurePublicCloud
|
||||
clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
|
||||
clientSecretSecretRef:
|
||||
name: azuredns-config
|
||||
key: client-secret
|
||||
selector:
|
||||
dnsNames:
|
||||
- '*.forteapps.net'
|
||||
- 'forteapps.net'
|
||||
# HTTP-01 fallback for non-wildcard certificates
|
||||
- http01:
|
||||
ingress:
|
||||
class: traefik
|
||||
|
||||
# =============================================================================
|
||||
# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES
|
||||
# =============================================================================
|
||||
#
|
||||
# PREREQUISITES IN AZURE DNS PORTAL:
|
||||
# ----------------------------------
|
||||
# 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your
|
||||
# Azure subscription. If not, create it in Azure Portal:
|
||||
# - Search for "DNS zones" → Create → Zone name: forteapps.net
|
||||
# - Note the Resource Group where you create it (e.g., "dns-zones-rg")
|
||||
#
|
||||
# 2. Configure NS records at your domain registrar to point to Azure DNS:
|
||||
# - In Azure Portal → DNS zones → forteapps.net
|
||||
# - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.)
|
||||
# - Go to your domain registrar and update the NS records to these values
|
||||
#
|
||||
# AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters):
|
||||
# ----------------------------------------------------------------------------
|
||||
# Since your cluster runs on UpCloud (not AKS), you must use Service Principal
|
||||
# authentication. Managed Identity only works with Azure-hosted resources.
|
||||
#
|
||||
# =============================================================================
|
||||
# SETUP: Service Principal for UpCloud Clusters
|
||||
# =============================================================================
|
||||
#
|
||||
# 1. Create Azure AD App Registration:
|
||||
# az ad sp create-for-rbac --name cert-manager-dns --sdk-auth
|
||||
# # Save the JSON output - you'll need appId (clientID) and password (clientSecret)
|
||||
#
|
||||
# 2. Assign DNS Zone Contributor role:
|
||||
# az role assignment create \
|
||||
# --role "DNS Zone Contributor" \
|
||||
# --assignee <SERVICE_PRINCIPAL_CLIENT_ID> \
|
||||
# --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<DNS_RESOURCE_GROUP>/providers/Microsoft.Network/dnszones/forteapps.net
|
||||
#
|
||||
# 3. Create Kubernetes secret for the service principal:
|
||||
# kubectl create secret generic azuredns-config \
|
||||
# --namespace cert-manager \
|
||||
# --from-literal=client-secret=YOUR_CLIENT_SECRET
|
||||
#
|
||||
# 4. Update the ClusterIssuer above with:
|
||||
# - subscriptionID: Your Azure subscription ID
|
||||
# - resourceGroupName: The resource group containing your DNS zone
|
||||
# - clientID: The Service Principal appId/clientID
|
||||
# - clientSecretSecretRef: References the secret created in step 3
|
||||
#
|
||||
# =============================================================================
|
||||
# ALTERNATIVE DNS PROVIDERS (for reference):
|
||||
# =============================================================================
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Cloudflare (original configuration)
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
|
||||
# --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
|
||||
#
|
||||
# dns01:
|
||||
# cloudflare:
|
||||
# email: your-cloudflare-email@example.com
|
||||
# apiTokenSecretRef:
|
||||
# name: cloudflare-api-token-secret
|
||||
# key: api-token
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# AWS Route53
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with: kubectl create secret generic route53-credentials \
|
||||
# --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
|
||||
#
|
||||
# dns01:
|
||||
# route53:
|
||||
# region: us-east-1
|
||||
# hostedZoneID: ZXXXXXXXXXXXXX
|
||||
# accessKeyID: YOUR_ACCESS_KEY_ID
|
||||
# secretAccessKeySecretRef:
|
||||
# name: route53-credentials
|
||||
# key: secret-access-key
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Google Cloud DNS
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with service account JSON key:
|
||||
# kubectl create secret generic clouddns-service-account \
|
||||
# --from-file=service-account.json=path/to/key.json -n cert-manager
|
||||
#
|
||||
# dns01:
|
||||
# cloudDNS:
|
||||
# project: YOUR_GCP_PROJECT_ID
|
||||
# hostedZoneName: example-com
|
||||
# serviceAccountSecretRef:
|
||||
# name: clouddns-service-account
|
||||
# key: service-account.json
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# GoDaddy
|
||||
# -----------------------------------------------------------------------------
|
||||
# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
|
||||
#
|
||||
# dns01:
|
||||
# webhook:
|
||||
# groupName: acme.yourcompany.com
|
||||
# solverName: godaddy
|
||||
# config:
|
||||
# apiKeySecretRef:
|
||||
# name: godaddy-api-credentials
|
||||
# key: api-key
|
||||
# apiSecretSecretRef:
|
||||
# name: godaddy-api-credentials
|
||||
# key: api-secret
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Manual/Dynamic DNS (for homelab)
|
||||
# -----------------------------------------------------------------------------
|
||||
# Requires RFC2136 provider or external webhook
|
||||
#
|
||||
# dns01:
|
||||
# rfc2136:
|
||||
# nameserver: your-dns-server.example.com
|
||||
# tsigKeyName: cert-manager-key
|
||||
# tsigAlgorithm: HMACSHA256
|
||||
# tsigSecretSecretRef:
|
||||
# name: tsig-secret
|
||||
# key: secret
|
||||
|
||||
Reference in New Issue
Block a user