dns01 azure

2026-05-29 21:44:01 +02:00
parent b0faaded6a
commit ebe067088f
2 changed files with 93 additions and 46 deletions
--- a/cluster-resources/azuredns-config-sealed.yaml
+++ b/cluster-resources/azuredns-config-sealed.yaml
@@ -0,0 +1,15 @@
 ---
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
  creationTimestamp: null
  name: azuredns-config
  namespace: cert-manager
 spec:
  encryptedData:
    client-secret: AgBPCix6yTt8gXV2pMfRx6weWtLWUeMa/cBwuaDBZkqZE4CTSDxjQWWK8ul5OtndlEX7+gXV2HpuAmHRhGC8P1z39yWRxIDbKf+AH4JOGSIfu57tnrGvzAwjanKtqeFCEM67Y42Kz1rahCEtdwJj2YIL9oVdCtRPkpAJrAJclqmrCvJZtqQYcDeEn5ONK5Gchxc6x2/J0U0LTjLz/MP74CEKw3CiZ+9VKA4ppvPqjqoE4yyAXSglSnhYTqtMZpFg5sr+at6rAB1ufmtiS70Vfks46OL0/ZJjdS6h5wjIZhl/1DgIFXqc1yoAjuEoMRzMeW9ji1PnjRqas4lU19tuEOf9/Eq65BYOqSIqJ3saG4I/+z013coCGCalo4ghuufmu5pcsi6ywcszz+g20N/PZcVcLbzZbMnKcXsaE007MDLxGY1QD89aribAvsypDUNEuNh7w2n/OAyQdw+nRDGIi8Oz3FoJUmC0HBxin2hstuBnrAXtxdqRX1NU25HfR2s3qt/yQ33TFx4xHA3NAll8Riyg2rvgqAKo9x9rmlcnzML011vlNu5oLKAuCqJlH8W/Nnnh6LNcZJy8Cj+fqXPeWHS4Qk7nEAbYJN9/sNAUg/VzsP0yYejPfjwzoDDaPLvTHROwv9nZ+Lr/U5epHr231jc5+i3x8dLuBtg+aa5PHoS/Ml1a4811w3Bxj3u36q8UPJGnszQXLKCpucynVVstAj4ufhXhhNXJdK/U31Zrc6j3Skw4zgF8Ddv0
  template:
    metadata:
      creationTimestamp: null
      name: azuredns-config
      namespace: cert-manager
--- a/cluster-resources/letsencrypt-issuer.yaml
+++ b/cluster-resources/letsencrypt-issuer.yaml
@@ -12,22 +12,24 @@ spec:
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
    # DNS-01 solver for wildcard certificates (*.example.com)
    - dns01:
-        cloudflare:
+        azureDNS:
-          email: danijels@gmail.com
+          subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
-          apiTokenSecretRef:
+          resourceGroupName: forteapps-domain
-            name: cloudflare-api-token-secret
+          hostedZoneName: forteapps.net
-            key: api-token
+          environment: AzurePublicCloud
          clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
      selector:
        dnsNames:
-        - '*.example.com'
+        - '*.forteapps.net'
-        - 'example.com'
+        - 'forteapps.net'
    # HTTP-01 fallback for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
 ---
 # Production ClusterIssuer for browser-trusted certificates
 apiVersion: cert-manager.io/v1
@@ -42,28 +44,78 @@ spec:
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
-    # DNS-01 solver for wildcard certificates (*.example.com)
+    # DNS-01 solver for wildcard certificates (*.forteapps.net)
    - dns01:
-        cloudflare:
+        azureDNS:
-          email: danijels@gmail.com
+          subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
-          apiTokenSecretRef:
+          resourceGroupName: forteapps-domain
-            name: cloudflare-api-token-secret
+          hostedZoneName: forteapps.net
-            key: api-token
+          environment: AzurePublicCloud
          clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
      selector:
        dnsNames:
-        - '*.example.com'
+        - '*.forteapps.net'
-        - 'example.com'
+        - 'forteapps.net'
    # HTTP-01 fallback for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
 # =============================================================================
-# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
+# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES
 # =============================================================================
 #
 # PREREQUISITES IN AZURE DNS PORTAL:
 # ----------------------------------
 # 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your
 #    Azure subscription. If not, create it in Azure Portal:
 #    - Search for "DNS zones" → Create → Zone name: forteapps.net
 #    - Note the Resource Group where you create it (e.g., "dns-zones-rg")
 #
 # 2. Configure NS records at your domain registrar to point to Azure DNS:
 #    - In Azure Portal → DNS zones → forteapps.net
 #    - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.)
 #    - Go to your domain registrar and update the NS records to these values
 #
 # AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters):
 # ----------------------------------------------------------------------------
 # Since your cluster runs on UpCloud (not AKS), you must use Service Principal
 # authentication. Managed Identity only works with Azure-hosted resources.
 #
 # =============================================================================
 # SETUP: Service Principal for UpCloud Clusters
 # =============================================================================
 #
 # 1. Create Azure AD App Registration:
 #    az ad sp create-for-rbac --name cert-manager-dns --sdk-auth
 #    # Save the JSON output - you'll need appId (clientID) and password (clientSecret)
 #
 # 2. Assign DNS Zone Contributor role:
 #    az role assignment create \
 #      --role "DNS Zone Contributor" \
 #      --assignee <SERVICE_PRINCIPAL_CLIENT_ID> \
 #      --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<DNS_RESOURCE_GROUP>/providers/Microsoft.Network/dnszones/forteapps.net
 #
 # 3. Create Kubernetes secret for the service principal:
 #    kubectl create secret generic azuredns-config \
 #      --namespace cert-manager \
 #      --from-literal=client-secret=YOUR_CLIENT_SECRET
 #
 # 4. Update the ClusterIssuer above with:
 #    - subscriptionID: Your Azure subscription ID
 #    - resourceGroupName: The resource group containing your DNS zone
 #    - clientID: The Service Principal appId/clientID
 #    - clientSecretSecretRef: References the secret created in step 3
 #
 # =============================================================================
 # ALTERNATIVE DNS PROVIDERS (for reference):
 # =============================================================================
 # -----------------------------------------------------------------------------
-# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
+# Cloudflare (original configuration)
 # -----------------------------------------------------------------------------
 # Create secret with: kubectl create secret generic cloudflare-api-token-secret \
 #   --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
@@ -76,7 +128,7 @@ spec:
 #       key: api-token
 # -----------------------------------------------------------------------------
-# Option 2: AWS Route53
+# AWS Route53
 # -----------------------------------------------------------------------------
 # Create secret with: kubectl create secret generic route53-credentials \
 #   --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
@@ -84,34 +136,14 @@ spec:
 # dns01:
 #   route53:
 #     region: us-east-1
-#     hostedZoneID: ZXXXXXXXXXXXXX  # Optional: auto-detected if not specified
+#     hostedZoneID: ZXXXXXXXXXXXXX
 #     accessKeyID: YOUR_ACCESS_KEY_ID
 #     secretAccessKeySecretRef:
 #       name: route53-credentials
 #       key: secret-access-key
 # -----------------------------------------------------------------------------
-# Option 3: Azure DNS
+# Google Cloud DNS
 # -----------------------------------------------------------------------------
 # Create secret with: kubectl create secret generic azuredns-config \
 #   --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
 #
 # dns01:
 #   azureDNS:
 #     subscriptionID: YOUR_SUBSCRIPTION_ID
 #     resourceGroupName: YOUR_RESOURCE_GROUP
 #     hostedZoneName: example.com
 #     environment: AzurePublicCloud
 #     managedIdentity:
 #       clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID  # For AKS with pod identity
 #     # OR use service principal:
 #     # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
 #     # clientSecretSecretRef:
 #     #   name: azuredns-config
 #     #   key: client-secret
 # -----------------------------------------------------------------------------
 # Option 4: Google Cloud DNS
 # -----------------------------------------------------------------------------
 # Create secret with service account JSON key:
 # kubectl create secret generic clouddns-service-account \
@@ -120,13 +152,13 @@ spec:
 # dns01:
 #   cloudDNS:
 #     project: YOUR_GCP_PROJECT_ID
-#     hostedZoneName: example-com  # Managed zone name in Cloud DNS
+#     hostedZoneName: example-com
 #     serviceAccountSecretRef:
 #       name: clouddns-service-account
 #       key: service-account.json
 # -----------------------------------------------------------------------------
-# Option 5: GoDaddy
+# GoDaddy
 # -----------------------------------------------------------------------------
 # Requires external webhook: https://github.com/snowdrop/godaddy-webhook
 #
@@ -143,7 +175,7 @@ spec:
 #         key: api-secret
 # -----------------------------------------------------------------------------
-# Option 6: Manual/Dynamic DNS (for homelab)
+# Manual/Dynamic DNS (for homelab)
 # -----------------------------------------------------------------------------
 # Requires RFC2136 provider or external webhook
 #
@@ -154,4 +186,4 @@ spec:
 #     tsigAlgorithm: HMACSHA256
 #     tsigSecretSecretRef:
 #       name: tsig-secret
-#       key: secret
+#       key: secret