dns01 azure
This commit is contained in:
15
cluster-resources/azuredns-config-sealed.yaml
Normal file
15
cluster-resources/azuredns-config-sealed.yaml
Normal file
@@ -0,0 +1,15 @@
|
||||
---
|
||||
apiVersion: bitnami.com/v1alpha1
|
||||
kind: SealedSecret
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: azuredns-config
|
||||
namespace: cert-manager
|
||||
spec:
|
||||
encryptedData:
|
||||
client-secret: AgBPCix6yTt8gXV2pMfRx6weWtLWUeMa/cBwuaDBZkqZE4CTSDxjQWWK8ul5OtndlEX7+gXV2HpuAmHRhGC8P1z39yWRxIDbKf+AH4JOGSIfu57tnrGvzAwjanKtqeFCEM67Y42Kz1rahCEtdwJj2YIL9oVdCtRPkpAJrAJclqmrCvJZtqQYcDeEn5ONK5Gchxc6x2/J0U0LTjLz/MP74CEKw3CiZ+9VKA4ppvPqjqoE4yyAXSglSnhYTqtMZpFg5sr+at6rAB1ufmtiS70Vfks46OL0/ZJjdS6h5wjIZhl/1DgIFXqc1yoAjuEoMRzMeW9ji1PnjRqas4lU19tuEOf9/Eq65BYOqSIqJ3saG4I/+z013coCGCalo4ghuufmu5pcsi6ywcszz+g20N/PZcVcLbzZbMnKcXsaE007MDLxGY1QD89aribAvsypDUNEuNh7w2n/OAyQdw+nRDGIi8Oz3FoJUmC0HBxin2hstuBnrAXtxdqRX1NU25HfR2s3qt/yQ33TFx4xHA3NAll8Riyg2rvgqAKo9x9rmlcnzML011vlNu5oLKAuCqJlH8W/Nnnh6LNcZJy8Cj+fqXPeWHS4Qk7nEAbYJN9/sNAUg/VzsP0yYejPfjwzoDDaPLvTHROwv9nZ+Lr/U5epHr231jc5+i3x8dLuBtg+aa5PHoS/Ml1a4811w3Bxj3u36q8UPJGnszQXLKCpucynVVstAj4ufhXhhNXJdK/U31Zrc6j3Skw4zgF8Ddv0
|
||||
template:
|
||||
metadata:
|
||||
creationTimestamp: null
|
||||
name: azuredns-config
|
||||
namespace: cert-manager
|
||||
@@ -12,22 +12,24 @@ spec:
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-staging-key
|
||||
solvers:
|
||||
# DNS-01 solver for wildcard certificates (*.example.com)
|
||||
- dns01:
|
||||
cloudflare:
|
||||
email: danijels@gmail.com
|
||||
apiTokenSecretRef:
|
||||
name: cloudflare-api-token-secret
|
||||
key: api-token
|
||||
azureDNS:
|
||||
subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
|
||||
resourceGroupName: forteapps-domain
|
||||
hostedZoneName: forteapps.net
|
||||
environment: AzurePublicCloud
|
||||
clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
|
||||
clientSecretSecretRef:
|
||||
name: azuredns-config
|
||||
key: client-secret
|
||||
selector:
|
||||
dnsNames:
|
||||
- '*.example.com'
|
||||
- 'example.com'
|
||||
- '*.forteapps.net'
|
||||
- 'forteapps.net'
|
||||
# HTTP-01 fallback for non-wildcard certificates
|
||||
- http01:
|
||||
ingress:
|
||||
class: traefik
|
||||
|
||||
---
|
||||
# Production ClusterIssuer for browser-trusted certificates
|
||||
apiVersion: cert-manager.io/v1
|
||||
@@ -42,28 +44,78 @@ spec:
|
||||
privateKeySecretRef:
|
||||
name: letsencrypt-prod-key
|
||||
solvers:
|
||||
# DNS-01 solver for wildcard certificates (*.example.com)
|
||||
# DNS-01 solver for wildcard certificates (*.forteapps.net)
|
||||
- dns01:
|
||||
cloudflare:
|
||||
email: danijels@gmail.com
|
||||
apiTokenSecretRef:
|
||||
name: cloudflare-api-token-secret
|
||||
key: api-token
|
||||
azureDNS:
|
||||
subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
|
||||
resourceGroupName: forteapps-domain
|
||||
hostedZoneName: forteapps.net
|
||||
environment: AzurePublicCloud
|
||||
clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
|
||||
clientSecretSecretRef:
|
||||
name: azuredns-config
|
||||
key: client-secret
|
||||
selector:
|
||||
dnsNames:
|
||||
- '*.example.com'
|
||||
- 'example.com'
|
||||
- '*.forteapps.net'
|
||||
- 'forteapps.net'
|
||||
# HTTP-01 fallback for non-wildcard certificates
|
||||
- http01:
|
||||
ingress:
|
||||
class: traefik
|
||||
|
||||
# =============================================================================
|
||||
# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
|
||||
# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES
|
||||
# =============================================================================
|
||||
#
|
||||
# PREREQUISITES IN AZURE DNS PORTAL:
|
||||
# ----------------------------------
|
||||
# 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your
|
||||
# Azure subscription. If not, create it in Azure Portal:
|
||||
# - Search for "DNS zones" → Create → Zone name: forteapps.net
|
||||
# - Note the Resource Group where you create it (e.g., "dns-zones-rg")
|
||||
#
|
||||
# 2. Configure NS records at your domain registrar to point to Azure DNS:
|
||||
# - In Azure Portal → DNS zones → forteapps.net
|
||||
# - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.)
|
||||
# - Go to your domain registrar and update the NS records to these values
|
||||
#
|
||||
# AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters):
|
||||
# ----------------------------------------------------------------------------
|
||||
# Since your cluster runs on UpCloud (not AKS), you must use Service Principal
|
||||
# authentication. Managed Identity only works with Azure-hosted resources.
|
||||
#
|
||||
# =============================================================================
|
||||
# SETUP: Service Principal for UpCloud Clusters
|
||||
# =============================================================================
|
||||
#
|
||||
# 1. Create Azure AD App Registration:
|
||||
# az ad sp create-for-rbac --name cert-manager-dns --sdk-auth
|
||||
# # Save the JSON output - you'll need appId (clientID) and password (clientSecret)
|
||||
#
|
||||
# 2. Assign DNS Zone Contributor role:
|
||||
# az role assignment create \
|
||||
# --role "DNS Zone Contributor" \
|
||||
# --assignee <SERVICE_PRINCIPAL_CLIENT_ID> \
|
||||
# --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<DNS_RESOURCE_GROUP>/providers/Microsoft.Network/dnszones/forteapps.net
|
||||
#
|
||||
# 3. Create Kubernetes secret for the service principal:
|
||||
# kubectl create secret generic azuredns-config \
|
||||
# --namespace cert-manager \
|
||||
# --from-literal=client-secret=YOUR_CLIENT_SECRET
|
||||
#
|
||||
# 4. Update the ClusterIssuer above with:
|
||||
# - subscriptionID: Your Azure subscription ID
|
||||
# - resourceGroupName: The resource group containing your DNS zone
|
||||
# - clientID: The Service Principal appId/clientID
|
||||
# - clientSecretSecretRef: References the secret created in step 3
|
||||
#
|
||||
# =============================================================================
|
||||
# ALTERNATIVE DNS PROVIDERS (for reference):
|
||||
# =============================================================================
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
|
||||
# Cloudflare (original configuration)
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
|
||||
# --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
|
||||
@@ -76,7 +128,7 @@ spec:
|
||||
# key: api-token
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Option 2: AWS Route53
|
||||
# AWS Route53
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with: kubectl create secret generic route53-credentials \
|
||||
# --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
|
||||
@@ -84,34 +136,14 @@ spec:
|
||||
# dns01:
|
||||
# route53:
|
||||
# region: us-east-1
|
||||
# hostedZoneID: ZXXXXXXXXXXXXX # Optional: auto-detected if not specified
|
||||
# hostedZoneID: ZXXXXXXXXXXXXX
|
||||
# accessKeyID: YOUR_ACCESS_KEY_ID
|
||||
# secretAccessKeySecretRef:
|
||||
# name: route53-credentials
|
||||
# key: secret-access-key
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Option 3: Azure DNS
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with: kubectl create secret generic azuredns-config \
|
||||
# --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
|
||||
#
|
||||
# dns01:
|
||||
# azureDNS:
|
||||
# subscriptionID: YOUR_SUBSCRIPTION_ID
|
||||
# resourceGroupName: YOUR_RESOURCE_GROUP
|
||||
# hostedZoneName: example.com
|
||||
# environment: AzurePublicCloud
|
||||
# managedIdentity:
|
||||
# clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID # For AKS with pod identity
|
||||
# # OR use service principal:
|
||||
# # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
|
||||
# # clientSecretSecretRef:
|
||||
# # name: azuredns-config
|
||||
# # key: client-secret
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Option 4: Google Cloud DNS
|
||||
# Google Cloud DNS
|
||||
# -----------------------------------------------------------------------------
|
||||
# Create secret with service account JSON key:
|
||||
# kubectl create secret generic clouddns-service-account \
|
||||
@@ -120,13 +152,13 @@ spec:
|
||||
# dns01:
|
||||
# cloudDNS:
|
||||
# project: YOUR_GCP_PROJECT_ID
|
||||
# hostedZoneName: example-com # Managed zone name in Cloud DNS
|
||||
# hostedZoneName: example-com
|
||||
# serviceAccountSecretRef:
|
||||
# name: clouddns-service-account
|
||||
# key: service-account.json
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Option 5: GoDaddy
|
||||
# GoDaddy
|
||||
# -----------------------------------------------------------------------------
|
||||
# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
|
||||
#
|
||||
@@ -143,7 +175,7 @@ spec:
|
||||
# key: api-secret
|
||||
|
||||
# -----------------------------------------------------------------------------
|
||||
# Option 6: Manual/Dynamic DNS (for homelab)
|
||||
# Manual/Dynamic DNS (for homelab)
|
||||
# -----------------------------------------------------------------------------
|
||||
# Requires RFC2136 provider or external webhook
|
||||
#
|
||||
|
||||
Reference in New Issue
Block a user