[ATMOSPHERE-364] cert-manager: Add support for Azure DNS (#1601)

Reviewed-by: Guilherme Steinmüller <[email protected]>

doc/source/deploy/certificates.rst

@@ -141,6 +141,22 @@ your ACME server can reach your API, you don't need to do anything else.
 If your ACME server cannot reach your API, you will need to use the ``DNS-01``
 challenges which require you to configure your DNS provider.
 
+Azure DNS
+*********
+
+To configure cert-manager with Azure DNS, create a `Service Principal
+<https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#service-principal>`_ and set the following variables:
+
+.. code-block:: yaml
+
+  cluster_issuer_acme_solver: azuredns
+  cluster_issuer_acme_azuredns_client_id: <CLIENT_ID>
+  cluster_issuer_acme_azuredns_client_secret: <CLIENT_SECRET>
+  cluster_issuer_acme_azuredns_subscription_id: <SUBSCRIPTION_ID>
+  cluster_issuer_acme_azuredns_tenant_id: <TENANT_ID>
+  cluster_issuer_acme_azuredns_resourcegroup_name: <RESOURCEGROUP_NAME>
+  cluster_issuer_acme_azuredns_hostedzone_name: <HOSTEDZONE_NAME>
+
 RFC2136
 *******
 

roles/cluster_issuer/defaults/main.yml

@@ -98,3 +98,12 @@ cluster_issuer_ca_secret_name: cert-manager-issuer-ca
 
 cluster_issuer_self_signed_certificate_name: self-signed-ca
 cluster_issuer_self_signed_secret_name: cert-manager-selfsigned-ca
+
+cluster_issuer_acme_azuredns_secret_name: cert-manager-issuer-azuredns-credentials
+cluster_issuer_acme_azuredns_environment: AzurePublicCloud
+# cluster_issuer_acme_azuredns_client_id:
+# cluster_issuer_acme_azuredns_client_secret:
+# cluster_issuer_acme_azuredns_subscription_id:
+# cluster_issuer_acme_azuredns_tenant_id:
+# cluster_issuer_acme_azuredns_resourcegroup_name:
+# cluster_issuer_acme_azuredns_hostedzone_name:

roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml

@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) VEXXHOST, Inc.
+
+- name: Create ClusterIssuer
+  run_once: true
+  kubernetes.core.k8s:
+    state: present
+    definition:
+      - apiVersion: v1
+        kind: Secret
+        metadata:
+          name: "{{ cluster_issuer_acme_azuredns_secret_name }}"
+          namespace: cert-manager
+          app.kubernetes.io/part-of: cert-manager
+          app.kubernetes.io/managed-by: Ansible
+        type: Opaque
+        stringData:
+          client-secret: "{{ cluster_issuer_acme_azuredns_client_secret }}"
+
+      - apiVersion: cert-manager.io/v1
+        kind: ClusterIssuer
+        metadata:
+          name: "{{ cluster_issuer_name }}"
+          app.kubernetes.io/part-of: cert-manager
+          app.kubernetes.io/managed-by: Ansible
+        spec:
+          acme:
+            email: "{{ cluster_issuer_acme_email }}"
+            server: "{{ cluster_issuer_acme_server }}"
+            privateKeySecretRef:
+              name: "{{ cluster_issuer_acme_private_key_secret_name }}"
+            solvers:
+              - dns01:
+                  azureDNS:
+                    clientID: "{{ cluster_issuer_acme_azuredns_client_id }}"
+                    clientSecretSecretRef:
+                      name: "{{ cluster_issuer_acme_azuredns_secret_name }}"
+                      key: client-secret
+                    subscriptionID: "{{ cluster_issuer_acme_azuredns_subscription_id }}"
+                    tenantID: "{{ cluster_issuer_acme_azuredns_tenant_id }}"
+                    resourceGroupName: "{{ cluster_issuer_acme_azuredns_resourcegroup_name }}"
+                    hostedZoneName: "{{ cluster_issuer_acme_azuredns_hostedzone_name }}"
+                    environment: "{{ cluster_issuer_acme_azuredns_environment }}"