From 43722d6a4c0ac29913b06a9b7b6b4d37158d8701 Mon Sep 17 00:00:00 2001
From: Giovanni Tirloni
Date: Fri, 6 Sep 2024 13:18:17 -0300
Subject: [PATCH] [ATMOSPHERE-364] cert-manager: Add support for Azure DNS (#1601)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Reviewed-by: Guilherme Steinmüller
---
 doc/source/deploy/certificates.rst | 16 +++++++
 roles/cluster_issuer/defaults/main.yml | 9 ++++
 .../tasks/type/acme/solver/azuredns.yml | 43 +++++++++++++++++++
 3 files changed, 68 insertions(+)
 create mode 100644 roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml
diff --git a/doc/source/deploy/certificates.rst b/doc/source/deploy/certificates.rst
index 2e04abbaf..8f7f0939c 100644
--- a/doc/source/deploy/certificates.rst
+++ b/doc/source/deploy/certificates.rst
@@ -141,6 +141,22 @@ your ACME server can reach your API, you don't need to do anything else. If your ACME server cannot reach your API, you will need to use the ``DNS-01`` challenges which require you to configure your DNS provider.
+Azure DNS
+*********
+
+To configure cert-manager with Azure DNS, create a `Service Principal
+`_ and set the following variables:
+
+.. code-block:: yaml
+
+ cluster_issuer_acme_solver: azuredns
+ cluster_issuer_acme_azuredns_client_id:
+ cluster_issuer_acme_azuredns_client_secret:
+ cluster_issuer_acme_azuredns_subscription_id:
+ cluster_issuer_acme_azuredns_tenant_id:
+ cluster_issuer_acme_azuredns_resourcegroup_name:
+ cluster_issuer_acme_azuredns_hostedzone_name:
+
 RFC2136
 *******
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 38ef2ba38..8bcfddc2c 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -98,3 +98,12 @@ cluster_issuer_ca_secret_name: cert-manager-issuer-ca
 cluster_issuer_self_signed_certificate_name: self-signed-ca
 cluster_issuer_self_signed_secret_name: cert-manager-selfsigned-ca
+
+cluster_issuer_acme_azuredns_secret_name: cert-manager-issuer-azuredns-credentials
+cluster_issuer_acme_azuredns_environment: AzurePublicCloud
+# cluster_issuer_acme_azuredns_client_id:
+# cluster_issuer_acme_azuredns_client_secret:
+# cluster_issuer_acme_azuredns_subscription_id:
+# cluster_issuer_acme_azuredns_tenant_id:
+# cluster_issuer_acme_azuredns_resourcegroup_name:
+# cluster_issuer_acme_azuredns_hostedzone_name:
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml b/roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml
new file mode 100644
index 000000000..d8107ef8d
--- /dev/null
+++ b/roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) VEXXHOST, Inc.
+
+- name: Create ClusterIssuer
+ run_once: true
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ - apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "{{ cluster_issuer_acme_azuredns_secret_name }}"
+ namespace: cert-manager
+ app.kubernetes.io/part-of: cert-manager
+ app.kubernetes.io/managed-by: Ansible
+ type: Opaque
+ stringData:
+ client-secret: "{{ cluster_issuer_acme_azuredns_client_secret }}"
+
+ - apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: "{{ cluster_issuer_name }}"
+ app.kubernetes.io/part-of: cert-manager
+ app.kubernetes.io/managed-by: Ansible
+ spec:
+ acme:
+ email: "{{ cluster_issuer_acme_email }}"
+ server: "{{ cluster_issuer_acme_server }}"
+ privateKeySecretRef:
+ name: "{{ cluster_issuer_acme_private_key_secret_name }}"
+ solvers:
+ - dns01:
+ azureDNS:
+ clientID: "{{ cluster_issuer_acme_azuredns_client_id }}"
+ clientSecretSecretRef:
+ name: "{{ cluster_issuer_acme_azuredns_secret_name }}"
+ key: client-secret
+ subscriptionID: "{{ cluster_issuer_acme_azuredns_subscription_id }}"
+ tenantID: "{{ cluster_issuer_acme_azuredns_tenant_id }}"
+ resourceGroupName: "{{ cluster_issuer_acme_azuredns_resourcegroup_name }}"
+ hostedZoneName: "{{ cluster_issuer_acme_azuredns_hostedzone_name }}"
+ environment: "{{ cluster_issuer_acme_azuredns_environment }}"
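Review bot: The task that renders `client-secret: "{{ cluster_issuer_acme_azuredns_client_secret }}"` into the Secret's `stringData` carries no `no_log`, so the service-principal secret ends up in the play output at increased verbosity, both in the module invocation and in the returned Secret object (where the API server hands it back base64-encoded under `data`). Add `no_log: true` beside `run_once: true`, and if the sibling solver task files in this directory already do so, match their placement. Separately, as printed `app.kubernetes.io/part-of` and `app.kubernetes.io/managed-by` sit directly under `metadata:` on both objects with no `labels:` key between them, and the hunk header's 43-line count leaves no room for one; if that is the real layout, the API server either rejects the definition or drops those fields depending on its field-validation mode, so nest them under `labels:`. A short comment above the task noting which Azure role the service principal needs on the hosted zone would also help the next operator scope its permissions, since the page only says "create a Service Principal".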