openshift-docs/modules/cert-manager-acme-dns01-explicit-azure.adoc

// Module included in the following assemblies:
//
// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc

:_mod-docs-content-type: PROCEDURE
[id="cert-manager-acme-dns01-explicit-azure_{context}"]
= Configuring an ACME issuer by using explicit credentials for Microsoft Azure DNS

[role="_abstract"]
You can use {cert-manager-operator} to set up an ACME issuer to solve DNS-01 challenges by using explicit credentials on Microsoft Azure. This procedure uses _Let's Encrypt_ as the ACME CA server and shows how to solve DNS-01 challenges with Azure DNS.

.Prerequisites

* You have set up a service principal with desired role for Azure DNS. For more information, see link:https://cert-manager.io/docs/configuration/acme/dns01/azuredns/[Azure DNS] in the upstream cert-manager documentation.
+
[NOTE]
====
You can follow this procedure for an {product-title} cluster that is not running on Microsoft Azure.
====

.Procedure

. Optional: Override the nameserver settings for the DNS-01 self check.
+
This step is required only when the target public-hosted zone overlaps with the cluster's default private-hosted zone.

.. Edit the `CertManager` resource by running the following command:
+
[source,terminal]
----
$ oc edit certmanager cluster
----

.. Add a `spec.controllerConfig` section with the following override arguments:
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
  ...
spec:
  ...
  controllerConfig:
    overrideArgs:
      - '--dns01-recursive-nameservers-only'
      - '--dns01-recursive-nameservers=1.1.1.1:53'
----
+
where:
+
`--dns01-recursive-nameservers-only`:: Specifies recursive name servers instead of checking the authoritative name servers associated with that domain.
`--dns01-recursive-nameservers=1.1.1.1:53`:: Specifies a comma-separated list of `<host>:<port>` name servers to query for the DNS-01 self check. You must use a `1.1.1.1:53` value to avoid the public and private zones overlapping.

.. Save the file to apply the changes.

. Optional: Create a namespace for the issuer:
+
[source,terminal]
----
$ oc new-project my-issuer-namespace
----

. Create a secret to store your Azure credentials in by running the following command:
+
[source,terminal]
----
$ oc create secret generic <secret_name> --from-literal=<azure_secret_access_key_name>=<azure_secret_access_key_value> \
    -n my-issuer-namespace
----
+
* Replace `<secret_name>` with your secret name.
* Replace `<azure_secret_access_key_name>` with your Azure secret access key name.
* Replace `<azure_secret_access_key_value>` with your Azure secret key.

. Create an issuer:

.. Create a YAML file, for example, `issuer.yaml`, that defines the `Issuer` object:
+
[source,yaml]
----
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <acme-dns01-azuredns-issuer>
  namespace: <issuer_namespace>
spec:
  acme:
    preferredChain: ""
    privateKeySecretRef:
      name: <secret_private_key>
    server: <server>
    solvers:
    - dns01:
        azureDNS:
          clientID: <azure_client_id>
          clientSecretSecretRef:
            name: <secret_name>
            key: <azure_secret_access_key_name>
          subscriptionID: <azure_subscription_id>
          tenantID: <azure_tenant_id>
          resourceGroupName: <azure_dns_zone_resource_group>
          hostedZoneName: <azure_dns_zone>
          environment: AzurePublicCloud
----
+
where:
+
`<acme-dns01-azuredns-issuer>`:: Specifies a name for the issuer.
`<issuer_namespace>`:: Specifies your issuer namespace.
`<secret_private_key>`:: Specifies the name of the secret to store the ACME account private key in.
`<server>`:: Specifies the URL to access the ACME server's `directory` endpoint. This example uses the _Let's Encrypt_ staging environment.
`<azure_client_id>`:: Specifies your Azure client ID.
`<secret_name>`:: Specifies a name of the client secret.
`<azure_secret_access_key_name>`:: Specifies the client secret key name.
`<azure_subscription_id>`:: Specifies your Azure subscription ID.
`<azure_tenant_id>`:: Specifies your Azure tenant ID.
`<azure_dns_zone_resource_group>`:: Specifies the name of the Azure DNS zone resource group.
`<azure_dns_zone>`:: Specifies the name of Azure DNS zone.

.. Create the `Issuer` object by running the following command:
+
[source,terminal]
----
$ oc create -f issuer.yaml
----