modules/cert-manager-acme-dns01-explicit-azure.adoc

// Module included in the following assemblies:
//
// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc

:_mod-docs-content-type: PROCEDURE
[id="cert-manager-acme-dns01-explicit-azure_{context}"]
= Configuring an ACME issuer by using explicit credentials for Microsoft Azure DNS

You can use {cert-manager-operator} to set up an ACME issuer to solve DNS-01 challenges by using explicit credentials on Microsoft Azure. This procedure uses _Let's Encrypt_ as the ACME CA server and shows how to solve DNS-01 challenges with Azure DNS.

.Prerequisites

* You have set up a service principal with desired role for Azure DNS. For more information, see link:https://cert-manager.io/docs/configuration/acme/dns01/azuredns/[Azure DNS] in the upstream cert-manager documentation.
+
[NOTE]
====
You can follow this procedure for an {product-title} cluster that is not running on Microsoft Azure.
====

.Procedure

. Optional: Override the nameserver settings for the DNS-01 self check.
+
This step is required only when the target public-hosted zone overlaps with the cluster's default private-hosted zone.

.. Edit the `CertManager` resource by running the following command:
+
[source,terminal]
----
$ oc edit certmanager cluster
----

.. Add a `spec.controllerConfig` section with the following override arguments:
+
[source,yaml]
----
apiVersion: operator.openshift.io/v1alpha1
kind: CertManager
metadata:
  name: cluster
  ...
spec:
  ...
  controllerConfig:                                <1>
    overrideArgs:
      - '--dns01-recursive-nameservers-only'       <2>
      - '--dns01-recursive-nameservers=1.1.1.1:53' <3>
----
<1> Add the `spec.controllerConfig` section.
<2> Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.
<3> Provide a comma-separated list of `<host>:<port>` nameservers to query for the DNS-01 self check. You must use a `1.1.1.1:53` value to avoid the public and private zones overlapping.

.. Save the file to apply the changes.

. Optional: Create a namespace for the issuer:
+
[source,terminal]
----
$ oc new-project my-issuer-namespace
----

. Create a secret to store your Azure credentials in by running the following command:
+
[source,terminal]
----
$ oc create secret generic <secret_name> --from-literal=<azure_secret_access_key_name>=<azure_secret_access_key_value> \ <1> <2> <3>
    -n my-issuer-namespace
----
<1> Replace `<secret_name>` with your secret name.
<2> Replace `<azure_secret_access_key_name>` with your Azure secret access key name.
<3> Replace `<azure_secret_access_key_value>` with your Azure secret key.

. Create an issuer:

.. Create a YAML file that defines the `Issuer` object:
+
.Example `issuer.yaml` file
[source,yaml]
----
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: <acme-dns01-azuredns-issuer>   <1>
  namespace: <issuer_namespace>   <2>
spec:
  acme:
    preferredChain: ""
    privateKeySecretRef:
      name: <secret_private_key> <3>
    server: https://acme-staging-v02.api.letsencrypt.org/directory <4>
    solvers:
    - dns01:
        azureDNS:
          clientID: <azure_client_id> <5>
          clientSecretSecretRef:
            name: <secret_name> <6>
            key: <azure_secret_access_key_name> <7>
          subscriptionID: <azure_subscription_id> <8>
          tenantID: <azure_tenant_id> <9>
          resourceGroupName: <azure_dns_zone_resource_group> <10>
          hostedZoneName: <azure_dns_zone> <11>
          environment: AzurePublicCloud
----
<1> Provide a name for the issuer.
<2> Replace `<issuer_namespace>` with your issuer namespace.
<3> Replace `<secret_private_key>` with the name of the secret to store the ACME account private key in.
<4> Specify the URL to access the ACME server's `directory` endpoint. This example uses the _Let's Encrypt_ staging environment.
<5> Replace `<azure_client_id>` with your Azure client ID.
<6> Replace `<secret_name>` with a name of the client secret.
<7> Replace `<azure_secret_access_key_name>` with the client secret key name.
<8> Replace `<azure_subscription_id>` with your Azure subscription ID.
<9> Replace `<azure_tenant_id>` with your Azure tenant ID.
<10> Replace `<azure_dns_zone_resource_group>` with the name of the Azure DNS zone resource group.
<11> Replace `<azure_dns_zone>` with the name of Azure DNS zone.

.. Create the `Issuer` object by running the following command:
+
[source,terminal]
----
$ oc create -f issuer.yaml
----
OSDOCS#6017 cert-manager : Configuring an ACME issuer 2023-05-09 12:26:37 +05:30			`// Module included in the following assemblies:`
			`//`
			`// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc`

[enterprise-4.14] changing content type attribute 2023-10-30 10:13:25 -04:00			`:_mod-docs-content-type: PROCEDURE`
OSDOCS#6017 cert-manager : Configuring an ACME issuer 2023-05-09 12:26:37 +05:30			`[id="cert-manager-acme-dns01-explicit-azure_{context}"]`
			`= Configuring an ACME issuer by using explicit credentials for Microsoft Azure DNS`

			`You can use {cert-manager-operator} to set up an ACME issuer to solve DNS-01 challenges by using explicit credentials on Microsoft Azure. This procedure uses _Let's Encrypt_ as the ACME CA server and shows how to solve DNS-01 challenges with Azure DNS.`

			`.Prerequisites`

			`* You have set up a service principal with desired role for Azure DNS. For more information, see link:https://cert-manager.io/docs/configuration/acme/dns01/azuredns/[Azure DNS] in the upstream cert-manager documentation.`
			`+`
			`[NOTE]`
			`====`
			`You can follow this procedure for an {product-title} cluster that is not running on Microsoft Azure.`
			`====`

			`.Procedure`

			`. Optional: Override the nameserver settings for the DNS-01 self check.`
			`+`
			`This step is required only when the target public-hosted zone overlaps with the cluster's default private-hosted zone.`

			.. Edit the `CertManager` resource by running the following command:
			`+`
			`[source,terminal]`
			`----`
			`$ oc edit certmanager cluster`
			`----`

			.. Add a `spec.controllerConfig` section with the following override arguments:
			`+`
			`[source,yaml]`
			`----`
			`apiVersion: operator.openshift.io/v1alpha1`
			`kind: CertManager`
			`metadata:`
			`name: cluster`
			`...`
			`spec:`
			`...`
			`controllerConfig: <1>`
			`overrideArgs:`
			`- '--dns01-recursive-nameservers-only' <2>`
			`- '--dns01-recursive-nameservers=1.1.1.1:53' <3>`
			`----`
			<1> Add the `spec.controllerConfig` section.
			`<2> Specify to only use recursive nameservers instead of checking the authoritative nameservers associated with that domain.`
			<3> Provide a comma-separated list of `<host>:<port>` nameservers to query for the DNS-01 self check. You must use a `1.1.1.1:53` value to avoid the public and private zones overlapping.

			`.. Save the file to apply the changes.`

			`. Optional: Create a namespace for the issuer:`
			`+`
			`[source,terminal]`
			`----`
			`$ oc new-project my-issuer-namespace`
			`----`

			`. Create a secret to store your Azure credentials in by running the following command:`
			`+`
			`[source,terminal]`
			`----`
			`$ oc create secret generic <secret_name> --from-literal=<azure_secret_access_key_name>=<azure_secret_access_key_value> \ <1> <2> <3>`
			`-n my-issuer-namespace`
			`----`
			<1> Replace `<secret_name>` with your secret name.
			<2> Replace `<azure_secret_access_key_name>` with your Azure secret access key name.
			<3> Replace `<azure_secret_access_key_value>` with your Azure secret key.

			`. Create an issuer:`

			.. Create a YAML file that defines the `Issuer` object:
			`+`
			.Example `issuer.yaml` file
			`[source,yaml]`
			`----`
			`apiVersion: cert-manager.io/v1`
			`kind: Issuer`
			`metadata:`
			`name: <acme-dns01-azuredns-issuer> <1>`
			`namespace: <issuer_namespace> <2>`
			`spec:`
			`acme:`
			`preferredChain: ""`
			`privateKeySecretRef:`
			`name: <secret_private_key> <3>`
			`server: https://acme-staging-v02.api.letsencrypt.org/directory <4>`
			`solvers:`
			`- dns01:`
			`azureDNS:`
			`clientID: <azure_client_id> <5>`
			`clientSecretSecretRef:`
			`name: <secret_name> <6>`
			`key: <azure_secret_access_key_name> <7>`
			`subscriptionID: <azure_subscription_id> <8>`
			`tenantID: <azure_tenant_id> <9>`
			`resourceGroupName: <azure_dns_zone_resource_group> <10>`
			`hostedZoneName: <azure_dns_zone> <11>`
			`environment: AzurePublicCloud`
			`----`
			`<1> Provide a name for the issuer.`
			<2> Replace `<issuer_namespace>` with your issuer namespace.
			<3> Replace `<secret_private_key>` with the name of the secret to store the ACME account private key in.
			<4> Specify the URL to access the ACME server's `directory` endpoint. This example uses the _Let's Encrypt_ staging environment.
			<5> Replace `<azure_client_id>` with your Azure client ID.
			<6> Replace `<secret_name>` with a name of the client secret.
			<7> Replace `<azure_secret_access_key_name>` with the client secret key name.
			<8> Replace `<azure_subscription_id>` with your Azure subscription ID.
			<9> Replace `<azure_tenant_id>` with your Azure tenant ID.
			<10> Replace `<azure_dns_zone_resource_group>` with the name of the Azure DNS zone resource group.
			<11> Replace `<azure_dns_zone>` with the name of Azure DNS zone.

			.. Create the `Issuer` object by running the following command:
			`+`
			`[source,terminal]`
			`----`
			`$ oc create -f issuer.yaml`
			`----`