mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
128 lines
4.3 KiB
Plaintext
128 lines
4.3 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * security/cert_manager_operator/cert-manager-operator-issuer-acme.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="cert-manager-acme-dns01-explicit-azure_{context}"]
|
|
= Configuring an ACME issuer by using explicit credentials for Microsoft Azure DNS
|
|
|
|
[role="_abstract"]
|
|
You can use {cert-manager-operator} to set up an ACME issuer to solve DNS-01 challenges by using explicit credentials on Microsoft Azure. This procedure uses _Let's Encrypt_ as the ACME CA server and shows how to solve DNS-01 challenges with Azure DNS.
|
|
|
|
.Prerequisites
|
|
|
|
* You have set up a service principal with desired role for Azure DNS. For more information, see link:https://cert-manager.io/docs/configuration/acme/dns01/azuredns/[Azure DNS] in the upstream cert-manager documentation.
|
|
+
|
|
[NOTE]
|
|
====
|
|
You can follow this procedure for an {product-title} cluster that is not running on Microsoft Azure.
|
|
====
|
|
|
|
.Procedure
|
|
|
|
. Optional: Override the nameserver settings for the DNS-01 self check.
|
|
+
|
|
This step is required only when the target public-hosted zone overlaps with the cluster's default private-hosted zone.
|
|
|
|
.. Edit the `CertManager` resource by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc edit certmanager cluster
|
|
----
|
|
|
|
.. Add a `spec.controllerConfig` section with the following override arguments:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: operator.openshift.io/v1alpha1
|
|
kind: CertManager
|
|
metadata:
|
|
name: cluster
|
|
...
|
|
spec:
|
|
...
|
|
controllerConfig:
|
|
overrideArgs:
|
|
- '--dns01-recursive-nameservers-only'
|
|
- '--dns01-recursive-nameservers=1.1.1.1:53'
|
|
----
|
|
+
|
|
where:
|
|
+
|
|
`--dns01-recursive-nameservers-only`:: Specifies recursive name servers instead of checking the authoritative name servers associated with that domain.
|
|
`--dns01-recursive-nameservers=1.1.1.1:53`:: Specifies a comma-separated list of `<host>:<port>` name servers to query for the DNS-01 self check. You must use a `1.1.1.1:53` value to avoid the public and private zones overlapping.
|
|
|
|
.. Save the file to apply the changes.
|
|
|
|
. Optional: Create a namespace for the issuer:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc new-project my-issuer-namespace
|
|
----
|
|
|
|
. Create a secret to store your Azure credentials in by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create secret generic <secret_name> --from-literal=<azure_secret_access_key_name>=<azure_secret_access_key_value> \
|
|
-n my-issuer-namespace
|
|
----
|
|
+
|
|
* Replace `<secret_name>` with your secret name.
|
|
* Replace `<azure_secret_access_key_name>` with your Azure secret access key name.
|
|
* Replace `<azure_secret_access_key_value>` with your Azure secret key.
|
|
|
|
. Create an issuer:
|
|
|
|
.. Create a YAML file, for example, `issuer.yaml`, that defines the `Issuer` object:
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Issuer
|
|
metadata:
|
|
name: <acme-dns01-azuredns-issuer>
|
|
namespace: <issuer_namespace>
|
|
spec:
|
|
acme:
|
|
preferredChain: ""
|
|
privateKeySecretRef:
|
|
name: <secret_private_key>
|
|
server: <server>
|
|
solvers:
|
|
- dns01:
|
|
azureDNS:
|
|
clientID: <azure_client_id>
|
|
clientSecretSecretRef:
|
|
name: <secret_name>
|
|
key: <azure_secret_access_key_name>
|
|
subscriptionID: <azure_subscription_id>
|
|
tenantID: <azure_tenant_id>
|
|
resourceGroupName: <azure_dns_zone_resource_group>
|
|
hostedZoneName: <azure_dns_zone>
|
|
environment: AzurePublicCloud
|
|
----
|
|
+
|
|
where:
|
|
+
|
|
`<acme-dns01-azuredns-issuer>`:: Specifies a name for the issuer.
|
|
`<issuer_namespace>`:: Specifies your issuer namespace.
|
|
`<secret_private_key>`:: Specifies the name of the secret to store the ACME account private key in.
|
|
`<server>`:: Specifies the URL to access the ACME server's `directory` endpoint. This example uses the _Let's Encrypt_ staging environment.
|
|
`<azure_client_id>`:: Specifies your Azure client ID.
|
|
`<secret_name>`:: Specifies a name of the client secret.
|
|
`<azure_secret_access_key_name>`:: Specifies the client secret key name.
|
|
`<azure_subscription_id>`:: Specifies your Azure subscription ID.
|
|
`<azure_tenant_id>`:: Specifies your Azure tenant ID.
|
|
`<azure_dns_zone_resource_group>`:: Specifies the name of the Azure DNS zone resource group.
|
|
`<azure_dns_zone>`:: Specifies the name of Azure DNS zone.
|
|
|
|
.. Create the `Issuer` object by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f issuer.yaml
|
|
----
|