AzureDNS

Configuring the AzureDNS DNS01 Challenge for a Kubernetes cluster requires creating a service principal in Azure.

For security purposes, it is appropriate to utilize RBAC to ensure that you properly maintain access control to your resources in Azure. The service principal that is generated by this tutorial has fine-grained access to ONLY the DNS Zone in the specific resource group specified. It requires this permission so that it can read/write the _acme-challenge TXT records to the zone.

To create the service principal you can use the following script (requires azure-cli and jq):

$ AZURE_CERT_MANAGER_SP_NAME=SOME_SERVICE_PRINCIPAL_NAME
$ AZURE_CERT_MANAGER_DNS_RESOURCE_GROUP=SOME_RESOURCE_GROUP
$ AZURE_CERT_MANAGER_DNS_NAME=SOME_DNS_ZONE

$ DNS_SP=$(az ad sp create-for-rbac --name $AZURE_CERT_MANAGER_SP_NAME)
$ AZURE_CERT_MANAGER_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')
$ AZURE_CERT_MANAGER_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')

Lower the permissions of the SP by removing the subscription-wide Contributor role that create-for-rbac assigned by default.

$ az role assignment delete --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role Contributor

Give Access to DNS Zone.

$ DNS_ID=$(az network dns zone show --name $AZURE_CERT_MANAGER_DNS_NAME --resource-group $AZURE_CERT_MANAGER_DNS_RESOURCE_GROUP --query "id" --output tsv)
$ az role assignment create --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role "DNS Zone Contributor" --scope $DNS_ID

Check permissions. The output should list only the "DNS Zone Contributor" assignment scoped to the DNS zone.

$ az role assignment list --assignee $AZURE_CERT_MANAGER_SP_APP_ID

Create Secret.

$ kubectl create secret generic azuredns-config --from-literal=CLIENT_SECRET=$AZURE_CERT_MANAGER_SP_PASSWORD

Print the Service Principal App ID (and password) needed for the issuer configuration.

$ echo "Principal: $AZURE_CERT_MANAGER_SP_APP_ID"
$ echo "Password: $AZURE_CERT_MANAGER_SP_PASSWORD"
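The "Check permissions" step above only prints the role assignments; the point of the whole procedure is that nothing beyond "DNS Zone Contributor" on the one zone survives. The following script, added here as an example and not part of the cert-manager documentation or project, turns that step into a pass/fail audit: feed it the JSON that `az role assignment list --assignee $AZURE_CERT_MANAGER_SP_APP_ID` prints and it reports any assignment that is broader than the zone (subscription or resource-group scope), an extra role on the zone, or a missing zone-scoped assignment. It assumes the `roleDefinitionName` and `scope` fields of that JSON output and the `Microsoft.Network/dnszones` resource-ID layout; the subscription ID, resource group, zone name and sample assignments are constructed placeholders.

```python
import json
import sys

# Constructed placeholders; replace with your own values (or set them from the
# AZURE_CERT_MANAGER_* variables of the procedure above).
SUBSCRIPTION_ID = "00000000-0000-0000-0000-000000000000"
RESOURCE_GROUP = "dns-rg"
DNS_ZONE = "example.com"
EXPECTED_ROLE = "DNS Zone Contributor"


def expected_zone_scope(subscription_id: str, resource_group: str, zone_name: str) -> str:
    """Resource ID of the DNS zone, i.e. the value `az network dns zone show --query id` returns."""
    return (f"/subscriptions/{subscription_id}/resourceGroups/{resource_group}"
            f"/providers/Microsoft.Network/dnszones/{zone_name}")


ZONE_SCOPE = expected_zone_scope(SUBSCRIPTION_ID, RESOURCE_GROUP, DNS_ZONE)

# Constructed samples of `az role assignment list` output, showing only the
# fields this check reads. The first is the state right after create-for-rbac
# (Contributor on the whole subscription still present); the second is the
# state after the delete/create steps of the procedure.
SAMPLE_BEFORE_CLEANUP = json.dumps([
    {"roleDefinitionName": "Contributor",
     "scope": f"/subscriptions/{SUBSCRIPTION_ID}",
     "principalName": "http://cert-manager-dns"},
    {"roleDefinitionName": EXPECTED_ROLE, "scope": ZONE_SCOPE,
     "principalName": "http://cert-manager-dns"},
])
SAMPLE_AFTER_CLEANUP = json.dumps([
    {"roleDefinitionName": EXPECTED_ROLE, "scope": ZONE_SCOPE,
     "principalName": "http://cert-manager-dns"},
])


def audit_role_assignments(assignments_json: str, zone_scope: str) -> list:
    """Return human-readable findings for a principal's role assignments.

    An empty list means the principal holds exactly one assignment:
    EXPECTED_ROLE scoped to zone_scope. Scope comparison is case-insensitive
    because Azure resource IDs are not case-stable across tools.
    """
    findings = []
    want = zone_scope.lower()
    have_expected = False
    for assignment in json.loads(assignments_json):
        role = assignment.get("roleDefinitionName", "")
        scope = assignment.get("scope", "")
        if role == EXPECTED_ROLE and scope.lower() == want:
            have_expected = True
            continue
        # Any ancestor of the zone ID (subscription, resource group) grants more than the zone.
        if want.startswith(scope.lower().rstrip("/") + "/"):
            where = "broader than the zone"
        elif scope.lower() == want:
            where = "on the zone but with an extra role"
        else:
            where = "on an unrelated resource"
        findings.append(f"unexpected assignment: role '{role}' at scope '{scope}' ({where})")
    if not have_expected:
        findings.append(f"missing: '{EXPECTED_ROLE}' at scope '{zone_scope}'")
    return findings


def main(argv: list) -> int:
    """Audit a JSON file given as the first argument, or the constructed sample if none."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as handle:
            data = handle.read()
    else:
        data = SAMPLE_BEFORE_CLEANUP
    findings = audit_role_assignments(data, ZONE_SCOPE)
    for line in findings or ["ok: only the zone-scoped DNS Zone Contributor assignment is present"]:
        print(line)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Usage: `az role assignment list --assignee $AZURE_CERT_MANAGER_SP_APP_ID > assignments.json && python3 audit_sp.py assignments.json`; a non-zero exit means the principal still holds more than the zone-scoped role and the delete step needs to be repeated (or an unexpected assignment investigated) before the secret is handed to cert-manager.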

You can configure the issuer like so.

apiVersion: cert-manager.io/v1alpha2
kind: Issuer
metadata:
  name: example-issuer
spec:
  acme:
    ...
    solvers:
    - dns01:
        azuredns:
          # Service principal clientId (also called appId)
          clientID: AZURE_SERVICE_PRINCIPAL_ID
          # A secretKeyRef to a service principal ClientSecret (password)
          # ref: https://docs.microsoft.com/en-us/azure/container-service/kubernetes/container-service-kubernetes-service-principal
          clientSecretSecretRef:
            name: AZUREDNS_SECRET_KEY_NAME
            key: CLIENT_SECRET
          # Azure subscription Id
          subscriptionID: AZURE_SUBSCRIPTION_ID
          # Azure AD tenant Id
          tenantID: AZURE_TENANT_ID
          # ResourceGroup name where dns zone is provisioned
          resourceGroupName: AZURE_RESOURCE_GROUP
          hostedZoneName: AZURE_DNS_ZONE_NAME
          # Azure Cloud Environment, default to AzurePublicCloud
          environment: AZURE_ENVIRONMENT
Last modified November 18, 2019: Fixes configuration (08270ae)