AzureDNS
To configure the AzureDNS DNS01 Challenge in a Kubernetes cluster there are 3 ways available:
- Managed Identity Using AAD Pod Identities
- Managed Identity Using AKS Kubelet Identity
- Service Principal
Managed Identity Using AAD Pod Identities
AAD Pod Identities allows assigning a Managed Identity to a pod. This removes the need for adding explicit credentials into the cluster to create the required DNS records.
Note: When using Pod identity, even though assigning multiple identities to a single pod is allowed, currently cert-manager does not support this as it is not able to identify which identity to use.
Firstly an identity should be created that has access to contribute to the DNS Zone.
- Example creation using
azure-cli
andjq
:
# Choose a unique Identity name and existing resource group to create identity in.IDENTITY=$(az identity create --name $IDENTITY_NAME --resource-group $IDENTITY_GROUP )# Gets principalId to use for role assignmentPRINCIPAL_ID=$(echo $IDENTITY | jq -r '.principalId')# Used for identity bindingCLIENT_ID=$(echo $IDENTITY | jq -r '.clientId')RESOURCE_ID=$(echo $IDENTITY | jq -r '.id')# Get existing DNS Zone IdZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROUP --query "id" -o tsv)# Create role assignmentaz role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
- Example creation using Terraform
variable resource_group_name {}variable location {}variable dns_zone_id {}# Creates Identityresource "azurerm_user_assigned_identity" "dns_identity" {name = "cert-manager-dns01"resource_group_name = var.resource_group_namelocation = var.location}# Creates Role Assignmentresource "azurerm_role_assignment" "dns_contributor" {scope = var.dns_zone_idrole_definition_name = "DNS Zone Contributor"principal_id = azurerm_user_assigned_identity.dns_identity.principal_id}# Client Id Used for identity bindingoutput "identity_client_id" {value = azurerm_user_assigned_identity.dns_identity.client_id}# Resource Id Used for identity bindingoutput "identity_resource_id" {value = azurerm_user_assigned_identity.dns_identity.id}
Next we need to ensure we have installed AAD Pod Identity using their walk-through. This will install the CRDs and deployment required to assign the identity.
Now we can create the identity resource and binding using the below manifest as an example:
apiVersion: "aadpodidentity.k8s.io/v1"kind: AzureIdentitymetadata:annotations:# recommended to use namespaced identites https://azure.github.io/aad-pod-identity/docs/configure/match_pods_in_namespace/aadpodidentity.k8s.io/Behavior: namespacedname: certman-identitynamespace: cert-manager # change to your preferred namespacespec:type: 0 # MSIresourceID: <Identity_Id> # Resource Id From Previous stepclientID: <Client_Id> # Client Id from previous step---apiVersion: "aadpodidentity.k8s.io/v1"kind: AzureIdentityBindingmetadata:name: certman-id-bindingnamespace: cert-manager # change to your preferred namespacespec:azureIdentity: certman-identityselector: certman-label # This is the label that needs to be set on cert-manager pods
Next we need to ensure the cert-manager pod has a relevant label to use the pod identity binding. This can be done by editing the deployment and adding the below into the .spec.template.metadata.labels
field
spec:template:metadata:labels:aadpodidbinding: certman-label # must match selector in AzureIdentityBinding
Or by using the helm values podLabels
podLabels:aadpodidbinding: certman-label
Lastly when we create the certificate issuer we only need to specify the hostedZoneName
, resourceGroupName
and subscriptionID
fields for the DNS zone. Example below:
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: example-issuerspec:acme:...solvers:- dns01:azureDNS:subscriptionID: AZURE_SUBSCRIPTION_IDresourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUPhostedZoneName: AZURE_DNS_ZONE# Azure Cloud Environment, default to AzurePublicCloudenvironment: AzurePublicCloud
Managed Identity Using AKS Kubelet Identity
When creating an AKS cluster in Azure there is the option to use a managed identity that is assigned to the kubelet. This identity is assigned to the underlying node pool in the AKS cluster and can then be used by the cert-manager pods to authenticate to Azure Active Directory.
There are some caveats with this approach, these mainly being:
- You will need to ensure only 1 managed identity is assigned to the node pool. This is due to cert-manager not currently being able to select the identity to use
- Any permissions granted to this identity will also be accessible to all containers running inside the Kubernetes cluster.
- Using AKS extensions like
Kube Dashboard
will not work with this method as this creates an additional identity that is assigned to the node pools.
To set this up, firstly you will need to retrieve the identity that the kubelet is using by querying the AKS cluster. This can then be used to create the appropriate permissions in the DNS zone.
- Example commands using
azure-cli
:
# Get AKS Kubelet IdentityPRINCIPAL_ID=$(az aks show -n $CLUSTERNAME -g $CLUSTER_GROUP --query "identityProfile.kubeletidentity.objectId" -o tsv)# Get existing DNS Zone IdZONE_ID=$(az network dns zone show --name $ZONE_NAME --resource-group $ZONE_GROUP --query "id" -o tsv)# Create role assignmentaz role assignment create --role "DNS Zone Contributor" --assignee $PRINCIPAL_ID --scope $ZONE_ID
- Example terraform:
variable dns_zone_id {}# Creating the AKS cluster, abbreviated.resource "azurerm_kubernetes_cluster" "cluster" {...# Creates Identity associated to kubeletidentity {type = "SystemAssigned"}...}resource "azurerm_role_assignment" "dns_contributor" {scope = var.dns_zone_idrole_definition_name = "DNS Zone Contributor"principal_id = azurerm_kubernetes_cluster.cluster.kubelet_identity[0].object_idskip_service_principal_aad_check = true # Allows skipping propagation of identity to ensure assignment succeeds.}
Then when creating the cert-manager issuer we only need to specify the hostedZoneName
, resourceGroupName
and subscriptionID
fields for the DNS Zone. Example below:
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: example-issuerspec:acme:...solvers:- dns01:azureDNS:subscriptionID: AZURE_SUBSCRIPTION_IDresourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUPhostedZoneName: AZURE_DNS_ZONE# Azure Cloud Environment, default to AzurePublicCloudenvironment: AzurePublicCloud
Service Principal
Configuring the AzureDNS DNS01 Challenge for a Kubernetes cluster requires creating a service principal in Azure.
To create the service principal you can use the following script (requires
azure-cli
and jq
):
# Choose a name for the service principal that contacts azure DNS to present# the challenge.$ AZURE_CERT_MANAGER_NEW_SP_NAME=NEW_SERVICE_PRINCIPAL_NAME# This is the name of the resource group that you have your dns zone in.$ AZURE_DNS_ZONE_RESOURCE_GROUP=AZURE_DNS_ZONE_RESOURCE_GROUP# The DNS zone name. It should be something like domain.com or sub.domain.com.$ AZURE_DNS_ZONE=AZURE_DNS_ZONE$ DNS_SP=$(az ad sp create-for-rbac --name $AZURE_CERT_MANAGER_NEW_SP_NAME)$ AZURE_CERT_MANAGER_SP_APP_ID=$(echo $DNS_SP | jq -r '.appId')$ AZURE_CERT_MANAGER_SP_PASSWORD=$(echo $DNS_SP | jq -r '.password')$ AZURE_TENANT_ID=$(echo $DNS_SP | jq -r '.tenant')$ AZURE_SUBSCRIPTION_ID=$(az account show | jq -r '.id')
For security purposes, it is appropriate to utilize RBAC to ensure that you properly maintain access control to your resources in Azure. The service principal that is generated by this tutorial has fine-grained access to ONLY the DNS Zone in the specific resource group specified. It requires this permission so that it can read/write the _acme_challenge TXT records to the zone.
Lower the Permissions of the service principal.
$ az role assignment delete --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role Contributor
Give Access to DNS Zone.
$ DNS_ID=$(az network dns zone show --name $AZURE_DNS_ZONE --resource-group $AZURE_DNS_ZONE_RESOURCE_GROUP --query "id" --output tsv)$ az role assignment create --assignee $AZURE_CERT_MANAGER_SP_APP_ID --role "DNS Zone Contributor" --scope $DNS_ID
Check Permissions. As the result of the following command, we would like to see just one object in the permissions array with "DNS Zone Contributor" role.
$ az role assignment list --all --assignee $AZURE_CERT_MANAGER_SP_APP_ID
A secret containing service principal password should be created on Kubernetes to facilitate presenting the challenge to Azure DNS. You can create the secret with the following command:
$ kubectl create secret generic azuredns-config --from-literal=client-secret=$AZURE_CERT_MANAGER_SP_PASSWORD
Get the variables for configuring the issuer.
$ echo "AZURE_CERT_MANAGER_SP_APP_ID: $AZURE_CERT_MANAGER_SP_APP_ID"$ echo "AZURE_CERT_MANAGER_SP_PASSWORD: $AZURE_CERT_MANAGER_SP_PASSWORD"$ echo "AZURE_SUBSCRIPTION_ID: $AZURE_SUBSCRIPTION_ID"$ echo "AZURE_TENANT_ID: $AZURE_TENANT_ID"$ echo "AZURE_DNS_ZONE: $AZURE_DNS_ZONE"$ echo "AZURE_DNS_ZONE_RESOURCE_GROUP: $AZURE_DNS_ZONE_RESOURCE_GROUP"
To configure the issuer, substitute the capital cased variables with the values from the previous script. You can get the subscription id from the Azure portal.
apiVersion: cert-manager.io/v1kind: Issuermetadata:name: example-issuerspec:acme:...solvers:- dns01:azureDNS:clientID: AZURE_CERT_MANAGER_SP_APP_IDclientSecretSecretRef:# The following is the secret we created in Kubernetes. Issuer will use this to present challenge to Azure DNS.name: azuredns-configkey: client-secretsubscriptionID: AZURE_SUBSCRIPTION_IDtenantID: AZURE_TENANT_IDresourceGroupName: AZURE_DNS_ZONE_RESOURCE_GROUPhostedZoneName: AZURE_DNS_ZONE# Azure Cloud Environment, default to AzurePublicCloudenvironment: AzurePublicCloud