[stable/2023.1] [ATMOSPHERE-364] cert-manager: Add support for Azure DNS (#1863)
This is an automated cherry-pick of #1601
/assign mnaser
diff --git a/doc/source/deploy/certificates.rst b/doc/source/deploy/certificates.rst
index 2e04abb..8f7f093 100644
--- a/doc/source/deploy/certificates.rst
+++ b/doc/source/deploy/certificates.rst
@@ -141,6 +141,22 @@
If your ACME server cannot reach your API, you will need to use the ``DNS-01``
challenges which require you to configure your DNS provider.
+Azure DNS
+*********
+
+To configure cert-manager with Azure DNS, create a `Service Principal
+<https://cert-manager.io/docs/configuration/acme/dns01/azuredns/#service-principal>`_ and set the following variables:
+
+.. code-block:: yaml
+
+ cluster_issuer_acme_solver: azuredns
+ cluster_issuer_acme_azuredns_client_id: <CLIENT_ID>
+ cluster_issuer_acme_azuredns_client_secret: <CLIENT_SECRET>
+ cluster_issuer_acme_azuredns_subscription_id: <SUBSCRIPTION_ID>
+ cluster_issuer_acme_azuredns_tenant_id: <TENANT_ID>
+ cluster_issuer_acme_azuredns_resourcegroup_name: <RESOURCEGROUP_NAME>
+ cluster_issuer_acme_azuredns_hostedzone_name: <HOSTEDZONE_NAME>
+
RFC2136
*******
diff --git a/roles/cluster_issuer/defaults/main.yml b/roles/cluster_issuer/defaults/main.yml
index 38ef2ba..8bcfddc 100644
--- a/roles/cluster_issuer/defaults/main.yml
+++ b/roles/cluster_issuer/defaults/main.yml
@@ -98,3 +98,12 @@
cluster_issuer_self_signed_certificate_name: self-signed-ca
cluster_issuer_self_signed_secret_name: cert-manager-selfsigned-ca
+
+cluster_issuer_acme_azuredns_secret_name: cert-manager-issuer-azuredns-credentials
+cluster_issuer_acme_azuredns_environment: AzurePublicCloud
+# cluster_issuer_acme_azuredns_client_id:
+# cluster_issuer_acme_azuredns_client_secret:
+# cluster_issuer_acme_azuredns_subscription_id:
+# cluster_issuer_acme_azuredns_tenant_id:
+# cluster_issuer_acme_azuredns_resourcegroup_name:
+# cluster_issuer_acme_azuredns_hostedzone_name:
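Review bot: The six commented-out `cluster_issuer_acme_azuredns_*` placeholders say nothing about when they are required, and nothing marks `cluster_issuer_acme_azuredns_client_secret` as a credential that should not be committed in plain text. A comment above the block along the lines of `# Azure DNS (DNS-01) solver. All six values below are required when cluster_issuer_acme_solver is azuredns; supply client_secret via Ansible Vault or an external secret store, never inline.` would give an operator filling in these defaults the context the documented variable list in certificates.rst provides elsewhere. The `cluster_issuer_acme_azuredns_environment` default could likewise carry a one-line comment noting it feeds the cert-manager azureDNS `environment` field, so readers know where to look for accepted values.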
diff --git a/roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml b/roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml
new file mode 100644
index 0000000..d8107ef
--- /dev/null
+++ b/roles/cluster_issuer/tasks/type/acme/solver/azuredns.yml
@@ -0,0 +1,43 @@
+# SPDX-License-Identifier: Apache-2.0
+# Copyright (c) VEXXHOST, Inc.
+
+- name: Create ClusterIssuer
+ run_once: true
+ kubernetes.core.k8s:
+ state: present
+ definition:
+ - apiVersion: v1
+ kind: Secret
+ metadata:
+ name: "{{ cluster_issuer_acme_azuredns_secret_name }}"
+ namespace: cert-manager
+ app.kubernetes.io/part-of: cert-manager
+ app.kubernetes.io/managed-by: Ansible
+ type: Opaque
+ stringData:
+ client-secret: "{{ cluster_issuer_acme_azuredns_client_secret }}"
+
+ - apiVersion: cert-manager.io/v1
+ kind: ClusterIssuer
+ metadata:
+ name: "{{ cluster_issuer_name }}"
+ app.kubernetes.io/part-of: cert-manager
+ app.kubernetes.io/managed-by: Ansible
+ spec:
+ acme:
+ email: "{{ cluster_issuer_acme_email }}"
+ server: "{{ cluster_issuer_acme_server }}"
+ privateKeySecretRef:
+ name: "{{ cluster_issuer_acme_private_key_secret_name }}"
+ solvers:
+ - dns01:
+ azureDNS:
+ clientID: "{{ cluster_issuer_acme_azuredns_client_id }}"
+ clientSecretSecretRef:
+ name: "{{ cluster_issuer_acme_azuredns_secret_name }}"
+ key: client-secret
+ subscriptionID: "{{ cluster_issuer_acme_azuredns_subscription_id }}"
+ tenantID: "{{ cluster_issuer_acme_azuredns_tenant_id }}"
+ resourceGroupName: "{{ cluster_issuer_acme_azuredns_resourcegroup_name }}"
+ hostedZoneName: "{{ cluster_issuer_acme_azuredns_hostedzone_name }}"
+ environment: "{{ cluster_issuer_acme_azuredns_environment }}"
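Review bot: The `app.kubernetes.io/part-of` and `app.kubernetes.io/managed-by` entries on both the Secret and the ClusterIssuer sit directly under `metadata:` with no `labels:` key anywhere in the file, so they are not valid ObjectMeta fields — depending on the API server's field validation they are either rejected outright or silently dropped, leaving the resources unlabelled. Add `labels:` under each `metadata:` and nest the two entries beneath it; the sibling solver task files are outside this diff, so it is worth checking they use the same shape. Separately, the task writes `cluster_issuer_acme_azuredns_client_secret` into `stringData`, and since kubernetes.core.k8s returns the applied definition in its result, a verbose run can echo the credential into the play output; add `no_log: true` next to `run_once: true` to keep it out of logs.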