Cert-manager: Azure DNS examples missing from docs

Created on 29 May 2018 · 7 Comments · Source: jetstack/cert-manager

/kind bug

What happened:
The Azure DNS ACME-issuer examples got removed when transitioning to the new docs system.
Details are in this PR: https://github.com/jetstack/cert-manager/pull/428/files

Labels: area/acme, kind/bug

All 7 comments

Not sure where to file this, but the old cert-manager docs on Azure DNS01 link to Azure documentation on creating a ServicePrincipal that says it's outdated.

I believe the following is more up-to-date: https://docs.microsoft.com/en-us/azure/aks/aad-integration.

I've been trying to figure out how to set up an Azure DNS challenge using the new ServicePrincipal, so that's how I noticed the difference. It would be great to see an updated cert-manager DNS01 challenge for Azure DNS.

Thanks!

I succeeded in setting up my cert-manager (0.4.1) on AKS.
Step by step it is like this:

  1. Check that you are logged in with the same subscription as AKS.

  2. Create a new service principal.

az ad sp create-for-rbac --name AKSCertManager2 --password PASSWORD

Of course, you should use your own good password instead of PASSWORD.

You'll get information like this.

{
  "appId": "8b8a0556-3f44-4827-ad4d-aaaaaaaaaaaa",
  "displayName": "AKSCertManager",
  "name": "http://AKSCertManager",
  "password": "PASSWORD",
  "tenant": "2c606659-30f9-4cb1-aa65-bbbbbbbbbbbb"
}

  3. Create the secret.

PASSWORD is the same as above.

kubectl create secret generic azuredns-config --from-literal=client-secret=PASSWORD

  4. Create the issuer.

apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
# 8<---8<--- snip
spec:
  acme:
    dns01:
      providers:
      - azuredns:
          clientID: 5f1d054a-6b78-4af6-8a2b-aaaaaaaaaaaa # appID shown above.
          clientSecretSecretRef:
            key: client-secret
            name: azuredns-config
          hostedZoneName: {your-domain.example.com}
          resourceGroupName: {Resource group that include AzureDNS. Not AKS's}
          subscriptionID: e000d296-c414-4552-a6b1-cccccccccccc # Replace to yours.
          tenantID: 2c606659-30f9-4cb1-aa65-bbbbbbbbbbbb # Shown above.
        name: prod-dns
    email: {your email}
# 8<---8<--- snip

  5. Create the certificate.

Same as for the other providers.

Hope it helps.

Awesome @monaka-hashhub! Works for me as well. A few tweaks:

Use az account list --output table to get your subscription ID.

Also, we are using RBAC to lock things down, so the standard az ad sp create-for-rbac did not work for us. We create a ServicePrincipal with explicit DNS permissions on the resource-group hosting the DNS service:

az ad sp create-for-rbac --name AKSCertManager --role="DNS Zone Contributor" --scopes="/subscriptions/<subscriptionId>/resourceGroups/<resourceGroupHostingDNSZone>"

Very cool! Thanks to everyone involved in this thread. Glad I happened across this as I was having a lot of trouble getting the http01 validation to work with ambassador and this works great. I'll add that you can also scope the service principal to the actual zone you want to target as well. Don't need to apply it at the sub or resource group level if you want to be more granular (though I suppose resource group level would be great if you had a collection of zones).
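The three posts above describe one procedure (service principal, Kubernetes secret, Issuer) plus two refinements (an explicit "DNS Zone Contributor" role, and scoping the principal to a resource group or to a single zone). The script below is an added example that chains them together; it is not code from the issue thread or from the cert-manager project. The secret name azuredns-config, the provider name prod-dns and the role name come from the thread; the Issuer name letsencrypt-prod, the account-key secret name, the Let's Encrypt production server URL and the sample GUIDs are assumptions, and spec.acme.server / privateKeySecretRef are the v1alpha1 ACME fields that the thread's snippet snipped out. It needs the az CLI logged in to the subscription that owns the zone and kubectl pointed at the AKS cluster.

```shell
#!/usr/bin/env bash
# Added example, not code from the issue thread. It chains the thread's steps
# (service principal -> Kubernetes secret -> Issuer) with the narrowest RBAC
# scope discussed in the thread. Names such as letsencrypt-prod and the sample
# GUIDs are assumptions; azuredns-config, prod-dns and "DNS Zone Contributor"
# come from the thread.
set -eu

# Build the RBAC scope for the service principal. With a zone name the scope is
# the single DNS zone; without one it is the whole resource group (useful when
# one group holds several zones). The resource-ID layout is Azure's standard form.
azure_dns_scope() {
  local subscription_id="$1" resource_group="$2" zone="${3:-}"
  local scope="/subscriptions/${subscription_id}/resourceGroups/${resource_group}"
  if [ -n "$zone" ]; then
    scope="${scope}/providers/Microsoft.Network/dnsZones/${zone}"
  fi
  printf '%s\n' "$scope"
}

# Cheap sanity check before anything is created: subscription and tenant IDs
# must be GUIDs, so a pasted resource-group or zone name is caught early.
is_guid() {
  printf '%s' "$1" | grep -Eq '^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$'
}

# Render the v1alpha1 Issuer. spec.acme.server and privateKeySecretRef are the
# ACME fields the thread's snippet left out; the azuredns block mirrors the
# thread's field names exactly.
render_issuer() {
  local client_id="$1" subscription_id="$2" tenant_id="$3"
  local resource_group="$4" zone="$5" email="$6"
  cat <<EOF
apiVersion: certmanager.k8s.io/v1alpha1
kind: Issuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${email}
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    dns01:
      providers:
      - name: prod-dns
        azuredns:
          clientID: ${client_id}
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
          subscriptionID: ${subscription_id}
          tenantID: ${tenant_id}
          resourceGroupName: ${resource_group}
          hostedZoneName: ${zone}
EOF
}

# Full procedure. Needs az (logged in to the subscription that owns the zone)
# and kubectl (pointed at the AKS cluster). az generates the client secret, so
# it never has to be typed on a command line or end up in shell history.
setup_azure_dns_issuer() {
  local sp_name="$1" subscription_id="$2" resource_group="$3" zone="$4" email="$5"
  is_guid "$subscription_id" || { echo "subscription ID must be a GUID" >&2; return 1; }
  local scope
  scope=$(azure_dns_scope "$subscription_id" "$resource_group" "$zone")

  # One call returns appId, password and tenant as a single tab-separated line;
  # the password is only ever shown once, so capture all three together.
  local sp_out app_id client_secret tenant_id
  sp_out=$(az ad sp create-for-rbac --name "$sp_name" \
             --role "DNS Zone Contributor" --scopes "$scope" \
             --query '[appId,password,tenant]' --output tsv)
  app_id=$(printf '%s\n' "$sp_out" | cut -f1)
  client_secret=$(printf '%s\n' "$sp_out" | cut -f2)
  tenant_id=$(printf '%s\n' "$sp_out" | cut -f3)

  # Feed the secret through stdin rather than --from-literal so it is not
  # visible in the process list while kubectl runs.
  printf '%s' "$client_secret" |
    kubectl create secret generic azuredns-config --from-file=client-secret=/dev/stdin

  render_issuer "$app_id" "$subscription_id" "$tenant_id" \
                "$resource_group" "$zone" "$email" | kubectl apply -f -
}

# Usage: ./azure-dns-issuer.sh run <sp-name> <subscription-id> <resource-group> <zone> <email>
if [ "${1:-}" = "run" ]; then
  setup_azure_dns_issuer "$2" "$3" "$4" "$5" "$6"
fi
```

Pass an empty zone argument to scope the principal to the whole resource group, as in the "DNS Zone Contributor" command above; pass the zone name to restrict it to that one zone. Either way the principal can only touch DNS records, which is all cert-manager needs for the dns01 challenge, and a leaked client secret cannot reach the AKS resource group.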

Would anyone be able to write this up and create a PR against the documentation for this?

I've not used Azure DNS myself, and will need to get myself set up with an account to test all this out. It'd be great if someone could get this written up properly explaining how someone should set up the Azure DNS provider 😄

@munnerz I have some docs written. Where do you want them?
