From dfe30be31fdc593a4bf242ded6ca59265d729b6f Mon Sep 17 00:00:00 2001 From: Jed Laundry Date: Fri, 11 Aug 2023 13:51:11 +1200 Subject: [PATCH 1/5] Update zz_gen_azuredns.md --- docs/content/dns/zz_gen_azuredns.md | 30 +++++++++++++++++++++++++---- 1 file changed, 26 insertions(+), 4 deletions(-) diff --git a/docs/content/dns/zz_gen_azuredns.md b/docs/content/dns/zz_gen_azuredns.md index efd5f00a81..d0dd0694a8 100644 --- a/docs/content/dns/zz_gen_azuredns.md +++ b/docs/content/dns/zz_gen_azuredns.md @@ -41,6 +41,18 @@ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Azure CLI az login \ lego --domains example.com --email your_example@email.com --dns azuredns run + +### Using Managed Identity (Azure VM) +AZURE_TENANT_ID= +AZURE_SUBSCRIPTION_ID= +AZURE_RESOURCE_GROUP= + +### Using Managed Identity (Azure Arc) +AZURE_TENANT_ID= +AZURE_SUBSCRIPTION_ID= +AZURE_RESOURCE_GROUP= +IMDS_ENDPOINT=http://localhost:40342 +IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token ``` 
@@ -90,16 +102,26 @@ Link: #### Azure Managed Identity -Azure managed identity service allows linking Azure AD identities to Azure resources. \ +The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets. + Workloads running inside compute typed resource can inherit from this configuration to get rights on Azure resources. +#### Azure Managed Identity (with Azure Arc) + +The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure (such as on-prem virtual machines, or VMs in another cloud provider). + +While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service, if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages, you may need to set the environment variables: + * `IMDS_ENDPOINT=http://localhost:40342` + * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token` + #### Workload identity for AKS -Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials. \ -This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand. \ +Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials. + +This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand. Here is a summary of the steps to follow to use it : -* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`. 
\ +* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`. * on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`. * create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL and add the namespace and name of your kubernetes service account. From c21d769311652501dab1dd5113da1a183840c410 Mon Sep 17 00:00:00 2001 From: Jed Laundry Date: Fri, 11 Aug 2023 14:02:50 +1200 Subject: [PATCH 2/5] Add managed identity setup instructions --- docs/content/dns/zz_gen_azuredns.md | 24 +++++++++++++++++++++++- 1 file changed, 23 insertions(+), 1 deletion(-) diff --git a/docs/content/dns/zz_gen_azuredns.md b/docs/content/dns/zz_gen_azuredns.md index d0dd0694a8..738932525f 100644 --- a/docs/content/dns/zz_gen_azuredns.md +++ b/docs/content/dns/zz_gen_azuredns.md 
@@ -104,7 +104,29 @@ Link: The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets. -Workloads running inside compute typed resource can inherit from this configuration to get rights on Azure resources. +Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. For this to work, the Managed Identity requires the **Reader** role on the target DNS Zone, and the **DNS Zone Contributor** on the relevant `_acme-challenge` TXT records. + +For example, to allow a Managed Identity to create a certificate for "fw01.lab.example.com", using Azure CLI: + +```bash +export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000" +export AZURE_RESOURCE_GROUP="rg1" +export SERVICE_PRINCIPAL_ID="00000000-0000-0000-0000-000000000000" + +export AZURE_DNS_ZONE="lab.example.com" +export AZ_HOSTNAME="fw01" +export AZ_RECORD_SET="_acme-challenge.${AZ_HOSTNAME}" + +az role assignment create \ +--assignee "${SERVICE_PRINCIPAL}" \ +--role "Reader" \ +--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}" + +az role assignment create \ +--assignee "${SERVICE_PRINCIPAL}" \ +--role "DNS Zone Contributor" \ +--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}/TXT/${AZ_RECORD_SET}" +``` #### Azure Managed Identity (with Azure Arc) From d0c148df5a00c8f388a7ede7874a49b0a7eadad8 Mon Sep 17 00:00:00 2001 From: Jed Laundry Date: Fri, 11 Aug 2023 14:03:23 +1200 Subject: [PATCH 3/5] update Managed Identity instructions --- docs/content/dns/zz_gen_azuredns.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/content/dns/zz_gen_azuredns.md b/docs/content/dns/zz_gen_azuredns.md index 738932525f..4583be185e 100644 
--- a/docs/content/dns/zz_gen_azuredns.md +++ b/docs/content/dns/zz_gen_azuredns.md @@ -118,12 +118,12 @@ export AZ_HOSTNAME="fw01" export AZ_RECORD_SET="_acme-challenge.${AZ_HOSTNAME}" az role assignment create \ ---assignee "${SERVICE_PRINCIPAL}" \ +--assignee "${SERVICE_PRINCIPAL_ID}" \ --role "Reader" \ --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}" az role assignment create \ ---assignee "${SERVICE_PRINCIPAL}" \ +--assignee "${SERVICE_PRINCIPAL_ID}" \ --role "DNS Zone Contributor" \ --scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}/TXT/${AZ_RECORD_SET}" ``` From dac4afbcf9d556268873b608273108de75d4f699 Mon Sep 17 00:00:00 2001 From: Jed Laundry Date: Fri, 11 Aug 2023 03:20:57 +0000 Subject: [PATCH 4/5] add updated azuredms.toml --- providers/dns/azuredns/azuredns.toml | 54 +++++++++++++++++++++++++--- 1 file changed, 49 insertions(+), 5 deletions(-) diff --git a/providers/dns/azuredns/azuredns.toml b/providers/dns/azuredns/azuredns.toml index 43bc27b3e8..5477df2124 100644 --- a/providers/dns/azuredns/azuredns.toml +++ b/providers/dns/azuredns/azuredns.toml @@ -20,6 +20,18 @@ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Azure CLI az login \ lego --domains example.com --email your_example@email.com --dns azuredns run + +### Using Managed Identity (Azure VM) +AZURE_TENANT_ID= +AZURE_SUBSCRIPTION_ID= +AZURE_RESOURCE_GROUP= + +### Using Managed Identity (Azure Arc) +AZURE_TENANT_ID= +AZURE_SUBSCRIPTION_ID= +AZURE_RESOURCE_GROUP= +IMDS_ENDPOINT=http://localhost:40342 +IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token ''' Additional = ''' 
@@ -39,16 +51,48 @@ Link: #### Azure Managed Identity -Azure managed identity service allows linking Azure AD identities to Azure resources. \ -Workloads running inside compute typed resource can inherit from this configuration to get rights on Azure resources. +The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets. + +Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. For this to work, the Managed Identity requires the **Reader** role on the target DNS Zone, and the **DNS Zone Contributor** on the relevant `_acme-challenge` TXT records. + +For example, to allow a Managed Identity to create a certificate for "fw01.lab.example.com", using Azure CLI: + +```bash +export AZURE_SUBSCRIPTION_ID="00000000-0000-0000-0000-000000000000" +export AZURE_RESOURCE_GROUP="rg1" +export SERVICE_PRINCIPAL_ID="00000000-0000-0000-0000-000000000000" + +export AZURE_DNS_ZONE="lab.example.com" +export AZ_HOSTNAME="fw01" +export AZ_RECORD_SET="_acme-challenge.${AZ_HOSTNAME}" + +az role assignment create \ +--assignee "${SERVICE_PRINCIPAL_ID}" \ +--role "Reader" \ +--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}" + +az role assignment create \ +--assignee "${SERVICE_PRINCIPAL_ID}" \ +--role "DNS Zone Contributor" \ +--scope "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${AZURE_RESOURCE_GROUP}/providers/Microsoft.Network/dnszones/${AZURE_DNS_ZONE}/TXT/${AZ_RECORD_SET}" +``` + +#### Azure Managed Identity (with Azure Arc) + +The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure (such as on-prem virtual machines, or VMs in another cloud provider). 
+ +While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service, if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages, you may need to set the environment variables: + * `IMDS_ENDPOINT=http://localhost:40342` + * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token` #### Workload identity for AKS -Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials. \ -This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand. \ +Workload identity allows workloads running Azure Kubernetes Services (AKS) clusters to authenticate as an Azure AD application identity using federated credentials. + +This must be configured in kubernetes workload deployment in one hand and on the Azure AD application registration in the other hand. Here is a summary of the steps to follow to use it : -* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`. \ +* create a `ServiceAccount` resource, add following annotations to reference the targeted Azure AD application registration : `azure.workload.identity/client-id` and `azure.workload.identity/tenant-id`. * on the `Deployment` resource you must reference the previous `ServiceAccount` and add the following label : `azure.workload.identity/use: "true"`. * create a fedreated credentials of type `Kubernetes accessing Azure resources`, add the cluster issuer URL and add the namespace and name of your kubernetes service account. From 877c896d72071a20403f78ffde6b66174fa4c295 Mon Sep 17 00:00:00 2001 
From: Fernandez Ludovic Date: Fri, 11 Aug 2023 15:45:30 +0200 Subject: [PATCH 5/5] review --- README.md | 2 +- cmd/zz_gen_cmd_dnshelp.go | 4 +-- docs/content/dns/zz_gen_azuredns.md | 45 ++++++++++++++++++---------- providers/dns/azuredns/azuredns.toml | 39 ++++++++++++++++-------- 4 files changed, 58 insertions(+), 32 deletions(-) diff --git a/README.md b/README.md index 596833bc6e..f3c691674c 100644 --- a/README.md +++ b/README.md 
@@ -55,7 +55,7 @@ Detailed documentation is available [here](https://go-acme.github.io/lego/dns). |---------------------------------------------------------------------------------|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------|---------------------------------------------------------------------------------| | [Akamai EdgeDNS](https://go-acme.github.io/lego/dns/edgedns/) | [Alibaba Cloud DNS](https://go-acme.github.io/lego/dns/alidns/) | [all-inkl](https://go-acme.github.io/lego/dns/allinkl/) | [Amazon Lightsail](https://go-acme.github.io/lego/dns/lightsail/) | | [Amazon Route 53](https://go-acme.github.io/lego/dns/route53/) | [ArvanCloud](https://go-acme.github.io/lego/dns/arvancloud/) | [Aurora DNS](https://go-acme.github.io/lego/dns/auroradns/) | [Autodns](https://go-acme.github.io/lego/dns/autodns/) | -| [Azure (deprecated)](https://go-acme.github.io/lego/dns/azure/) | [AzureDNS](https://go-acme.github.io/lego/dns/azuredns/) | [Bindman](https://go-acme.github.io/lego/dns/bindman/) | [Bluecat](https://go-acme.github.io/lego/dns/bluecat/) | +| [Azure (deprecated)](https://go-acme.github.io/lego/dns/azure/) | [Azure DNS](https://go-acme.github.io/lego/dns/azuredns/) | [Bindman](https://go-acme.github.io/lego/dns/bindman/) | [Bluecat](https://go-acme.github.io/lego/dns/bluecat/) | | [Brandit](https://go-acme.github.io/lego/dns/brandit/) | [Bunny](https://go-acme.github.io/lego/dns/bunny/) | [Checkdomain](https://go-acme.github.io/lego/dns/checkdomain/) | [Civo](https://go-acme.github.io/lego/dns/civo/) | | [Cloud.ru](https://go-acme.github.io/lego/dns/cloudru/) | [CloudDNS](https://go-acme.github.io/lego/dns/clouddns/) | [Cloudflare](https://go-acme.github.io/lego/dns/cloudflare/) | [ClouDNS](https://go-acme.github.io/lego/dns/cloudns/) | | [CloudXNS](https://go-acme.github.io/lego/dns/cloudxns/) | 
[ConoHa](https://go-acme.github.io/lego/dns/conoha/) | [Constellix](https://go-acme.github.io/lego/dns/constellix/) | [Derak Cloud](https://go-acme.github.io/lego/dns/derak/) | diff --git a/cmd/zz_gen_cmd_dnshelp.go b/cmd/zz_gen_cmd_dnshelp.go index 51341af46a..79487d7366 100644 --- a/cmd/zz_gen_cmd_dnshelp.go +++ b/cmd/zz_gen_cmd_dnshelp.go @@ -300,9 +300,9 @@ func displayDNSHelp(w io.Writer, name string) error { case "azuredns": // generated from: providers/dns/azuredns/azuredns.toml - ew.writeln(`Configuration for AzureDNS.`) + ew.writeln(`Configuration for Azure DNS.`) ew.writeln(`Code: 'azuredns'`) - ew.writeln(`Since: 'v0.1.0'`) + ew.writeln(`Since: 'v4.13.0'`) ew.writeln() ew.writeln(`Credentials:`) diff --git a/docs/content/dns/zz_gen_azuredns.md b/docs/content/dns/zz_gen_azuredns.md index 4583be185e..5cb55f4a0b 100644 --- a/docs/content/dns/zz_gen_azuredns.md +++ b/docs/content/dns/zz_gen_azuredns.md @@ -1,10 +1,10 @@ --- -title: "AzureDNS" +title: "Azure DNS" date: 2019-03-03T16:39:46+01:00 draft: false slug: azuredns dnsprovider: - since: "v0.1.0" + since: "v4.13.0" code: "azuredns" url: "https://azure.microsoft.com/services/dns/" --- 
@@ -14,45 +14,53 @@ dnsprovider: -Configuration for [AzureDNS](https://azure.microsoft.com/services/dns/). +Configuration for [Azure DNS](https://azure.microsoft.com/services/dns/). - Code: `azuredns` -- Since: v0.1.0 +- Since: v4.13.0 -Here is an example bash command using the AzureDNS provider: +Here is an example bash command using the Azure DNS provider: ```bash ### Using client secret + AZURE_CLIENT_ID= \ AZURE_TENANT_ID= \ AZURE_CLIENT_SECRET= \ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using client certificate + AZURE_CLIENT_ID= \ AZURE_TENANT_ID= \ AZURE_CLIENT_CERTIFICATE_PATH= \ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Azure CLI + az login \ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Managed Identity (Azure VM) -AZURE_TENANT_ID= -AZURE_SUBSCRIPTION_ID= -AZURE_RESOURCE_GROUP= + +AZURE_TENANT_ID= \ +AZURE_SUBSCRIPTION_ID= \ +AZURE_RESOURCE_GROUP= \ +lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Managed Identity (Azure Arc) -AZURE_TENANT_ID= -AZURE_SUBSCRIPTION_ID= -AZURE_RESOURCE_GROUP= -IMDS_ENDPOINT=http://localhost:40342 -IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token + +AZURE_TENANT_ID= \ +AZURE_SUBSCRIPTION_ID= \ +AZURE_RESOURCE_GROUP= \ +IMDS_ENDPOINT=http://localhost:40342 \ +IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token \ +lego --domains example.com --email your_example@email.com --dns azuredns run + ``` 
@@ -104,7 +112,9 @@ Link: The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets. -Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. For this to work, the Managed Identity requires the **Reader** role on the target DNS Zone, and the **DNS Zone Contributor** on the relevant `_acme-challenge` TXT records. +Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. +For this to work, the Managed Identity requires the **Reader** role on the target DNS Zone, +and the **DNS Zone Contributor** on the relevant `_acme-challenge` TXT records. For example, to allow a Managed Identity to create a certificate for "fw01.lab.example.com", using Azure CLI: @@ -130,9 +140,12 @@ az role assignment create \ #### Azure Managed Identity (with Azure Arc) -The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure (such as on-prem virtual machines, or VMs in another cloud provider). +The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure +(such as on-prem virtual machines, or VMs in another cloud provider). -While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service, if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages, you may need to set the environment variables: +While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service, +if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages, +you may need to set the environment variables: * `IMDS_ENDPOINT=http://localhost:40342` * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token` 
diff --git a/providers/dns/azuredns/azuredns.toml b/providers/dns/azuredns/azuredns.toml index 5477df2124..e84858739c 100644 --- a/providers/dns/azuredns/azuredns.toml +++ b/providers/dns/azuredns/azuredns.toml @@ -1,37 +1,45 @@ -Name = "AzureDNS" +Name = "Azure DNS" Description = '''''' URL = "https://azure.microsoft.com/services/dns/" Code = "azuredns" -Since = "v0.1.0" +Since = "v4.13.0" Example = ''' ### Using client secret + AZURE_CLIENT_ID= \ AZURE_TENANT_ID= \ AZURE_CLIENT_SECRET= \ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using client certificate + AZURE_CLIENT_ID= \ AZURE_TENANT_ID= \ AZURE_CLIENT_CERTIFICATE_PATH= \ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Azure CLI + az login \ lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Managed Identity (Azure VM) -AZURE_TENANT_ID= -AZURE_SUBSCRIPTION_ID= -AZURE_RESOURCE_GROUP= + +AZURE_TENANT_ID= \ +AZURE_SUBSCRIPTION_ID= \ +AZURE_RESOURCE_GROUP= \ +lego --domains example.com --email your_example@email.com --dns azuredns run ### Using Managed Identity (Azure Arc) -AZURE_TENANT_ID= -AZURE_SUBSCRIPTION_ID= -AZURE_RESOURCE_GROUP= -IMDS_ENDPOINT=http://localhost:40342 -IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token + +AZURE_TENANT_ID= \ +AZURE_SUBSCRIPTION_ID= \ +AZURE_RESOURCE_GROUP= \ +IMDS_ENDPOINT=http://localhost:40342 \ +IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token \ +lego --domains example.com --email your_example@email.com --dns azuredns run + ''' Additional = ''' 
@@ -53,7 +61,9 @@ Link: The Azure Managed Identity service allows linking Azure AD identities to Azure resources, without needing to manually manage client IDs and secrets. -Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. For this to work, the Managed Identity requires the **Reader** role on the target DNS Zone, and the **DNS Zone Contributor** on the relevant `_acme-challenge` TXT records. +Workloads with a Managed Identity can manage their own certificates, with permissions on specific domain names set using IAM assignments. +For this to work, the Managed Identity requires the **Reader** role on the target DNS Zone, +and the **DNS Zone Contributor** on the relevant `_acme-challenge` TXT records. For example, to allow a Managed Identity to create a certificate for "fw01.lab.example.com", using Azure CLI: @@ -79,9 +89,12 @@ az role assignment create \ #### Azure Managed Identity (with Azure Arc) -The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure (such as on-prem virtual machines, or VMs in another cloud provider). +The Azure Arc agent provides the ability to use a Managed Identity on resources hosted outside of Azure +(such as on-prem virtual machines, or VMs in another cloud provider). -While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service, if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages, you may need to set the environment variables: +While the upstream `azidentity` SDK will try to automatically identify and use the Azure Arc metadata service, +if you get `azuredns: DefaultAzureCredential: failed to acquire a token.` error messages, +you may need to set the environment variables: * `IMDS_ENDPOINT=http://localhost:40342` * `IDENTITY_ENDPOINT=http://localhost:40342/metadata/identity/oauth2/token`
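Review bot: In PATCH 1/5, hunk `@@ -41,6 +41,18 @@` of docs/content/dns/zz_gen_azuredns.md, the two new `### Using Managed Identity` examples are not runnable as written: unlike the three examples above them, the `AZURE_TENANT_ID=`, `AZURE_SUBSCRIPTION_ID=` and `AZURE_RESOURCE_GROUP=` lines carry no trailing `\` continuation and there is no closing `lego --domains example.com --email your_example@email.com --dns azuredns run` line, so a reader copying the block only sets a few empty shell variables. Match the surrounding examples, e.g. `AZURE_RESOURCE_GROUP= \` followed by the `lego ... run` line. PATCH 5/5 makes exactly this change; folding it into this commit would keep every revision of the docs consistent.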
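Review bot: In PATCH 1/5, hunk `@@ -90,16 +102,26 @@`, the change is made directly in docs/content/dns/zz_gen_azuredns.md, but the `zz_gen_` prefix and the `// generated from: providers/dns/azuredns/azuredns.toml` comment visible in cmd/zz_gen_cmd_dnshelp.go (PATCH 5/5) indicate this markdown is generated from providers/dns/azuredns/azuredns.toml, so hand edits here are lost on the next generation run. Change the .toml first and regenerate the derived files rather than editing both by hand (PATCH 4/5 only catches up three commits later). While touching this section, the pre-existing `fedreated credentials` typo in the unchanged context lines of this hunk is worth fixing in the .toml as well.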
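Review bot: In PATCH 2/5, hunk `@@ -104,7 +104,29 @@`, both `az role assignment create` calls pass `--assignee "${SERVICE_PRINCIPAL}"` while the variable exported at the top of the block is `SERVICE_PRINCIPAL_ID`, so the assignee expands to an empty string and both commands fail. Use `--assignee "${SERVICE_PRINCIPAL_ID}"` (PATCH 3/5 corrects this; squash it into this commit so no revision of the docs ships the broken example). Separately, the split of permissions is the right least-privilege shape and deserves one more sentence in the prose: `Reader` is granted at the zone scope `.../dnszones/${AZURE_DNS_ZONE}`, while `DNS Zone Contributor` is confined to the single record set `.../dnszones/${AZURE_DNS_ZONE}/TXT/${AZ_RECORD_SET}`, so the identity cannot write any other record in the zone; because `AZ_RECORD_SET` is derived from one `AZ_HOSTNAME`, each additional hostname needs its own record-set-scoped assignment, which the text should say explicitly.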
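Review bot: PATCH 3/5 is a pure fix-up of the previous commit (`${SERVICE_PRINCIPAL}` becomes `${SERVICE_PRINCIPAL_ID}` in both `--assignee` lines of hunk `@@ -118,12 +118,12 @@`), yet its subject "update Managed Identity instructions" does not say so. Squash it into PATCH 2/5, or at minimum state in the message that it fixes the variable name used in the role assignment example.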
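Review bot: PATCH 4/5 copies into providers/dns/azuredns/azuredns.toml the same content added to the generated markdown in PATCH 1/5 through 3/5, including the same defect: in hunk `@@ -20,6 +20,18 @@` the Managed Identity examples again lack the trailing `\` continuations and the closing `lego ... run` line. The subject line also misspells the file as "azuredms.toml". Since the .toml is the source from which the markdown and `cmd/zz_gen_cmd_dnshelp.go` are generated, the clean sequence is a single commit that edits the .toml and regenerates the derived files, instead of parallel hand edits to both.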
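Review bot: In PATCH 5/5, hunk `@@ -14,45 +14,53 @@` of docs/content/dns/zz_gen_azuredns.md and the matching hunk `@@ -1,37 +1,45 @@` of azuredns.toml each add a `+` blank line after the final `lego ... run` command, directly before the closing fence, which renders as a trailing empty line in the code block that none of the other examples have; drop it. The rename from `AzureDNS` to `Azure DNS` is applied consistently across README.md, `cmd/zz_gen_cmd_dnshelp.go`, the markdown front matter and the .toml `Name`, but the `Since` change from `v0.1.0` to `v4.13.0` is a metadata correction unrelated to the managed-identity documentation and should be called out in the commit message (the current subject is just "review") so the reason for the new value is recorded.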