How Do I configure Okteto with cert-manager and Azure Cloud DNS?

How do I configure the Okteto wildcard certificate with cert-manager and Azure Cloud DNS?

The recommended solution is to use Azure Workload Identity.

In order to do that, create an Azure Service Principal following the cert-manager recommendations.

Federate the Application Client ID with the cert-manager service account as explained here and add these options to your cert-manager Helm values configuration:

  extraArgs: [--issuer-ambient-credentials=true]
  serviceAccount:
    annotations:
      azure.workload.identity/client-id: <<your-application-client-id>>

Once your cert-manager is configured this way, create the following Issuer in the okteto namespace:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: okteto-letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  "<<your-email>>"
    privateKeySecretRef:
      name: okteto-letsencrypt-acme
    solvers:
    - http01:
        ingress:
          serviceType: ClusterIP
          class: nginx
    - dns01:
        azureDNS:
          clientID: "<<your-application-client-id>>"
          subscriptionID: "<<your-subscription-id>>"
          tenantID: "<<your-tenant-id>>"
          resourceGroupName: "<<resource-group-name>>"
          hostedZoneName: "<<your-okteto-subdomain>>"
          environment: AzurePublicCloud

and the following Certificate:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: okteto-letsencrypt
spec:
  secretName: okteto-letsencrypt
  duration: 8760h0m0s
  renewBefore: 600h0m0s # 25d
  issuerRef:
    name: okteto-letsencrypt
    kind: Issuer
  dnsNames:
    - "*.<<your-okteto-subdomain>>"

Now, add the following to your Okteto Helm configuration file to tell Okteto and NGINX to use your certificate:

wildcardCertificate:
  create: false
  name: okteto-letsencrypt

ingress-nginx:
  controller:
    extraArgs:
      default-ssl-certificate: $(POD_NAMESPACE)/okteto-letsencrypt

Finally, upgrade your Okteto installation for the new configuration to be applied.

For troubleshooting, check the cert-manager logs and the events associated with the Challenge, Order and CertificateRequest resources.
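As an added preflight check (example code written for this page, not part of Okteto or cert-manager), the script below models the Issuer, Certificate and Helm values above as Python dicts, with the placeholders filled with made-up values, and verifies that the pieces agree before you run the upgrade: no <<...>> placeholder is left unfilled, the Certificate's issuerRef names the Issuer, the wildcard dnsName sits inside the azureDNS hostedZoneName and the Issuer has a dns01 solver to issue it through (ACME cannot issue wildcard names via http01), renewBefore is shorter than duration, and both wildcardCertificate.name and default-ssl-certificate point at the Certificate's secretName. Every name and ID in the sample data is an assumption.

```python
"""Preflight consistency checks for the Okteto wildcard-certificate setup."""
import re

# Matches the <<...>> placeholders used in the manifests above
PLACEHOLDER = re.compile(r"<<[^>]*>>")


def find_placeholders(obj, path=""):
    """Return the paths of string values that still contain a <<...>> placeholder."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            found.extend(find_placeholders(value, f"{path}.{key}" if path else key))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(find_placeholders(value, f"{path}[{i}]"))
    elif isinstance(obj, str) and PLACEHOLDER.search(obj):
        found.append(path)
    return found


def duration_hours(text):
    """Convert a Go-style duration such as '8760h0m0s' or '600h' into hours."""
    factors = {"h": 1.0, "m": 1 / 60, "s": 1 / 3600}
    return sum(int(n) * factors[u] for n, u in re.findall(r"(\d+)([hms])", text))


def check_setup(issuer, certificate, okteto_values):
    """Return a list of problems; an empty list means the three pieces agree."""
    problems = []
    for label, doc in (("issuer", issuer), ("certificate", certificate), ("values", okteto_values)):
        problems += [f"{label}: unfilled placeholder at {p}" for p in find_placeholders(doc)]

    spec = certificate["spec"]
    ref = spec["issuerRef"]
    if ref.get("kind", "Issuer") != issuer["kind"] or ref["name"] != issuer["metadata"]["name"]:
        problems.append(f"certificate: issuerRef {ref} does not match "
                        f"{issuer['kind']} {issuer['metadata']['name']}")

    solvers = issuer["spec"]["acme"]["solvers"]
    has_dns01 = any("dns01" in s for s in solvers)
    zones = [z for z in (s.get("dns01", {}).get("azureDNS", {}).get("hostedZoneName")
                         for s in solvers) if z]
    for dns_name in spec["dnsNames"]:
        if not dns_name.startswith("*."):
            continue
        if not has_dns01:  # ACME only issues wildcard names via the DNS-01 challenge
            problems.append(f"certificate: wildcard {dns_name} needs a dns01 solver, issuer has only http01")
        elif zones and not any(dns_name[2:] == z or dns_name[2:].endswith("." + z) for z in zones):
            problems.append(f"certificate: wildcard {dns_name} is not inside hosted zone(s) {zones}")

    if duration_hours(spec.get("renewBefore", "0h")) >= duration_hours(spec["duration"]):
        problems.append("certificate: renewBefore must be shorter than duration")

    secret = spec["secretName"]
    wc = okteto_values["wildcardCertificate"]
    if wc.get("create", True) or wc.get("name") != secret:
        problems.append(f"values: wildcardCertificate must be create: false with name: {secret}")
    ssl_arg = okteto_values["ingress-nginx"]["controller"]["extraArgs"]["default-ssl-certificate"]
    if ssl_arg.rsplit("/", 1)[-1] != secret:
        problems.append(f"values: default-ssl-certificate {ssl_arg!r} does not point at secret {secret}")
    return problems


# Constructed sample inputs mirroring the manifests above; all IDs and names are made up
ISSUER = {
    "apiVersion": "cert-manager.io/v1", "kind": "Issuer",
    "metadata": {"name": "okteto-letsencrypt", "namespace": "okteto"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "email": "admin@example.test",
        "privateKeySecretRef": {"name": "okteto-letsencrypt-acme"},
        "solvers": [
            {"http01": {"ingress": {"serviceType": "ClusterIP", "class": "nginx"}}},
            {"dns01": {"azureDNS": {
                "clientID": "00000000-0000-0000-0000-000000000000",        # made up
                "subscriptionID": "11111111-1111-1111-1111-111111111111",  # made up
                "tenantID": "22222222-2222-2222-2222-222222222222",        # made up
                "resourceGroupName": "okteto-dns-rg",
                "hostedZoneName": "okteto.example.test",
                "environment": "AzurePublicCloud"}}}]}},
}
CERTIFICATE = {
    "apiVersion": "cert-manager.io/v1", "kind": "Certificate",
    "metadata": {"name": "okteto-letsencrypt", "namespace": "okteto"},
    "spec": {"secretName": "okteto-letsencrypt", "duration": "8760h0m0s", "renewBefore": "600h0m0s",
             "issuerRef": {"name": "okteto-letsencrypt", "kind": "Issuer"},
             "dnsNames": ["*.okteto.example.test"]},
}
OKTETO_VALUES = {
    "wildcardCertificate": {"create": False, "name": "okteto-letsencrypt"},
    "ingress-nginx": {"controller": {"extraArgs": {
        "default-ssl-certificate": "$(POD_NAMESPACE)/okteto-letsencrypt"}}},
}

if __name__ == "__main__":
    for problem in check_setup(ISSUER, CERTIFICATE, OKTETO_VALUES) or ["no problems found"]:
        print(problem)
```

The checks deliberately work on plain dicts so they run without a cluster; if you load the real YAML files (for example with PyYAML's `safe_load`) the same `check_setup` call applies. A mismatch between `secretName`, `wildcardCertificate.name` and `default-ssl-certificate` is the usual reason NGINX keeps serving its self-signed fallback certificate after the upgrade, so it is worth catching before `helm upgrade` rather than from the ingress controller logs afterwards.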

When installing cert-manager into Azure I keep getting an

Error: INSTALLATION FAILED: failed post-install: timed out waiting for the condition

My helm install with the debug flag is:

helm install -f values.yaml --debug \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.9.1 \
  --set prometheus.enabled=false \
  --set webhook.timeoutSeconds=30

the values.yaml:

extraArgs: [--issuer-ambient-credentials=true]
serviceAccount:
  annotations:
    azure.workload.identity/client-id: xxxxxxxx-yyyy-zzzzzzzzz-aaaaaaaaaaaa

the debugging output is:

install.go:192: [debug] Original chart version: "v1.9.1"
install.go:209: [debug] CHART PATH: /root/.cache/helm/repository/cert-manager-v1.9.1.tgz

client.go:128: [debug] creating 1 resource(s)
client.go:128: [debug] creating 38 resource(s)
client.go:310: [debug] Starting delete for "cert-manager-startupapicheck" ServiceAccount
client.go:339: [debug] serviceaccounts "cert-manager-startupapicheck" not found
client.go:128: [debug] creating 1 resource(s)
client.go:310: [debug] Starting delete for "cert-manager-startupapicheck:create-cert" Role
client.go:339: [debug] roles.rbac.authorization.k8s.io "cert-manager-startupapicheck:create-cert" not found
client.go:128: [debug] creating 1 resource(s)
client.go:310: [debug] Starting delete for "cert-manager-startupapicheck:create-cert" RoleBinding
client.go:339: [debug] rolebindings.rbac.authorization.k8s.io "cert-manager-startupapicheck:create-cert" not found
client.go:128: [debug] creating 1 resource(s)
client.go:310: [debug] Starting delete for "cert-manager-startupapicheck" Job
client.go:339: [debug] jobs.batch "cert-manager-startupapicheck" not found
client.go:128: [debug] creating 1 resource(s)
client.go:540: [debug] Watching for changes to Job cert-manager-startupapicheck with timeout of 5m0s
client.go:568: [debug] Add/Modify event for cert-manager-startupapicheck: ADDED
client.go:607: [debug] cert-manager-startupapicheck: Jobs active: 1, jobs failed: 0, jobs succeeded: 0
Error: INSTALLATION FAILED: failed post-install: timed out waiting for the condition
helm.go:84: [debug] failed post-install: timed out waiting for the condition
INSTALLATION FAILED
main.newInstallCmd.func2
        helm.sh/helm/v3/cmd/helm/install.go:141
github.com/spf13/cobra.(*Command).execute
        github.com/spf13/cobra@v1.5.0/command.go:872
github.com/spf13/cobra.(*Command).ExecuteC
        github.com/spf13/cobra@v1.5.0/command.go:990
github.com/spf13/cobra.(*Command).Execute
        github.com/spf13/cobra@v1.5.0/command.go:918
main.main
        helm.sh/helm/v3/cmd/helm/helm.go:83
runtime.main
        runtime/proc.go:250
runtime.goexit
        runtime/asm_amd64.s:1571

Is this a known issue?

@gabriel The Helm release install is failing on the startup API check job.
We disable it on our install; you can do it too with:

startupapicheck:
  enabled: false

Or the equivalent flag-based argument:

helm install -f values.yaml --debug \
  cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --create-namespace \
  --version v1.9.1 \
  --set startupapicheck.enabled=false \
  --set prometheus.enabled=false \
  --set webhook.timeoutSeconds=30