feat: DNS

Signed-off-by: Rémi Verchère <remi@verchere.fr>

content/posts/2021/2021-09-23-dns-01-challenge-wildcard-cert-kubernetes.md

@@ -24,3 +24,148 @@ You can read more about it here: https://letsencrypt.org/docs/challenge-types/
 To request such a certificate in a Kubernetes cluster, you need to automatically update the DNS records from your provider. Only major cloud providers are natively supported by default, but you can extend it using webhooks.
 
 In this article, we will see how to quickly set up a k8s cluster, configuring cert-manager to handle DNS-01 challenge and get wildcard certificates.
+
+## Setup & Prerequisites
+
+For this setup, I will use the following platform and tools:
+
+- Scaleway Kubernetes Kapsule to bootstrap a k8s cluster
+- Scaleway DNS, as we can manage it with cert-manager webhooks
+- Terraform to quickly setup everything
+- k8s Lens to easily view the k8s resources
+
+I will not cover Terraform installation or other kubectl & helm tools, you can find good resources somewhere else.
+
+## Cluster provisioning
+
+Using Terraform, you can provision a Kapsule cluster. We just use a scaleway_k8s_cluster and a scaleway_k8s_pool resource:
+
+```tf
+terraform {
+  required_providers {
+    scaleway = {
+      source = "scaleway/scaleway"
+      version = "2.1.0"
+    }
+  }
+  required_version = ">= 0.13"
+}
+
+provider "scaleway" {
+  zone            = "fr-par-1"
+  region          = "fr-par"
+}
+
+resource "scaleway_k8s_cluster" "k8s_cluster" {
+  name = var.k8s_cluster_name
+  version = "1.22.2"
+  cni = "cilium"
+}
+
+resource "scaleway_k8s_pool" "k8s_pool" {
+  cluster_id = scaleway_k8s_cluster.k8s_cluster.id
+  name = var.k8s_pool_name
+  node_type = "DEV1-M"
+  size = 2
+  autohealing = true
+}
+
+resource "local_file" "kubeconfig" {
+  content = scaleway_k8s_cluster.k8s_cluster.kubeconfig[0].config_file
+  filename = "${path.module}/${scaleway_k8s_cluster.k8s_cluster.name}-kubeconfig"
+  file_permission = "0600"
+}
+```
+
+Now we can provision the cluster:
+
+```shell
+$ terraform init
+$ terraform plan -out k8s_scaleway.out
+$ terraform apply k8s_scaleway.out
+```
+
+Wait few minutes and we will have a functional cluster with Nginx as an ingress controller, with a load-balancer, and a cert-manager configured. We will also find a kubeconfig file ready for playing with the cluster!
+
+## DNS Setup
+
+We can configure DNS entry to link the load balancer IP address to our cluster domain. I could do it automatically, but there is no Terraform resource for Scaleway right now (planned for the next release, see [here](https://github.com/scaleway/terraform-provider-scaleway/blob/master/docs/resources/domain_record.md)).
+
+For this setup, my domain is scw.vrchr.fr, so any URL ending with it will be redirect to the k8s cluster through the load balancer.
+
+![scw.vrch.fr](/2021/09/2021-09-23-dns-scaleway.png)
+
+Edit: the cluster just created does not exists anymore as you are reading this, as it was only online for this article. So don’t try to resolve the following FQDN ;)
+
+## Wildcard Certificate with DNS-01
+
+### Scaleway webhook
+
+Remember, for some providers we need to use cert manager webhooks to manage the DNS entries. So we install it:
+
+```shell
+$ git clone https://github.com/scaleway/cert-manager-webhook-scaleway.git
+$ cd cert-manager-webhook-scaleway
+$ helm install scaleway-webhook deploy/scaleway-webhook --set secret.accessKey=changeme --set secret.secretKey=changeme --set certManager.serviceAccountName=jetstack-cert-manager --namespace=cert-manager
+```
+
+Be careful of the serviceAccountName which has to be the same as the one created with the cert-manager Helm chart.
+
+So now we can see, using our preferred tool, the deployments and all the cert-manager configs and custom resources:
+
+![cert-manager deployments](/2021/09§2021-09-23-cert-manager.png)
+
+![cert-manager CRDs](/2021/09§2021-09-23-cert-manager-crd.png)
+
+### Issuer and Certificates
+
+Next, we have to create a certificate issuer, which will be responsible to request the TLS certificates. This is a Custom Resource, with the property “dns01”. We create a ClusterIssuer instead of Issuer to be able to manage certificates cluster-wide:
+
+```yaml
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: scaleway-issuer-prod
+spec:
+  acme:
+    email: name@company.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: scaleway-private-key-secret
+    solvers:
+    - dns01:
+        webhook:
+          groupName: acme.scaleway.com
+          solverName: scaleway
+```
+
+```shell
+$ kubectl apply -f cert_issuer.yaml
+```
+
+We can add another issuer for staging certificates if needed.
+
+Now, Let’s create a certificate request! We’ll make request one for “*.scw.vrchr.fr”, which will be stored in a secret called “wildcard-scw-vrchr-fr-tls”:
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-scw-vrchr-fr-tls
+  namespace: default
+spec:
+  dnsNames:
+  - "*.scw.vrchr.fr"
+  issuerRef:
+    name: scaleway-issuer-prod
+    kind: ClusterIssuer
+  secretName: wildcard-scw-vrchr-fr-tls
+```
+
+What happens now?
+
+Let’s Encrypt detects a Certificate Request, and makes the request to the servers
+It uses the webhook to create a TXT DNS entry, here it’s : _acme-challenge.scw.vrchr.fr
+The server will check the DNS entry, and validate the request. Be patient, DNS propagation can be long…
+The certificate is now created, and a secret is now in you cluster!
\ No newline at end of file