I try to help a client to setup istio + cert-manager + azure dns toolsets working on their AKS cluster.
My plan is to
- Get istio installed in istio-system namespace
- Get cert-manager install separately
- Set A record and configure the domain in azure dns.
- Configure ClusterIssuer for azure dns
You can follow along with the istio installation guild to use istioctl to get it installed pretty quickly. And you could use helm to install cert-manager by using the tool of the choice by yourself. Such as helm
So once you have all of these installed. you will need to configure the ClusterIssuer. Prior to it, you need to get your secret to present challenge to azure dns. There is full documentation for it on cert-manager’s official website. just search “dns01 > azuredns”
The above works pretty straight forward, the tricky part is coming from the certificate creation. you may getting the following error when you generate the cert.
error: unable to recognize “STDIN”: no matches for kind “Certificate” in version “certmanager.k8s.io/v1alpha1”
So you might working this off on the istio documentation, however the istio documentation didn’t update the apiVersion for cert manager. so instead of using “certmanager.k8s.io/v1alpha1”, you have to use “apiVersion: cert-manager.io/v1alpha2”
However, you may see the following error as well:
error: error validating "STDIN": error validating data: ValidationError(Certificate.spec): unknown field "acme" in io.cert-manager.v1alpha2.Certificate.spec; if you choose to ignore these errors, turn validation off with --validate=false
This is also tricky, the resolution is to remove the acme part from your cert yaml file. and it should work.