Skip to main content

Bring your own DNS domain

Context

custome dns

By default, k8saas uses the subdomain kaas.thalesdigital.io or k8saas.thalesdigital.io. For instance: grafana.myinstance-prod.eu.k8saas.thalesdigital.io for Grafana

It is possible to use your own Azure DNS zone !

Grafana URL would be:

  • grafana.myinstance-prod.mydomain.thalesdigital.io

Use case

  • Expose several applications to end-users under the same subdomain
  • Migrate from PCF to k8saas keeping the previous subdomain

What to do ?

Step 1: DNS Zone Contributor role assignment

You will need to give DNS Zone Contributor to the cluster Workload Identity, The name of the workload should look like this:

k8saas-rbo-sandbox-wid

Using the Azure portal:

here

here

here

here

here

Once DONE, provide to the k8saas support the following information:

  • the ID of the subscription where the DNS zone is
  • the name of the resource group where the DNS zone is

Step 2: Change performed

Once the k8saas support term has performed the changed, you will receive a confirmation email. After that, you should be able to use to custom subdomain in ingress configuration.

TROUBLESHOOTING

Investigate why the TLS certificate is not valid ?

All the information are in events of the namespace; so during the deployment of your ingress, I recommend using the following command:

$ kubectl get events -n <your_namespace> -w

The following lines are important:

  • "Challenge scheduled for processing" - meaning the TLS certificate mechanism is ready
  • "Presented challenge using DNS-01 challenge mechanism" - meaning the TLS certificate mechanism uses DNS-01 challenge method. To understand better what it is: doc
  • "Created Challenge resource "grafana-tls-secret-XXXXX" for domain "grafana.k8saas-myinstance-prod.mysubdomain.thalesdigital.io"" - meaning a secret will be created in your namespace to store the content of the TLS certificate.
  • "Issuing certificate as Secret does not exist" - meaning there is no certificate in the secret yet. It's normal
  • "Created new CertificateRequest resource "grafana-tls-secret-7g2mn"" - meaning, new certificate is requested
  • "Domain "grafana.k8saas-myinstance-prod.mysubdomain.thalesdigital.io" verified with "DNS-01" validation" - please check if the domain correspond to what you want
  • "The certificate has been successfully issued" - The TLS certificate is ready

Once done, you can also check the status of the certificate using:

$ kubectl get certificate -n yournamespace
NAME READY SECRET AGE
app-tls-secret True app-tls-secret 44m
note

We do not support multiple domain at the moment.