Bring your own DNS domain
Context
By default, k8saas uses the subdomain kaas.thalesdigital.io or k8saas.thalesdigital.io. For instance, Grafana is exposed at grafana.myinstance-prod.eu.k8saas.thalesdigital.io.
It is possible to use your own Azure DNS zone!
The Grafana URL would then be:
- grafana.myinstance-prod.mydomain.thalesdigital.io
Use case
- Expose several applications to end-users under the same subdomain
- Migrate from PCF to k8saas keeping the previous subdomain
What to do?
Step 1: Ask for a DNS App Registration
Ask for a k8saas app registration to allow the k8saas service to add entries in your DNS. The request needs to be sent on the TrustNest K8SaaS Service catalog with the following information:
The k8saas support will provide you with a clientID and/or the name of the app registration, following this nomenclature: "dns-yourdomain-sp"
Step 2: DNS Zone Contributor role assignment
Once the app registration is received, you have to grant it the "DNS Zone Contributor" role.
Using the Azure portal:
Once done, provide the k8saas support with the following information:
- the ID of the subscription where the DNS zone is
- the name of the resource group where the DNS zone is
Step 3: Change performed
Once the k8saas support team has performed the change, you will receive a confirmation email. After that, you should be able to use the custom subdomain in your ingress configuration.
HOWTO
Use 2 different domains with k8saas?
This feature is not yet supported.
TROUBLESHOOTING
Investigate why the TLS certificate is not valid?
All the information is in the events of the namespace, so during the deployment of your ingress, I recommend using the following command:
$ kubectl get events -n <your_namespace> -w
The following lines are important:
- "Challenge scheduled for processing" - meaning the TLS certificate mechanism is ready
- "Presented challenge using DNS-01 challenge mechanism" - meaning the TLS certificate mechanism uses the DNS-01 challenge method. To understand better what it is: doc
- "Created Challenge resource "grafana-tls-secret-XXXXX" for domain "grafana.k8saas-myinstance-prod.mysubdomain.thalesdigital.io"" - meaning a secret will be created in your namespace to store the content of the TLS certificate
- "Issuing certificate as Secret does not exist" - meaning there is no certificate in the secret yet. This is normal
- "Created new CertificateRequest resource "grafana-tls-secret-7g2mn"" - meaning a new certificate is requested
- "Domain "grafana.k8saas-myinstance-prod.mysubdomain.thalesdigital.io" verified with "DNS-01" validation" - please check that the domain corresponds to what you want
- "The certificate has been successfully issued" - meaning the TLS certificate is ready
Once done, you can also check the status of the certificate using:
$ kubectl get certificate -n yournamespace
NAME             READY   SECRET           AGE
app-tls-secret   True    app-tls-secret   44m
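A small triage helper for the event messages listed above, as an added example that is not part of the k8saas documentation: it reports which of those messages are still missing and whether the verified domain is the host you expect. The function names and the sample event lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not k8saas tooling: reads `kubectl get events` output on stdin.
# The messages from the troubleshooting list, one fixed substring per line.
MILESTONES='Challenge scheduled for processing
Presented challenge using DNS-01 challenge mechanism
Created Challenge resource
Issuing certificate as Secret does not exist
Created new CertificateRequest resource
verified with "DNS-01" validation
The certificate has been successfully issued'

# Print each domain that an event reports as verified through DNS-01.
verified_domains() {
    sed -n 's/.*Domain "\([^"]*\)" verified with "DNS-01" validation.*/\1/p' | sort -u
}

# Print the listed messages that do not appear in the events yet.
missing_milestones() {
    events=$(cat)
    printf '%s\n' "$MILESTONES" | while IFS= read -r m; do
        printf '%s\n' "$events" | grep -qF -- "$m" || printf '%s\n' "$m"
    done
}

# cert_status HOST: prints issued, pending or domain-mismatch.
# Assumption: the events on stdin belong to a single ingress deployment.
cert_status() {
    events=$(cat)
    domains=$(printf '%s\n' "$events" | verified_domains)
    if [ -n "$domains" ] && ! printf '%s\n' "$domains" | grep -qxF -- "$1"; then
        echo domain-mismatch   # a domain was verified, but not the expected one
    elif [ -n "$domains" ] && printf '%s\n' "$events" | grep -qF 'The certificate has been successfully issued'; then
        echo issued
    else
        echo pending
    fi
}

# Constructed sample: messages come from the list above, other columns are made up.
sample_events() {
cat <<'EOF'
3m   Normal   Issuing          certificate/grafana-tls-secret   Issuing certificate as Secret does not exist
3m   Normal   Requested        certificate/grafana-tls-secret   Created new CertificateRequest resource "grafana-tls-secret-7g2mn"
3m   Normal   Started          challenge/grafana-tls-secret     Challenge scheduled for processing
2m   Normal   Presented        challenge/grafana-tls-secret     Presented challenge using DNS-01 challenge mechanism
1m   Normal   DomainVerified   challenge/grafana-tls-secret     Domain "grafana.k8saas-myinstance-prod.mysubdomain.thalesdigital.io" verified with "DNS-01" validation
EOF
}
sample_events | cert_status grafana.k8saas-myinstance-prod.mysubdomain.thalesdigital.io   # prints: pending
```

Against a live cluster, pipe `kubectl get events -n <your_namespace>` into `cert_status <your_host>` or `missing_milestones` instead of the sample.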