1 year ago
#296787
Kube-newbie
Azure DNS for dns01 challenge for the internal domain of an organization?
The setup in the organization is: the domain is internal to the organization, and so is its DNS server. The Kubernetes cluster is set up within the datacenter VMware infrastructure, and this cluster (k8s-dc.<org.domain>) must be internal, as are the applications deployed in the cluster.
Traefik is in use as the ingress controller; MetalLB is provisioned with 10 IPs from the same CIDR block as the k8s cluster, and there is a wildcard record for the LB IP that is pointed to the Traefik service. Things are working pretty fine so far, and plain HTTP applications are accessible through the Traefik ingress controller.
The issue all started with enabling TLS certs for applications. The organization can't open ports 80/443 to the internet for the Let's Encrypt http01/tls-alpn-01 challenge, so the idea is to go with the dns01 challenge. The organization doesn't have an ACME-supported external DNS provider, so is it advisable to use Azure DNS for subdomain delegation?
The subdomain has in fact been delegated to Azure and it's resolvable from the internet. A ClusterIssuer is in place with all the necessary azureDNS config:
Status:
  Acme:
    Last Registered Email:  xyz@yzx.se
    Uri:                    https://acme-v02.api.letsencrypt.org/acme/acct/452015810
  Conditions:
    Last Transition Time:  2022-03-15T15:26:23Z
    Message:               The ACME account was registered with the ACME server
    Observed Generation:   1
    Reason:                ACMEAccountRegistered
    Status:                True
    Type:                  Ready
Events:
The CertificateRequest is stuck in pending:
Status:
  Conditions:
    Last Transition Time:  2022-03-15T15:35:14Z
    Message:               Certificate request has been approved by cert-manager.io
    Reason:                cert-manager.io
    Status:                True
    Type:                  Approved
    Last Transition Time:  2022-03-15T15:35:14Z
    Message:               Waiting on certificate issuance from order rbac-test/cert-to-use-8gmj7-3966242034: "pending"
    Reason:                Pending
    Status:                False
    Type:                  Ready
Events:
My question here is: the LB IP is internal to the organization and the wildcard entry is made within the organization. When nslookup -type=NS k8s-dc.<org.domain> is run from within the organization, the nameservers resolve to the internal nameservers, but from the outside internet they resolve to Azure DNS. I think I'm missing something in the whole setup. How can I use Azure DNS for the dns01 challenge for the internal domain of an organization?
kubernetes
traefik
cert-manager
azure-dns
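Added example (not from the original poster and not cert-manager's own documentation): a cert-manager ClusterIssuer that solves the ACME dns01 challenge through a delegated Azure DNS zone, in the shape the question describes. Every ID, secret, zone name and e-mail address below is a placeholder; k8s-dc.example.org stands in for k8s-dc.<org.domain>. The service principal is scoped to the single zone, since the credential stored in the cluster only ever needs to write TXT records there.

```yaml
# Added example: ClusterIssuer for dns01 via a delegated Azure DNS zone.
# All values in <...> and example.org are placeholders.
apiVersion: v1
kind: Secret
metadata:
  name: azuredns-sp-secret
  namespace: cert-manager          # cert-manager reads ClusterIssuer secrets from its own namespace
type: Opaque
stringData:
  # Client secret of a service principal holding only the
  # "DNS Zone Contributor" role, assigned on this one zone (least privilege).
  client-secret: "<SERVICE_PRINCIPAL_CLIENT_SECRET>"
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-azuredns
spec:
  acme:
    email: ops@example.org                      # placeholder contact address
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-azuredns-account-key    # ACME account key, created by cert-manager
    solvers:
    - selector:
        # Route only names under the delegated zone through this solver,
        # so a request for some other internal name cannot reach Azure.
        dnsZones:
        - "k8s-dc.example.org"
      dns01:
        azureDNS:
          clientID: "<SERVICE_PRINCIPAL_APP_ID>"
          clientSecretSecretRef:
            name: azuredns-sp-secret
            key: client-secret
          subscriptionID: "<AZURE_SUBSCRIPTION_ID>"
          tenantID: "<AZURE_TENANT_ID>"
          resourceGroupName: "<RESOURCE_GROUP_CONTAINING_THE_ZONE>"
          hostedZoneName: "k8s-dc.example.org"  # the zone delegated to Azure
          environment: AzurePublicCloud
```

The check a practitioner would make here concerns the split-horizon resolution the post describes. Before cert-manager asks the ACME server to validate, it performs its own pre-flight check that the _acme-challenge TXT record is visible; to do so it discovers the zone's authoritative nameservers using the resolver of the cert-manager pod, which in this setup is the cluster DNS forwarding to the internal corporate DNS. For k8s-dc.<org.domain> those internal servers answer with the internal NS records, which never carry Azure's TXT record, so the self-check never passes and the Order stays "pending" (this is the assumed cause; the post does not show the challenge's own status). The standard fix is to run the cert-manager controller with the arguments --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53 and --dns01-recursive-nameservers-only, so the self-check resolves through public resolvers that follow the delegation to Azure (with the Helm chart these go under extraArgs). Confirm the two views first with dig NS k8s-dc.example.org @<internal resolver> versus dig NS k8s-dc.example.org @1.1.1.1. One caveat worth weighing before going live: every publicly trusted certificate is published in Certificate Transparency logs, so each internal hostname issued this way becomes publicly visible; a single wildcard certificate for the zone limits that exposure to the zone name itself.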
0 Answers