Setting up TLS and DNS on Azure

DNS zone creation

Create a common resource group dedicated to all your DNS zones:

$ az group create --name rg-dns --location westeurope
{
  "id": "/subscriptions/49721339-fe83-4562-afec-783c3f00c06f/resourceGroups/rg-dns",
  "location": "westeurope",
  "managedBy": null,
  "name": "rg-dns",
  "properties": {
    "provisioningState": "Succeeded"
  },
  "tags": null,
  "type": "Microsoft.Resources/resourceGroups"
}

Create an Azure DNS zone with the name of your domain:

$ az network dns zone create -g rg-dns -n
  "etag": "00000002-0000-0000-e2d9-80ef0df0d601",
  "id": "/subscriptions/49721339-fe83-4562-afec-783c3f00c06f/resourceGroups/rg-dns/providers/Microsoft.Network/dnszones/",
  "location": "global",
  "maxNumberOfRecordSets": 10000,
  "name": "",
  "nameServers": [
  "numberOfRecordSets": 2,
  "registrationVirtualNetworks": null,
  "resolutionVirtualNetworks": null,
  "resourceGroup": "rg-dns",
  "tags": {},
  "type": "Microsoft.Network/dnszones",
  "zoneType": "Public"

Domain DNS servers configuration

In your registrar admin panel, find the DNS servers section of the domain you want to use and replace the default ones with those from the first step:

[Screenshot: DNS servers section]

[Screenshot: DNS servers update]

Test the DNS delegation by adding an A record in the Azure DNS zone you’ve previously created:

$ az network dns record-set a add-record -g rg-dns -z -n potato -a
{
  "arecords": [
    {
      "ipv4Address": ""
    }
  ],
  "etag": "a80b3397-dd76-4ad8-a789-0fd1dbd02d99",
  "fqdn": "",
  "id": "/subscriptions/49721339-fe83-4562-afec-783c3f00c06f/resourceGroups/rg-dns/providers/Microsoft.Network/dnszones/",
  "metadata": null,
  "name": "potato",
  "provisioningState": "Succeeded",
  "resourceGroup": "rg-dns",
  "targetResource": {
    "id": null
  },
  "ttl": 3600,
  "type": "Microsoft.Network/dnszones/A"
}

Then check it:

$ nslookup

Non-authoritative answer:

You can finally remove this test A record:

$ az network dns record-set a remove-record --resource-group rg-dns --zone-name --record-set-name "potato" --ipv4-address
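
The nslookup test above only shows that a resolver returns an answer. The script below is an added example, not part of the original page: it compares the name servers Azure assigned to the zone with the NS records actually published for the domain, so a partial or stale delegation at the registrar is caught before TLS is enabled. The function names and the example.com zone in the usage comment are placeholders chosen for this example.

```shell
#!/usr/bin/env bash
# Added example: detect a delegation mismatch between Azure DNS and the registrar.

# Read name servers on stdin (space, tab or newline separated) and print them
# one per line, lowercased, without the trailing dot, sorted and de-duplicated.
normalize_ns() {
  tr -s ' \t\r' '\n' | tr 'A-Z' 'a-z' | sed -e 's/\.$//' -e '/^$/d' | sort -u
}

# delegation_diff EXPECTED OBSERVED
#   EXPECTED: name servers Azure assigned to the zone
#   OBSERVED: NS records published for the domain
# Prints "missing <ns>" for Azure servers the delegation lacks and
# "unexpected <ns>" for published servers Azure did not assign.
# Returns 0 on an exact match, 1 on any difference, 2 if either list is empty.
delegation_diff() {
  local expected observed ns status
  expected=$(printf '%s\n' "$1" | normalize_ns)
  observed=$(printf '%s\n' "$2" | normalize_ns)
  if [ -z "$expected" ] || [ -z "$observed" ]; then
    echo "error: empty name server list"
    return 2
  fi
  status=0
  for ns in $expected; do
    printf '%s\n' "$observed" | grep -Fqx -- "$ns" || { echo "missing $ns"; status=1; }
  done
  for ns in $observed; do
    printf '%s\n' "$expected" | grep -Fqx -- "$ns" || { echo "unexpected $ns"; status=1; }
  done
  return $status
}

# Live usage (needs az and dig), with the resource group from this page and a
# placeholder zone name:
#   ./check-delegation.sh rg-dns example.com
if [ "$#" -eq 2 ]; then
  expected=$(az network dns zone show -g "$1" -n "$2" --query nameServers -o tsv)
  observed=$(dig +short NS "$2")
  delegation_diff "$expected" "$observed"
fi
```

A leftover registrar name server in the "unexpected" output means some resolvers will still query a zone you do not manage in Azure.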

Cluster creation

Generate a new infrastructure repository and a new cluster repository, then put this at the end of your infrastructure repository:

subdomain = "jx"
apex_domain = ""
apex_domain_integration_enabled = "true"
apex_resource_group_name = "rg-dns"

Commit these changes:

$ git add
$ git commit -m "chore: DNS configuration"

And create the cluster:

$ terraform init
$ terraform plan
$ terraform apply

Cluster configuration

Once the cluster creation and the boot job are completed, configure TLS in jx-requirements.yaml in your cluster repository (don’t forget to retrieve the boot changes first with git pull):

  ingress:
    externalDNS: true
    kind: ingress
    namespaceSubDomain: -jx.
    tls:
      email: ""
      enabled: true
      production: false

Commit and push these changes:

$ git add
$ git commit -m "chore: domain and TLS configuration"
$ git push

After the boot job, verify with:

$ jx verify tls --production=false --timeout 20m

When you’re happy with your changes, you can set production to true to get a real certificate, then after the boot job, verify it with:

$ jx verify tls --production=true --timeout 20m

Last modified June 16, 2021: fix: semver (174bc38eec)