feat(caddy): use cert-manager for TLS certificates

- Add Certificate CRDs for vhaudiquet.fr, wildcard, and buildpath.win - Keep semery.fr certs in certificates-secret.yaml (manual until OVH API) - Update Caddyfile to use new TLS certificate paths (tls.crt/tls.key) - Update values.yaml to mount cert-manager secrets for Cloudflare domains - Mount semery.fr certs from caddy-certificates secret with item mappings Certificates for Cloudflare domains will be auto-renewed by cert-manager.
2026-06-27 11:42:38 +00:00 · 2026-06-16 12:08:07 +02:00
parent 86023b3721
commit 4774208668
4 changed files with 120 additions and 28 deletions
@@ -0,0 +1,52 @@
+# Certificates managed by cert-manager
+# These will automatically renew before expiry
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vhaudiquet-fr
+  namespace: caddy
+spec:
+  secretName: vhaudiquet-fr-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: vhaudiquet.fr
+  dnsNames:
+    - vhaudiquet.fr
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-vhaudiquet-fr
+  namespace: caddy
+spec:
+  secretName: wildcard-vhaudiquet-fr-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "*.vhaudiquet.fr"
+  dnsNames:
+    - "*.vhaudiquet.fr"
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry
+---
+# semery.fr certificates are managed manually in certificates-secret.yaml
+# until OVH DNS API credentials are added for DNS-01 challenges
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: buildpath-win
+  namespace: caddy
+spec:
+  secretName: buildpath-win-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: buildpath.win
+  dnsNames:
+    - buildpath.win
+  duration: 2160h # 90 days
+  renewBefore: 360h # 15 days before expiry