From e9ab217466b72d31cb05a1c95bc7e08af3fe5ad9 Mon Sep 17 00:00:00 2001 From: Valentin Haudiquet Date: Tue, 16 Jun 2026 10:15:53 +0200 Subject: [PATCH] cert-manager: add cert-manager for automatic certificate renewal Add cert-manager with DNS-01 challenge support: - Cloudflare (vhaudiquet.fr, buildpath.win) --- .github/dependabot.yml | 1 + .../cloudflare-api-token-secret.yaml | 47 +++++++++++++ .../system/cert-manager/clusterissuer.yaml | 24 +++++++ .../system/cert-manager/kustomization.yaml | 16 +++++ .../system/cert-manager/kustomizeconfig.yaml | 12 ++++ kubernetes/system/cert-manager/namespace.yaml | 6 ++ kubernetes/system/cert-manager/release.yaml | 19 ++++++ .../system/cert-manager/repository.yaml | 8 +++ kubernetes/system/cert-manager/values.yaml | 66 +++++++++++++++++++ 9 files changed, 199 insertions(+) create mode 100644 kubernetes/system/cert-manager/cloudflare-api-token-secret.yaml create mode 100644 kubernetes/system/cert-manager/clusterissuer.yaml create mode 100644 kubernetes/system/cert-manager/kustomization.yaml create mode 100644 kubernetes/system/cert-manager/kustomizeconfig.yaml create mode 100644 kubernetes/system/cert-manager/namespace.yaml create mode 100644 kubernetes/system/cert-manager/release.yaml create mode 100644 kubernetes/system/cert-manager/repository.yaml create mode 100644 kubernetes/system/cert-manager/values.yaml diff --git a/.github/dependabot.yml b/.github/dependabot.yml index 8455141..ca3d149 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -54,6 +54,7 @@ updates: - "/kubernetes/production/vhaudiquet-fr" - "/kubernetes/system/blocky" - "/kubernetes/system/caddy" + - "/kubernetes/system/cert-manager" - "/kubernetes/system/coredns" - "/kubernetes/system/csi-driver-nfs" - "/kubernetes/system/external-dns" diff --git a/kubernetes/system/cert-manager/cloudflare-api-token-secret.yaml b/kubernetes/system/cert-manager/cloudflare-api-token-secret.yaml new file mode 100644 index 0000000..e9f2011 --- /dev/null 
+++ b/kubernetes/system/cert-manager/cloudflare-api-token-secret.yaml 
@@ -0,0 +1,47 @@ +# Cloudflare API Token for DNS-01 Challenges +# +# A Cloudflare API token with the following permissions: +# - Zone > DNS > Edit +# - Zone > Zone > Read +# +# Base64-encoded: +# echo -n "api-token" | base64 +# +# This file will be SOPS-encrypted on pre-commit +apiVersion: v1 +kind: Secret +metadata: + name: cloudflare-api-token + namespace: cert-manager + labels: + app.kubernetes.io/name: cert-manager + app.kubernetes.io/component: cloudflare-api-token +type: Opaque +data: + api-token: ENC[AES256_GCM,data:Ty7PlsPTOUd1zjY5Z+YuKwQ9DbKuvZo8FPz4jdhQFbLGfSwkC8GkOE8LeqxxxdNCDm59luaoPmIVhmrog9SbZLjRw9Mfmh9E,iv:dSpHCC4E8JadygLfG3T3UObPic92fDLm1SDw/j9FxUA=,tag:9KoD5LNqR1WfXbv2upGwiw==,type:str] +sops: + lastmodified: "2026-06-16T08:15:23Z" + mac: ENC[AES256_GCM,data:psnVaPRr7viLZPtR9CW0G8QJuO5fWHzlPs+iyuWPUSR3mqNadL9tZ5Waz90dlWpXrQnxXpna+mjTwKRYdIDiITEBMLE3dqMvDjPU4h74RhSO/HxgpU6GFQnm0V+yVh9qTnY6JAXM0lLelVvXLTi5mjQr6k/4+uoVUvQ8CvDOAnw=,iv:eJCaQGtzD67KRuMqWvNEWj+WN3YkyN6YEbWhrLM6Pv8=,tag:jrRSXYod7s5g/QoI3/i/xA==,type:str] + pgp: + - created_at: "2026-06-16T08:15:17Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7uy4qQr71wiAQ/+JlRMdXmo44Z0GBjsd4mfls2AHs9Jrcan674/rKx17Ixk + ucKBC+2GA9aLp3bGKB/7bExEgW9Wn0Ufa7Qf7KTjhr37Foz8FI4Nldq0v/GTQHTh + W/M/F+OtkBJDrcqN4cWIIfOTgkkTcgcChYaJYIpRinRzcTMCMC0EQQl6nZm3dFUw + 6yPWEnbPRbEXVExq6tnU+zcGHazD9e03lUJiEWC1M7ot0sxpmzwrIFrIfJrfbQ9n + 2fTlrYOKJk+M2XpiYojH8v6YCLKUTHCir1Nqfp2/xG/gT6zqfXODA2YRWxNQDMKr + 39kinwny02F5tbTRxteni3rtgYEgkXUbvogYSbjNOYicEZ3PqmRuniF+L+6Bxxq2 + 3u5J3nhU1BncFjeWA1ZzyvfwenRRI+faO/nPRSuWe7Dt5c3+AodeFqIRAQNFZmor + WgiLTz6oOhvY9ieAp4nmcVRxl91luJzq1abtAvDLz4XN37uCqF0gwv1BAXCMW4NC + 75IsfJU13Ctpccj5wQLuKMV2pQML1Q8MQluPr/dhqgAU3zFJVmGYtkvDemGEsMS/ + xW6mgRPJXmClcoNhLYT9T0flSSrVRsAnGcMeoPhTePLxrrqZmEmZFNxo1+aSLnwJ + RP05RIZY//88R7MJidPkqqXekIQ9dmZb7M+43k9Re1nmi/CQs+ZxtnhGoz/DpZDS + XgGcVSS9GOEUcq7EOkxZZFHCR2VNGnpUyLPRtzsUJh0eAxOU3M5XLThFBk7yw8Co + 
ov0TDoVOo1cqCLkdiEOM2CNkXBTjlRdJg7pQMO1ytXzkoc1EFTTK6QMy7O0FL5U= + =xoE8 + -----END PGP MESSAGE----- + fp: DC6910268E657FF70BA7EC289974494E76938DDC + encrypted_regex: ^(data|stringData|.*.key|.*.crt)$ + version: 3.10.2 diff --git a/kubernetes/system/cert-manager/clusterissuer.yaml b/kubernetes/system/cert-manager/clusterissuer.yaml new file mode 100644 index 0000000..3c1593c --- /dev/null +++ b/kubernetes/system/cert-manager/clusterissuer.yaml @@ -0,0 +1,24 @@ +# Let's Encrypt ClusterIssuer +# Supports multiple DNS providers via DNS-01 challenge + +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: letsencrypt-production +spec: + acme: + server: https://acme-v02.api.letsencrypt.org/directory + email: vhaudiquet343@hotmail.fr + privateKeySecretRef: + name: letsencrypt-production-account-key + solvers: + # Cloudflare solver for vhaudiquet.fr and buildpath.win + - dns01: + cloudflare: + apiTokenSecretRef: + name: cloudflare-api-token + key: api-token + selector: + dnsZones: + - vhaudiquet.fr + - buildpath.win diff --git a/kubernetes/system/cert-manager/kustomization.yaml b/kubernetes/system/cert-manager/kustomization.yaml new file mode 100644 index 0000000..82702ae --- /dev/null +++ b/kubernetes/system/cert-manager/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: cert-manager +resources: + - namespace.yaml + - repository.yaml + - release.yaml + - cloudflare-api-token-secret.yaml + - ovh-api-credentials-secret.yaml + - clusterissuer.yaml +secretGenerator: + - name: cert-manager-values + files: + - values.yaml=values.yaml +configurations: + - kustomizeconfig.yaml diff --git a/kubernetes/system/cert-manager/kustomizeconfig.yaml b/kubernetes/system/cert-manager/kustomizeconfig.yaml new file mode 100644 index 0000000..c061c90 --- /dev/null +++ b/kubernetes/system/cert-manager/kustomizeconfig.yaml 
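Review bot: The permission comment at the top of the cloudflare-api-token-secret.yaml hunk lists `Zone > DNS > Edit` and `Zone > Zone > Read` but says nothing about which zones the token is restricted to, and this issuer only ever solves vhaudiquet.fr and buildpath.win; record the zone scope in the comment, e.g. `# Zone Resources: Include > Specific zone > vhaudiquet.fr, buildpath.win`, so the token cannot alter DNS for any other zone on the account if it leaks. Separately, `encrypted_regex: ^(data|stringData|.*.key|.*.crt)$` leaves the dots before `key` and `crt` unescaped, so it matches any key name ending in those letters rather than a `.key`/`.crt` suffix; the intent is presumably `.*\.key|.*\.crt`. The `data` field itself is already an `ENC[...]` value, so no plaintext token reaches the repository.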
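Review bot: The header comment `# Supports multiple DNS providers via DNS-01 challenge` in clusterissuer.yaml overstates what the hunk defines, since the `solvers` list holds a single Cloudflare entry; a reader looking for another provider's solver will be misled, so change it to `# DNS-01 via Cloudflare for vhaudiquet.fr and buildpath.win` until a second solver exists. The `selector.dnsZones` restriction is the right shape: it stops the Cloudflare token from being exercised for any other domain a Certificate in the cluster might request. A companion `letsencrypt-staging` ClusterIssuer pointing at the Let's Encrypt staging directory would let issuance be tested without consuming production rate limits.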
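Review bot: `resources` in kustomization.yaml lists `ovh-api-credentials-secret.yaml`, but no such file is created by this commit — the diffstat names nine files and the subject mentions only Cloudflare — so `kustomize build` of this directory will fail on a missing resource and Flux will reconcile none of the cert-manager objects. Either drop `  - ovh-api-credentials-secret.yaml` or add the SOPS-encrypted file in the same commit. If a second provider is planned, clusterissuer.yaml would also need the matching solver, which this commit does not add.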
@@ -0,0 +1,12 @@ +--- +nameReference: + - kind: HelmRepository + version: v1 + fieldSpecs: + - path: spec/chart/spec/sourceRef/kind + kind: HelmRelease + - kind: HelmRelease + version: v2 + fieldSpecs: + - path: spec/valuesFrom/name + kind: Secret diff --git a/kubernetes/system/cert-manager/namespace.yaml b/kubernetes/system/cert-manager/namespace.yaml new file mode 100644 index 0000000..be73f02 --- /dev/null +++ b/kubernetes/system/cert-manager/namespace.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cert-manager + labels: + app.kubernetes.io/name: cert-manager diff --git a/kubernetes/system/cert-manager/release.yaml b/kubernetes/system/cert-manager/release.yaml new file mode 100644 index 0000000..8ed5de5 --- /dev/null +++ b/kubernetes/system/cert-manager/release.yaml @@ -0,0 +1,19 @@ +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 1m + chart: + spec: + sourceRef: + kind: HelmRepository + name: cert-manager + namespace: cert-manager + chart: cert-manager + version: "v1.20.2" + interval: 1m + valuesFrom: + - kind: Secret + name: cert-manager-values diff --git a/kubernetes/system/cert-manager/repository.yaml b/kubernetes/system/cert-manager/repository.yaml new file mode 100644 index 0000000..2b98576 --- /dev/null +++ b/kubernetes/system/cert-manager/repository.yaml @@ -0,0 +1,8 @@ +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cert-manager + namespace: cert-manager +spec: + interval: 1h + url: https://charts.jetstack.io diff --git a/kubernetes/system/cert-manager/values.yaml b/kubernetes/system/cert-manager/values.yaml new file mode 100644 index 0000000..9b9ca26 --- /dev/null +++ b/kubernetes/system/cert-manager/values.yaml 
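Review bot: The HelmRepository `nameReference` entry in kustomizeconfig.yaml uses `path: spec/chart/spec/sourceRef/kind`, which targets the `kind` field rather than the name; a name-reference transformer pointed at `kind` rewrites the wrong field and the name propagation it is meant to provide would not happen. It should read `path: spec/chart/spec/sourceRef/name`. The HelmRelease entry for `spec/valuesFrom/name` is correct and is what lets the release find the hash-suffixed `cert-manager-values` Secret produced by the generator.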
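Review bot: `chart.spec.interval: 1m` in release.yaml asks source-controller to re-resolve the chart every minute, while the HelmRepository index in repository.yaml is refreshed only every `1h`; the one-minute chart interval therefore cannot observe a new version any sooner and only adds reconcile churn, so align it with the repository (`interval: 1h`) and keep the top-level `spec.interval` for drift detection. The release also sets no `install`/`upgrade` remediation or `timeout`; cert-manager's startupapicheck can take a while on first install, so an explicit `spec.install.remediation.retries` and `spec.timeout` are worth adding so a transient failure does not leave the release stuck.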
@@ -0,0 +1,66 @@ +# Cert-Manager Values +# Install CRDs as part of the Helm release +crds: + enabled: true + keep: true +# Enable DNS01 challenge providers +extraArgs: + - ENC[AES256_GCM,data:yzuTi9Hu7Dx95MQN+H/6gul381m64KYv5ZsHwg92BE/aUZyJzYArniIC+Nio+SygUXXb,iv:eBizFSW1T2/VvN3k8VRsEIpllHs5MA6Nr+jh9fCzZCs=,tag:sz9WBU687eTgnDXWoE02Nw==,type:str] +# Resource settings +resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi +webhook: + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi +cainjector: + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi +startupapicheck: + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi +sops: + lastmodified: "2026-06-16T08:15:29Z" + mac: ENC[AES256_GCM,data:ZB7igt7ciH6X0DmvDi2gzg1eA8EYXqq/VRBSbaLT9x2SUi+9ax9w0V+fcTwOTWlwCvHOtSAZ2RYgX/wKFmbnKgrwoSpskGFsRlY947oLkRTk4HbTRP5HbciAQsRw3AVB4pgkR7maVZ9n15gzNHTTkd9x1akAeGHJg9lzg9+N6rE=,iv:jqyi/ZGLjKFBe9XSj2WBBOUbn9xvV9Wf4wrYxSs4t/M=,tag:2u84qHa69IsYFtSwJ6yFqQ==,type:str] + pgp: + - created_at: "2026-06-16T08:15:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMA7uy4qQr71wiARAAiNHNEJjBOd6AK/moP1Xw7nvOidkRtIqw+QJRmfhPDG7B + CQy3y2armtFYzaWhDcMfiy1SkcD91kadbfxAifb5/Oit48VTv03bXZDvyrEdRwcI + n81rt3GQuyNDCj9aSUVi1nT5GHETrvdnyJp3u1dzfc/0i7GK+FiCbGAGzSnGdN77 + +/caT5Jib+hIVskiOjhE85K3rTrh+aJMFKC6NG7Vw8GXh7N4r3EcazcX9KuJXxsn + NRT7XyYA8y15PlZQFkhRs1QCVvqH31WDwCEt0cE4r6Qn2aGy+v8ygJkum2sYPH7g + WZfC548mZrMrI9UNo10UfPCqGew/XpEla1/bgVByMHMdM9n961KRzCPtR349xXI4 + 1APX4WClQjbL/cXR2zMs19Y+GDjL7XF6rdSRDpEgTzQXb4f1ctswutcYxftvKI3c + EdfCGiRpVJx/wIuh82mL3SWqdi05Lekvt1zdLcG8Tx2+nF+52dWoyxNy1YMVyk0m + RXZFMZLHKumyDooairf1P11DOXcsa8FjZrqjvn6QI2LfmEGm3PQQQUXT8Wp/10e2 + 78Hr1rTGqQEzvSJu0FfDuundPws97ftPiuGcUD5hUj3rS6iGxdEp4trAPi0DCCd3 + g7m6fNX41O8n39EU0Kp2G9kfICMghGEVL5czzRA4EsLH35K8XqP0ig6ay5kVXWrS + XgFic5jk5GdxzUL7TFjtr9AFFaWhIZkyyXwvEod3Ur3gB64Pi/ktet6OZSWU/7Wn + 
eRKn9yEm+W5Xzn9eiN6TYDsCWQBY5nP80YVuj53AMSu3KbR7UGy+AbJF3T+V6lo= + =GscV + -----END PGP MESSAGE----- + fp: DC6910268E657FF70BA7EC289974494E76938DDC + encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$ + version: 3.10.2
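Review bot: The `extraArgs` entry in values.yaml is SOPS-encrypted because `encrypted_regex` includes `extraArgs.*`, so the one line that changes controller behaviour (the comment above it says it enables DNS-01 providers) cannot be reviewed in this diff, and any later edit to it would be equally invisible. Controller flags are configuration, not credentials; narrow the regex so `extraArgs` stays plaintext, or at minimum state in the comment which flags are set so the encrypted value can be checked against intent. `crds.keep: true` is a good choice, as it prevents CRD — and with it Certificate/Issuer — deletion on chart removal.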