cert-manager: add cert-manager for automatic certificate renewal

Add cert-manager with DNS-01 challenge support:
- Cloudflare (vhaudiquet.fr, buildpath.win)
2026-06-16 10:15:53 +02:00
parent 68d024de92
commit e9ab217466
9 changed files with 199 additions and 0 deletions
@@ -54,6 +54,7 @@ updates:
- "/kubernetes/production/vhaudiquet-fr" - "/kubernetes/production/vhaudiquet-fr"
- "/kubernetes/system/blocky" - "/kubernetes/system/blocky"
- "/kubernetes/system/caddy" - "/kubernetes/system/caddy"
- "/kubernetes/system/cert-manager"
- "/kubernetes/system/coredns" - "/kubernetes/system/coredns"
- "/kubernetes/system/csi-driver-nfs" - "/kubernetes/system/csi-driver-nfs"
- "/kubernetes/system/external-dns" - "/kubernetes/system/external-dns"
@@ -0,0 +1,47 @@
# Cloudflare API Token for DNS-01 Challenges
#
# A Cloudflare API token with the following permissions:
# - Zone > DNS > Edit
# - Zone > Zone > Read
#
# Base64-encoded:
# echo -n "api-token" | base64
#
# This file will be SOPS-encrypted on pre-commit
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token
namespace: cert-manager
labels:
app.kubernetes.io/name: cert-manager
app.kubernetes.io/component: cloudflare-api-token
type: Opaque
data:
api-token: ENC[AES256_GCM,data:Ty7PlsPTOUd1zjY5Z+YuKwQ9DbKuvZo8FPz4jdhQFbLGfSwkC8GkOE8LeqxxxdNCDm59luaoPmIVhmrog9SbZLjRw9Mfmh9E,iv:dSpHCC4E8JadygLfG3T3UObPic92fDLm1SDw/j9FxUA=,tag:9KoD5LNqR1WfXbv2upGwiw==,type:str]
sops:
lastmodified: "2026-06-16T08:15:23Z"
mac: ENC[AES256_GCM,data:psnVaPRr7viLZPtR9CW0G8QJuO5fWHzlPs+iyuWPUSR3mqNadL9tZ5Waz90dlWpXrQnxXpna+mjTwKRYdIDiITEBMLE3dqMvDjPU4h74RhSO/HxgpU6GFQnm0V+yVh9qTnY6JAXM0lLelVvXLTi5mjQr6k/4+uoVUvQ8CvDOAnw=,iv:eJCaQGtzD67KRuMqWvNEWj+WN3YkyN6YEbWhrLM6Pv8=,tag:jrRSXYod7s5g/QoI3/i/xA==,type:str]
pgp:
- created_at: "2026-06-16T08:15:17Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMA7uy4qQr71wiAQ/+JlRMdXmo44Z0GBjsd4mfls2AHs9Jrcan674/rKx17Ixk
ucKBC+2GA9aLp3bGKB/7bExEgW9Wn0Ufa7Qf7KTjhr37Foz8FI4Nldq0v/GTQHTh
W/M/F+OtkBJDrcqN4cWIIfOTgkkTcgcChYaJYIpRinRzcTMCMC0EQQl6nZm3dFUw
6yPWEnbPRbEXVExq6tnU+zcGHazD9e03lUJiEWC1M7ot0sxpmzwrIFrIfJrfbQ9n
2fTlrYOKJk+M2XpiYojH8v6YCLKUTHCir1Nqfp2/xG/gT6zqfXODA2YRWxNQDMKr
39kinwny02F5tbTRxteni3rtgYEgkXUbvogYSbjNOYicEZ3PqmRuniF+L+6Bxxq2
3u5J3nhU1BncFjeWA1ZzyvfwenRRI+faO/nPRSuWe7Dt5c3+AodeFqIRAQNFZmor
WgiLTz6oOhvY9ieAp4nmcVRxl91luJzq1abtAvDLz4XN37uCqF0gwv1BAXCMW4NC
75IsfJU13Ctpccj5wQLuKMV2pQML1Q8MQluPr/dhqgAU3zFJVmGYtkvDemGEsMS/
xW6mgRPJXmClcoNhLYT9T0flSSrVRsAnGcMeoPhTePLxrrqZmEmZFNxo1+aSLnwJ
RP05RIZY//88R7MJidPkqqXekIQ9dmZb7M+43k9Re1nmi/CQs+ZxtnhGoz/DpZDS
XgGcVSS9GOEUcq7EOkxZZFHCR2VNGnpUyLPRtzsUJh0eAxOU3M5XLThFBk7yw8Co
ov0TDoVOo1cqCLkdiEOM2CNkXBTjlRdJg7pQMO1ytXzkoc1EFTTK6QMy7O0FL5U=
=xoE8
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(data|stringData|.*.key|.*.crt)$
version: 3.10.2
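Review bot: The permission comment at the top of the hunk (`Zone > DNS > Edit`, `Zone > Zone > Read`) says nothing about the token's zone scope, and a token granted on all zones gives cert-manager write access to every DNS zone in the account although the ClusterIssuer only solves challenges for vhaudiquet.fr and buildpath.win. Suggest extending the header with `# Zone resources: restrict to vhaudiquet.fr and buildpath.win only, not "all zones"` so the next rotation keeps the token least-privilege. Separately, `encrypted_regex: ^(data|stringData|.*.key|.*.crt)$` uses an unescaped dot in `.*.key` / `.*.crt`; `.*\.key|.*\.crt` is presumably what was meant, though the broader match is harmless here.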
@@ -0,0 +1,24 @@
# Let's Encrypt ClusterIssuer
# Supports multiple DNS providers via DNS-01 challenge
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: vhaudiquet343@hotmail.fr
privateKeySecretRef:
name: letsencrypt-production-account-key
solvers:
# Cloudflare solver for vhaudiquet.fr and buildpath.win
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token
selector:
dnsZones:
- vhaudiquet.fr
- buildpath.win
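Review bot: The header comment `# Supports multiple DNS providers via DNS-01 challenge` overstates what the hunk configures: the only solver is the Cloudflare one, and the commit description also lists only Cloudflare. A comment that matches the file, `# DNS-01 via Cloudflare, scoped to vhaudiquet.fr and buildpath.win`, avoids a reader looking for a second solver. Since `server:` is the production ACME directory, every failed issuance counts against Let's Encrypt's production rate limits; a sibling ClusterIssuer pointed at the staging directory (`https://acme-staging-v02.api.letsencrypt.org/directory`) is the usual way to try new Certificate resources safely.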
@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
- namespace.yaml
- repository.yaml
- release.yaml
- cloudflare-api-token-secret.yaml
- ovh-api-credentials-secret.yaml
- clusterissuer.yaml
secretGenerator:
- name: cert-manager-values
files:
- values.yaml=values.yaml
configurations:
- kustomizeconfig.yaml
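Review bot: `ovh-api-credentials-secret.yaml` is listed under `resources` but no such file is added by this commit — the diffstat's 9 files are all accounted for by the other hunks — so a `kustomize build` of this directory fails on the missing resource and the whole cert-manager Kustomization will not reconcile. Either remove that line (the commit description and the ClusterIssuer configure Cloudflare only) or add the SOPS-encrypted OVH secret in the same commit. If the line is a placeholder for planned OVH support, a `# TODO` comment on it would at least explain why it is there.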
@@ -0,0 +1,12 @@
---
nameReference:
- kind: HelmRepository
version: v1
fieldSpecs:
- path: spec/chart/spec/sourceRef/kind
kind: HelmRelease
- kind: HelmRelease
version: v2
fieldSpecs:
- path: spec/valuesFrom/name
kind: Secret
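Review bot: The `nameReference` entries look inverted: in a kustomize name-reference config the top-level `kind` is the referenced object and `fieldSpecs[].kind` is the object holding the reference, but the second entry reads `kind: HelmRelease` with `fieldSpecs: - path: spec/valuesFrom/name, kind: Secret` (the rendered page has lost indentation, so this is read from key order). As written it never rewrites `HelmRelease.spec.valuesFrom[].name`, so once `secretGenerator` appends its hash suffix to `cert-manager-values` the HelmRelease in the release hunk (L128–L147) will reference a Secret that does not exist. The first entry has the same swap and additionally targets `spec/chart/spec/sourceRef/kind` instead of `.../name`; it is harmless today because the HelmRepository name is not hashed, but it documents the wrong field. Rewritten config:
```yaml
nameReference:
  - kind: HelmRepository
    version: v1
    fieldSpecs:
      - path: spec/chart/spec/sourceRef/name
        kind: HelmRelease
  - kind: Secret
    version: v1
    fieldSpecs:
      - path: spec/valuesFrom/name
        kind: HelmRelease
```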
@@ -0,0 +1,6 @@
apiVersion: v1
kind: Namespace
metadata:
name: cert-manager
labels:
app.kubernetes.io/name: cert-manager
@@ -0,0 +1,19 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1m
chart:
spec:
sourceRef:
kind: HelmRepository
name: cert-manager
namespace: cert-manager
chart: cert-manager
version: "v1.20.2"
interval: 1m
valuesFrom:
- kind: Secret
name: cert-manager-values
@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 1h
url: https://charts.jetstack.io
@@ -0,0 +1,66 @@
# Cert-Manager Values
# Install CRDs as part of the Helm release
crds:
enabled: true
keep: true
# Enable DNS01 challenge providers
extraArgs:
- ENC[AES256_GCM,data:yzuTi9Hu7Dx95MQN+H/6gul381m64KYv5ZsHwg92BE/aUZyJzYArniIC+Nio+SygUXXb,iv:eBizFSW1T2/VvN3k8VRsEIpllHs5MA6Nr+jh9fCzZCs=,tag:sz9WBU687eTgnDXWoE02Nw==,type:str]
# Resource settings
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
webhook:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
cainjector:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
startupapicheck:
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
cpu: 100m
memory: 128Mi
sops:
lastmodified: "2026-06-16T08:15:29Z"
mac: ENC[AES256_GCM,data:ZB7igt7ciH6X0DmvDi2gzg1eA8EYXqq/VRBSbaLT9x2SUi+9ax9w0V+fcTwOTWlwCvHOtSAZ2RYgX/wKFmbnKgrwoSpskGFsRlY947oLkRTk4HbTRP5HbciAQsRw3AVB4pgkR7maVZ9n15gzNHTTkd9x1akAeGHJg9lzg9+N6rE=,iv:jqyi/ZGLjKFBe9XSj2WBBOUbn9xvV9Wf4wrYxSs4t/M=,tag:2u84qHa69IsYFtSwJ6yFqQ==,type:str]
pgp:
- created_at: "2026-06-16T08:15:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----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=
=GscV
-----END PGP MESSAGE-----
fp: DC6910268E657FF70BA7EC289974494E76938DDC
encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
version: 3.10.2
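Review bot: The single `extraArgs` entry under `# Enable DNS01 challenge providers` is SOPS-encrypted because `encrypted_regex` contains `extraArgs.*`, so the controller flags this release runs with cannot be reviewed from the diff or from git history. Assuming these are the usual DNS-01 resolver flags rather than a credential — which cannot be confirmed from the page — they belong in the clear, either by narrowing the regex so `extraArgs` is excluded or by keeping non-secret values in a plain ConfigMap and reserving the generated Secret for actual secrets. At minimum, a comment naming which flags are set (without their values) would keep the file reviewable.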