Update .env.sample and Ansible configurations to enhance Pangolin Integration API setup. Add detailed comments for environment variables and clarify usage in README. Implement HTTP-01 challenge support in cert-manager configurations for Let's Encrypt, ensuring proper resource management for domain validation.

Nikholas Pcenicni
2026-05-15 01:10:51 -04:00
parent 2fb86f5930
commit 6e76a400b6
7 changed files with 318 additions and 33 deletions


@@ -11,8 +11,7 @@ spec:
privateKeySecretRef:
name: letsencrypt-prod-account-key
solvers:
# DNS-01 — works when public HTTP to Traefik is wrong (e.g. hostname proxied through Cloudflare
# returns 404 for /.well-known/acme-challenge). Requires Secret cloudflare-dns-api-token in cert-manager.
# DNS-01 — Cloudflare token covers pcenicni.dev only. Requires Secret cloudflare-dns-api-token in cert-manager.
- dns01:
cloudflare:
apiTokenSecretRef:
@@ -21,3 +20,8 @@ spec:
selector:
dnsZones:
- pcenicni.dev
# HTTP-01 fallback — used for all other zones (e.g. nikflix.ca via Pangolin → Newt → Traefik).
# Requires a Pangolin HTTP resource + target for each hostname before LE can reach /.well-known/acme-challenge/.
- http01:
ingress:
ingressClassName: traefik
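Review bot: The `http01` solver added at the end of the solvers list has no `selector`, so it is the catch-all for every name not under `pcenicni.dev`, and the issuer will attempt validation for any hostname that a Certificate or annotated Ingress requests. The issuer's `kind` and the start of `spec` are outside the hunk; if this is a ClusterIssuer, that applies to every namespace. Since the comment already names the zone meant to go through Pangolin, I would scope the solver by adding `selector:` / `dnsZones:` / `- nikflix.ca` as a sibling of `http01:` in that list entry, so a mistyped or unintended hostname fails at solver selection instead of creating a challenge Ingress on Traefik. The comment should also say that wildcard names outside `pcenicni.dev` cannot be issued through this solver, because HTTP-01 does not validate wildcards.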