gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update cert-manager configurations to use DNS-01 challenge with Cloudflare for both production and staging ClusterIssuers. Modify README.md to reflect the new DNS-01 setup and provide instructions for creating the necessary Cloudflare API token secret. This change enhances certificate issuance reliability when using Cloudflare's proxy services.

Browse Source
This commit is contained in:
Nikholas Pcenicni
2026-03-28 02:41:51 -04:00
parent ee7669c788
commit fc985932fe
4 changed files with 32 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

14
clusters/noble/apps/cert-manager/README.md
View File

@@ -1,6 +1,16 @@
# cert-manager — noble
**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB.
**Prerequisites:** **Traefik** (ingress class **`traefik`**), DNS for **`*.apps.noble.lab.pcenicni.dev`** → Traefik LB for app traffic.
**ACME (Lets Encrypt)** uses **DNS-01** via **Cloudflare** for zone **`pcenicni.dev`**. Create an API token with **Zone → DNS → Edit** and **Zone → Zone → Read** (or use the “Edit zone DNS” template), then:
```bash
kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
--from-literal=api-token='YOUR_CLOUDFLARE_API_TOKEN' \
--dry-run=client -o yaml | kubectl apply -f -
```
Without this Secret, **`ClusterIssuer`** will not complete certificate orders.
1. Create the namespace:
@@ -35,3 +45,5 @@
```
Use **`cert-manager.io/cluster-issuer: letsencrypt-staging`** on Ingresses while testing; switch to **`letsencrypt-prod`** when ready.
**HTTP-01** is not configured: if the hostname is **proxied** (orange cloud) in Cloudflare, Lets Encrypt may hit Cloudflares edge and get **404** for `/.well-known/acme-challenge/`. DNS-01 avoids that.

13
clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-prod.yaml
View File

@@ -11,6 +11,13 @@ spec:
privateKeySecretRef:
name: letsencrypt-prod-account-key
solvers:
- http01:
ingress:
class: traefik
# DNS-01 — works when public HTTP to Traefik is wrong (e.g. hostname proxied through Cloudflare
# returns 404 for /.well-known/acme-challenge). Requires Secret cloudflare-dns-api-token in cert-manager.
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-dns-api-token
key: api-token
selector:
dnsZones:
- pcenicni.dev

11
clusters/noble/apps/cert-manager/clusterissuer-letsencrypt-staging.yaml
View File

@@ -11,6 +11,11 @@ spec:
privateKeySecretRef:
name: letsencrypt-staging-account-key
solvers:
- http01:
ingress:
class: traefik
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-dns-api-token
key: api-token
selector:
dnsZones:
- pcenicni.dev