gsdavidp/home-server
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
a48ac16c145a53077f64b0e35cf051a7771f9db6
home-server/clusters/noble/apps/cert-manager
History
Nikholas Pcenicni a48ac16c14 Update .gitignore to include .env file and enhance README.md with instructions for deploying secrets. Refactor noble.yml to improve Kubernetes health check handling and update templates for error reporting. Modify cert-manager and metallb tasks to apply secrets from .env and adjust timeout settings. Clarify Newt installation requirements in tasks. These changes aim to streamline deployment processes and improve documentation clarity.
2026-03-28 15:36:52 -04:00
..
clusterissuer-letsencrypt-prod.yaml
Update cert-manager configurations to use DNS-01 challenge with Cloudflare for both production and staging ClusterIssuers. Modify README.md to reflect the new DNS-01 setup and provide instructions for creating the necessary Cloudflare API token secret. This change enhances certificate issuance reliability when using Cloudflare's proxy services.
2026-03-28 02:41:51 -04:00
clusterissuer-letsencrypt-staging.yaml
Update cert-manager configurations to use DNS-01 challenge with Cloudflare for both production and staging ClusterIssuers. Modify README.md to reflect the new DNS-01 setup and provide instructions for creating the necessary Cloudflare API token secret. This change enhances certificate issuance reliability when using Cloudflare's proxy services.
2026-03-28 02:41:51 -04:00
kustomization.yaml
Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.
2026-03-27 23:45:00 -04:00
namespace.yaml
Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.
2026-03-27 23:45:00 -04:00
README.md
Update .gitignore to include .env file and enhance README.md with instructions for deploying secrets. Refactor noble.yml to improve Kubernetes health check handling and update templates for error reporting. Modify cert-manager and metallb tasks to apply secrets from .env and adjust timeout settings. Clarify Newt installation requirements in tasks. These changes aim to streamline deployment processes and improve documentation clarity.
2026-03-28 15:36:52 -04:00
values.yaml
Enable pre-upgrade job for Longhorn in values.yaml, update MetalLB README for clarity on LoadBalancer IP assignment, and enhance Talos configuration with node IP validation for VIPs. Update cluster build documentation to reflect new application versions and configurations.
2026-03-27 23:45:00 -04:00

README.md

cert-manager — noble

Prerequisites: Traefik (ingress class traefik), DNS for *.apps.noble.lab.pcenicni.dev → Traefik LB for app traffic.

ACME (Lets Encrypt) uses DNS-01 via Cloudflare for zone pcenicni.dev. Create an API token with Zone → DNS → Edit and Zone → Zone → Read (or use the “Edit zone DNS” template), then:

Option A — Ansible: copy .env.sample to .env in the repo root, set CLOUDFLARE_DNS_API_TOKEN, run ansible/playbooks/noble.yml (or deploy.yml). The cert-manager role creates cloudflare-dns-api-token from .env after the chart installs.

Option B — kubectl:

kubectl -n cert-manager create secret generic cloudflare-dns-api-token \
  --from-literal=api-token='YOUR_CLOUDFLARE_API_TOKEN' \
  --dry-run=client -o yaml | kubectl apply -f -

Without this Secret, ClusterIssuer will not complete certificate orders.

  1. Create the namespace:

    kubectl apply -f clusters/noble/apps/cert-manager/namespace.yaml

  2. Install the chart (CRDs included via values.yaml):

    helm repo add jetstack https://charts.jetstack.io
helm repo update
helm upgrade --install cert-manager jetstack/cert-manager \
  --namespace cert-manager \
  --version v1.20.0 \
  -f clusters/noble/apps/cert-manager/values.yaml \
  --wait

  3. Optionally edit spec.acme.email in both ClusterIssuer manifests (default certificates@noble.lab.pcenicni.dev) — Lets Encrypt uses this for expiry and account notices. Do not use example.com (ACME rejects it).

  4. Apply ClusterIssuers (staging then prod, or both):

    kubectl apply -k clusters/noble/apps/cert-manager

  5. Confirm:

    kubectl get clusterissuer

Use cert-manager.io/cluster-issuer: letsencrypt-staging on Ingresses while testing; switch to letsencrypt-prod when ready.

HTTP-01 is not configured: if the hostname is proxied (orange cloud) in Cloudflare, Lets Encrypt may hit Cloudflares edge and get 404 for /.well-known/acme-challenge/. DNS-01 avoids that.

Reference in New Issue View Git Blame Copy Permalink