Created
July 10, 2023 16:04
-
-
Save Dani4kor/93c17df6eda059e2c4621b21e2e61f0b to your computer and use it in GitHub Desktop.
wildcard letencrypt certificate(cert-manager) with DNS challange in CF (Cloudflare) in k8s/k3s with ingress-nginx controller
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| What i need: | |
| - wildcard letencrypt certificate(cert-manager) with DNS challange in CF (Cloudflare) in k8s/k3s with ingress-nginx controller | |
| as example below you need this steps: | |
| - install cert-manager | |
| - get cloudflare API TOKEN for DNS managment | |
| - setup wildcard DNS A record pointed to hetzner LB(ingress-nginx) ip | |
| - create secret with cloudflare API TOKEN | |
| - create kind: ClusterIssuer | |
| - create kind: Certificate | |
| - add reflector & edit kind: Certificate | |
| ## create secret | |
| apiVersion: v1 | |
| kind: Secret | |
| metadata: | |
| name: cloudflare-api-key-secret | |
| namespace: cert-manager | |
| labels: | |
| cert-manager.io/cluster-issuer: cloudflare-dns | |
| type: Opaque | |
| stringData: | |
| api-token: API_TOKEN_CLOUDFALRE | |
| ## create ClusterIssuer | |
| apiVersion: cert-manager.io/v1 | |
| kind: ClusterIssuer | |
| metadata: | |
| name: cloudflare-dns | |
| namespace: cert-manager | |
| spec: | |
| acme: | |
| server: https://acme-v02.api.letsencrypt.org/directory | |
| email: EMAIL_LETSENCRYPT | |
| privateKeySecretRef: | |
| name: cloudflare-dns-key | |
| solvers: | |
| - dns01: | |
| cloudflare: | |
| email: CLOUDFLARE_EMAIL # AKA LOGIN | |
| apiTokenSecretRef: | |
| name: cloudflare-api-key-secret | |
| key: api-token | |
| ## create certificate | |
| apiVersion: cert-manager.io/v1 | |
| kind: Certificate | |
| metadata: | |
| name: wildcard-cert | |
| namespace: cert-manager | |
| spec: | |
| secretName: wildcard-cert-secret | |
| dnsNames: | |
| - "*.domain.com" | |
| issuerRef: | |
| name: cloudflare-dns | |
| kind: ClusterIssuer | |
| ## add reflector | |
| # setup reflector https://github.com/emberstack/kubernetes-reflector | |
| # edit cert-manager kind: Certificate | |
| # at end you can add reflector annotations to cert-manager according to cert-manager docs | |
| # https://cert-manager.io/docs/tutorials/syncing-secrets-across-namespaces/ | |
| apiVersion: cert-manager.io/v1 | |
| kind: Certificate | |
| metadata: | |
| name: wildcard-cert | |
| namespace: cert-manager | |
| spec: | |
| secretName: wildcard-cert-secret | |
| dnsNames: | |
| - "*.domain.com" | |
| issuerRef: | |
| name: cloudflare-dns | |
| kind: ClusterIssuer | |
| secretTemplate: | |
| annotations: | |
| reflector.v1.k8s.emberstack.com/reflection-allowed: "true" | |
| reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "dev,stage,prod" | |
| reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" | |
| reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "dev,stage,prod" | |
| ## edit ingress of deployment or whatever | |
| # edit kind: ingress | |
| ... | |
| spec: | |
| tls: | |
| - hosts: | |
| - dns-test.domain.com # access your web app with https://dns-test.domain.com | |
| secretName: wildcard-cert-secret | |
| ... | |
| ## possible issues | |
| # disable proxy_protocol for ingress-nginx in controller and configmap (for realip you can use CF-Connecting-IP as example) | |
| prolongation DNS can take time 1-5 minute to challange DNS | |
| ## Q&A | |
| # reflector need to access secret with certificate in different namespaces | |
| # hope you find this helpfull |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment