Add letsencrypt

05-ingress-controller-nginx/README.md

@@ -18,6 +18,8 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-mandelmapper
+  annotations:
+    cert-manager.io/issuer: letsencrypt
 spec:
   ingressClassName: nginx
   rules:
@@ -31,6 +33,10 @@ spec:
             name: mandelmapper
             port:
               number: 6161
+  tls:
+    - hosts:
+      - mandelmap.home.stevenpolley.net
+      secretName: mandelmap-cert
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
@@ -53,6 +59,7 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: ingress-myserviceb
+  cert-manager.io/issuer: letsencrypt
 spec:
   ingressClassName: nginx
   rules:
@@ -70,7 +77,7 @@ spec:
       - myserviceb.foo.org
       secretName: example-tls
 ---
-# A secret must also be provided, likely by a cert-manager of some kind
+# A secret must also be provided, this will be created by cert-manager
 apiVersion: v1
 kind: Secret
 metadata:

06-cert-manager/README.md

@@ -8,11 +8,27 @@ Install cert-manager - check for latest version.
 kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.3/cert-manager.yaml
 ```
 
-After cert manager is installed, create the Let's Encrypt issuer:
+After cert manager is installed, create API tokens (not keys, but tokens) on cloudflare (User Profile > API Tokens > API Tokens) with permissions:
+
+Permissions:
+
+* Zone - DNS - Edit
+* Zone - Zone - Read
+
+Zone Resources:
+
+* Include - All Zones
+
+Configure a the API token as a secret in Kubernetes and replace the <APITOKEN> in the below command with the token from cloudflare.
+
+```bash
+kubectl create secret generic cloudflare-api-token-secret --namespace=cert-manager --type=Opaque --from-literal=api-token=<APIKEY>
+```
+
+Create the Let's Encrypt ClusterIssuer:
 
 ```yaml
 
 # Be sure to edit the file and set the production URL if not a test cluster
 kubectl apply -f lets-encrypt-issuer.yaml
 ```
-

06-cert-manager/lets-encrypt-issuer.yaml

@@ -1,14 +1,13 @@
 apiVersion: cert-manager.io/v1
-kind: Issuer
+kind: ClusterIssuer
 metadata:
   name: letsencrypt
-  namespace: default
 spec:
   acme:
     # The ACME server URL
     # production is https://acme-v02.api.letsencrypt.org/directory
     # stagiong is https://acme-staging-v02.api.letsencrypt.org/directory
-    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    server: https://acme-v02.api.letsencrypt.org/directory
     # Email address used for ACME registration
     email: himself@stevenpolley.net
     # Name of a secret used to store the ACME account private key
@@ -18,6 +17,8 @@ spec:
     solvers:
     # An empty 'selector' means that this solver matches all domains
     - selector: {}
-      http01:
+      dns01:
-        ingress:
+        cloudflare:
-          ingressClassName: nginx
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token