dns01

2026-05-28 09:28:29 +02:00
parent 0582cd9917
commit 7716d16572
2 changed files with 214 additions and 0 deletions
--- a/cluster-resources/letsencrypt-issuer.yaml
+++ b/cluster-resources/letsencrypt-issuer.yaml
@@ -12,6 +12,18 @@ spec:
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
+    # DNS-01 solver for wildcard certificates (*.example.com)
+    - dns01:
+        cloudflare:
+          email: danijels@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - '*.example.com'
+        - 'example.com'
+    # HTTP-01 fallback for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
@@ -30,6 +42,116 @@ spec:
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
+    # DNS-01 solver for wildcard certificates (*.example.com)
+    - dns01:
+        cloudflare:
+          email: danijels@gmail.com
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token
+      selector:
+        dnsNames:
+        - '*.example.com'
+        - 'example.com'
+    # HTTP-01 fallback for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
+
+# =============================================================================
+# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
+# =============================================================================
+
+# -----------------------------------------------------------------------------
+# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
+#   --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
+#
+# dns01:
+#   cloudflare:
+#     email: your-cloudflare-email@example.com
+#     apiTokenSecretRef:
+#       name: cloudflare-api-token-secret
+#       key: api-token
+
+# -----------------------------------------------------------------------------
+# Option 2: AWS Route53
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic route53-credentials \
+#   --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
+#
+# dns01:
+#   route53:
+#     region: us-east-1
+#     hostedZoneID: ZXXXXXXXXXXXXX  # Optional: auto-detected if not specified
+#     accessKeyID: YOUR_ACCESS_KEY_ID
+#     secretAccessKeySecretRef:
+#       name: route53-credentials
+#       key: secret-access-key
+
+# -----------------------------------------------------------------------------
+# Option 3: Azure DNS
+# -----------------------------------------------------------------------------
+# Create secret with: kubectl create secret generic azuredns-config \
+#   --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
+#
+# dns01:
+#   azureDNS:
+#     subscriptionID: YOUR_SUBSCRIPTION_ID
+#     resourceGroupName: YOUR_RESOURCE_GROUP
+#     hostedZoneName: example.com
+#     environment: AzurePublicCloud
+#     managedIdentity:
+#       clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID  # For AKS with pod identity
+#     # OR use service principal:
+#     # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
+#     # clientSecretSecretRef:
+#     #   name: azuredns-config
+#     #   key: client-secret
+
+# -----------------------------------------------------------------------------
+# Option 4: Google Cloud DNS
+# -----------------------------------------------------------------------------
+# Create secret with service account JSON key:
+# kubectl create secret generic clouddns-service-account \
+#   --from-file=service-account.json=path/to/key.json -n cert-manager
+#
+# dns01:
+#   cloudDNS:
+#     project: YOUR_GCP_PROJECT_ID
+#     hostedZoneName: example-com  # Managed zone name in Cloud DNS
+#     serviceAccountSecretRef:
+#       name: clouddns-service-account
+#       key: service-account.json
+
+# -----------------------------------------------------------------------------
+# Option 5: GoDaddy
+# -----------------------------------------------------------------------------
+# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
+#
+# dns01:
+#   webhook:
+#     groupName: acme.yourcompany.com
+#     solverName: godaddy
+#     config:
+#       apiKeySecretRef:
+#         name: godaddy-api-credentials
+#         key: api-key
+#       apiSecretSecretRef:
+#         name: godaddy-api-credentials
+#         key: api-secret
+
+# -----------------------------------------------------------------------------
+# Option 6: Manual/Dynamic DNS (for homelab)
+# -----------------------------------------------------------------------------
+# Requires RFC2136 provider or external webhook
+#
+# dns01:
+#   rfc2136:
+#     nameserver: your-dns-server.example.com
+#     tsigKeyName: cert-manager-key
+#     tsigAlgorithm: HMACSHA256
+#     tsigSecretSecretRef:
+#       name: tsig-secret
+#       key: secret