---
# ClusterIssuer "letsencrypt-staging": use this for testing (higher rate
# limits, but the issued certificates are NOT browser-trusted).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Let's Encrypt staging ACME endpoint
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: danijels@gmail.com
    # ACME account key; separate from the prod issuer's key below
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
      # DNS-01 via Cloudflare: required for wildcard certificates
      # (*.example.com). The referenced Secret must exist in cert-manager's
      # cluster resource namespace (cert-manager by default); keep the token
      # scoped to DNS edit on this zone only. The `email` entry is only
      # consumed for global API key auth, so it is informational here.
      - dns01:
          cloudflare:
            email: danijels@gmail.com
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
        selector:
          dnsNames:
            - '*.example.com'
            - 'example.com'
      # HTTP-01 catch-all (no selector): used for non-wildcard names that
      # the DNS-01 selector above does not match more specifically.
      - http01:
          ingress:
            class: traefik
---
# ClusterIssuer "letsencrypt-prod": browser-trusted certificates. Same solver
# layout as staging; only the ACME server and account key differ.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production ACME endpoint (rate-limited; validate with
    # staging first)
    server: https://acme-v02.api.letsencrypt.org/directory
    email: danijels@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
      # DNS-01 via Cloudflare for wildcard certificates (*.example.com).
      # NOTE: shares the cloudflare-api-token-secret Secret with the staging
      # issuer, so rotating that token affects both issuers.
      - dns01:
          cloudflare:
            email: danijels@gmail.com
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
        selector:
          dnsNames:
            - '*.example.com'
            - 'example.com'
      # HTTP-01 catch-all for non-wildcard certificates
      - http01:
          ingress:
            class: traefik

# =============================================================================
# DNS PROVIDER EXAMPLES - uncomment and adapt the block for your provider.
# Every example keeps credentials in a Secret referenced by name; never inline
# the secret value itself in this manifest.
# =============================================================================

# -----------------------------------------------------------------------------
# Option 1: Cloudflare (recommended - API tokens can be scoped to one zone)
# -----------------------------------------------------------------------------
# Create the Secret with:
#   kubectl create secret generic cloudflare-api-token-secret \
#     --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
#
# dns01:
#   cloudflare:
#     email: your-cloudflare-email@example.com
#     apiTokenSecretRef:
#       name: cloudflare-api-token-secret
#       key: api-token

# -----------------------------------------------------------------------------
# Option 2: AWS Route53
# -----------------------------------------------------------------------------
# Create the Secret with:
#   kubectl create secret generic route53-credentials \
#     --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
# The access key ID below is a static credential embedded in the manifest;
# where the cluster can supply an IAM role to cert-manager, prefer that over
# long-lived keys.
#
# dns01:
#   route53:
#     region: us-east-1
#     hostedZoneID: ZXXXXXXXXXXXXX  # Optional: auto-detected if not specified
#     accessKeyID: YOUR_ACCESS_KEY_ID
#     secretAccessKeySecretRef:
#       name: route53-credentials
#       key: secret-access-key

# -----------------------------------------------------------------------------
# Option 3: Azure DNS
# -----------------------------------------------------------------------------
# Create the Secret with:
#   kubectl create secret generic azuredns-config \
#     --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
#
# dns01:
#   azureDNS:
#     subscriptionID: YOUR_SUBSCRIPTION_ID
#     resourceGroupName: YOUR_RESOURCE_GROUP
#     hostedZoneName: example.com
#     environment: AzurePublicCloud
#     managedIdentity:
#       clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID  # For AKS with pod identity
#     # OR use a service principal instead of managedIdentity:
#     # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
#     # clientSecretSecretRef:
#     #   name: azuredns-config
#     #   key: client-secret

# -----------------------------------------------------------------------------
# Option 4: Google Cloud DNS
# -----------------------------------------------------------------------------
# Create the Secret from a service account JSON key:
#   kubectl create secret generic clouddns-service-account \
#     --from-file=service-account.json=path/to/key.json -n cert-manager
#
# dns01:
#   cloudDNS:
#     project: YOUR_GCP_PROJECT_ID
#     hostedZoneName: example-com  # Managed zone name in Cloud DNS
#     serviceAccountSecretRef:
#       name: clouddns-service-account
#       key: service-account.json

# -----------------------------------------------------------------------------
# Option 5: GoDaddy
# -----------------------------------------------------------------------------
# Requires an external webhook: https://github.com/snowdrop/godaddy-webhook
# (third-party code running with DNS-edit credentials; review it before use)
#
# dns01:
#   webhook:
#     groupName: acme.yourcompany.com
#     solverName: godaddy
#     config:
#       apiKeySecretRef:
#         name: godaddy-api-credentials
#         key: api-key
#       apiSecretSecretRef:
#         name: godaddy-api-credentials
#         key: api-secret

# -----------------------------------------------------------------------------
# Option 6: Manual/Dynamic DNS (for homelab)
# -----------------------------------------------------------------------------
# Requires an RFC2136-capable nameserver or an external webhook. The TSIG key
# authenticates dynamic updates; keep it restricted to the zone in question.
#
# dns01:
#   rfc2136:
#     nameserver: your-dns-server.example.com
#     tsigKeyName: cert-manager-key
#     tsigAlgorithm: HMACSHA256
#     tsigSecretSecretRef:
#       name: tsig-secret
#       key: secret