Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests Actions Packages Wiki Activity
Files
b0faaded6a600d8c79347e3afedaae16ed580e77
launchpad/cluster-resources/letsencrypt-issuer.yaml
Danijel Simeunovic 7716d16572 dns01
2026-05-28 09:28:29 +02:00

157 lines
5.2 KiB
YAML
Raw Blame History

---
# Staging ClusterIssuer for testing (higher rate limits, not browser-trusted)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Let's Encrypt staging server
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: danijels@gmail.com
privateKeySecretRef:
name: letsencrypt-staging-key
solvers:
# DNS-01 solver for wildcard certificates (*.example.com)
- dns01:
cloudflare:
email: danijels@gmail.com
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
selector:
dnsNames:
- '*.example.com'
- 'example.com'
# HTTP-01 fallback for non-wildcard certificates
- http01:
ingress:
class: traefik
---
# Production ClusterIssuer for browser-trusted certificates
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Let's Encrypt production server
server: https://acme-v02.api.letsencrypt.org/directory
email: danijels@gmail.com
privateKeySecretRef:
name: letsencrypt-prod-key
solvers:
# DNS-01 solver for wildcard certificates (*.example.com)
- dns01:
cloudflare:
email: danijels@gmail.com
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
selector:
dnsNames:
- '*.example.com'
- 'example.com'
# HTTP-01 fallback for non-wildcard certificates
- http01:
ingress:
class: traefik
# =============================================================================
# DNS PROVIDER EXAMPLES - Uncomment and configure based on your provider:
# =============================================================================
# -----------------------------------------------------------------------------
# Option 1: Cloudflare (recommended - supports API tokens with limited scope)
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
# --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
#
# dns01:
# cloudflare:
# email: your-cloudflare-email@example.com
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# -----------------------------------------------------------------------------
# Option 2: AWS Route53
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic route53-credentials \
# --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
#
# dns01:
# route53:
# region: us-east-1
# hostedZoneID: ZXXXXXXXXXXXXX # Optional: auto-detected if not specified
# accessKeyID: YOUR_ACCESS_KEY_ID
# secretAccessKeySecretRef:
# name: route53-credentials
# key: secret-access-key
# -----------------------------------------------------------------------------
# Option 3: Azure DNS
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic azuredns-config \
# --from-literal=client-secret=YOUR_CLIENT_SECRET -n cert-manager
#
# dns01:
# azureDNS:
# subscriptionID: YOUR_SUBSCRIPTION_ID
# resourceGroupName: YOUR_RESOURCE_GROUP
# hostedZoneName: example.com
# environment: AzurePublicCloud
# managedIdentity:
# clientID: YOUR_MANAGED_IDENTITY_CLIENT_ID # For AKS with pod identity
# # OR use service principal:
# # clientID: YOUR_SERVICE_PRINCIPAL_CLIENT_ID
# # clientSecretSecretRef:
# # name: azuredns-config
# # key: client-secret
# -----------------------------------------------------------------------------
# Option 4: Google Cloud DNS
# -----------------------------------------------------------------------------
# Create secret with service account JSON key:
# kubectl create secret generic clouddns-service-account \
# --from-file=service-account.json=path/to/key.json -n cert-manager
#
# dns01:
# cloudDNS:
# project: YOUR_GCP_PROJECT_ID
# hostedZoneName: example-com # Managed zone name in Cloud DNS
# serviceAccountSecretRef:
# name: clouddns-service-account
# key: service-account.json
# -----------------------------------------------------------------------------
# Option 5: GoDaddy
# -----------------------------------------------------------------------------
# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
#
# dns01:
# webhook:
# groupName: acme.yourcompany.com
# solverName: godaddy
# config:
# apiKeySecretRef:
# name: godaddy-api-credentials
# key: api-key
# apiSecretSecretRef:
# name: godaddy-api-credentials
# key: api-secret
# -----------------------------------------------------------------------------
# Option 6: Manual/Dynamic DNS (for homelab)
# -----------------------------------------------------------------------------
# Requires RFC2136 provider or external webhook
#
# dns01:
# rfc2136:
# nameserver: your-dns-server.example.com
# tsigKeyName: cert-manager-key
# tsigAlgorithm: HMACSHA256
# tsigSecretSecretRef:
# name: tsig-secret
# key: secret
Reference in New Issue View Git Blame Copy Permalink