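--- a/kubernetes/apps/cert-manager/cert-manager/app/clusterissuer.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/clusterissuer.yaml
@@ -0,0 +1,20 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+name: letsencrypt-production
+spec:
+acme:
+server: https://acme-v02.api.letsencrypt.org/directory
+privateKeySecretRef:
+name: letsencrypt-production
+solvers:
+- dns01:
+cloudflare:
+apiTokenSecretRef:
+name: cloudflare-issuer-secret
+key: CLOUDFLARE_DNS_TOKEN
+selector:
+dnsZones:
+- dcaspi.dev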
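--- a/kubernetes/apps/cert-manager/cert-manager/app/externalsecret.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/externalsecret.yaml
@@ -0,0 +1,18 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+name: cloudflare-issuer
+spec:
+secretStoreRef:
+kind: ClusterSecretStore
+name: onepassword
+target:
+name: cloudflare-issuer-secret
+template:
+data:
+CLOUDFLARE_DNS_TOKEN: "{{ .CLOUDFLARE_DNS_TOKEN }}"
+dataFrom:
+- extract:
+key: cloudflare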
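Review bot: The issuer's `cloudflare-issuer-secret` is filled from the same 1Password item (`key: cloudflare`, field `.CLOUDFLARE_DNS_TOKEN`) that kubernetes/apps/network/cloudflare-dns/app/externalsecret.yaml in this change exposes as `CF_API_TOKEN`, so one Cloudflare API token serves both cert-manager's DNS01 solver and external-dns. Whoever can read either pod's Secret then holds a token with the union of both components' permissions; cert-manager's solver only needs Zone:Read plus DNS:Edit on the one zone, so a separate, zone-scoped token per consumer keeps the blast radius of either workload to its own job. A short comment above `CLOUDFLARE_DNS_TOKEN` stating the intended scope, e.g. `# token scoped to Zone:Read + DNS:Edit on dcaspi.dev only`, would let later reviewers check the vault item against the manifest.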
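--- a/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+name: cert-manager
+spec:
+chartRef:
+kind: OCIRepository
+name: cert-manager
+interval: 1h
+values:
+crds:
+enabled: true
+dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+dns01RecursiveNameserversOnly: true
+prometheus:
+enabled: true
+servicemonitor:
+enabled: true
+webhook:
+replicaCount: 2
+podDisruptionBudget:
+enabled: true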
@@ -0,0 +1,9 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./clusterissuer.yaml
- ./externalsecret.yaml
- ./helmrelease.yaml
- ./ocirepository.yaml
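--- a/kubernetes/apps/cert-manager/cert-manager/app/ocirepository.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/app/ocirepository.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+name: cert-manager
+spec:
+interval: 15m
+layerSelector:
+mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+operation: copy
+ref:
+tag: v1.19.2
+url: oci://quay.io/jetstack/charts/cert-manager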
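Review bot: The chart is fetched by the mutable tag `v1.19.2` with no `spec.verify`, so nothing checks that what Flux pulls from quay.io is what the cert-manager project published; the upstream release documentation describes cosign signatures for its charts, and Flux can enforce them with `verify: {provider: cosign}` plus a `matchOIDCIdentity` entry whose issuer and subject should be copied from those docs rather than guessed. Where no signature is available, pinning `ref.digest` instead of (or alongside) the tag gives the same "what I reviewed is what gets installed" property. The same consideration applies to kubernetes/apps/network/cloudflare-dns/app/ocirepository.yaml, whose mirror source may or may not publish signatures — the page does not show.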
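--- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml
+++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: cert-manager
+spec:
+healthChecks:
+- apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+name: cert-manager
+namespace: cert-manager
+- apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+name: letsencrypt-production
+healthCheckExprs:
+- apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
+current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
+interval: 1h
+path: ./kubernetes/apps/cert-manager/cert-manager/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: flux-system
+namespace: flux-system
+targetNamespace: cert-manager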
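Review bot: The Kustomization declares health checks on the HelmRelease and the ClusterIssuer but no `dependsOn`, although the app path applies an ExternalSecret that needs the external-secrets CRDs and the `onepassword` ClusterSecretStore, and a ClusterIssuer that needs the cert-manager CRDs installed by the HelmRelease in the same path. Flux retries until the CRDs exist, so this eventually converges, but on a fresh cluster the issuer's Secret is missing until external-secrets is up and the ClusterIssuer health check fails until the chart has installed, which makes bootstrap failures hard to read. Unless ordering is enforced elsewhere, add `dependsOn: [{name: <external-secrets Kustomization name>, namespace: <its namespace>}]` here (the external-secrets Kustomization is not part of this change, so use its real name), and the same in kubernetes/apps/network/certificates/ks.yaml and kubernetes/apps/network/cloudflare-dns/ks.yaml, which likewise apply custom resources whose CRDs and secret stores come from other Kustomizations.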
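--- a/kubernetes/apps/cert-manager/kustomization.yaml
+++ b/kubernetes/apps/cert-manager/kustomization.yaml
@@ -0,0 +1,11 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+
+components:
+- ../../components/namespace
+
+resources:
+- envoy-gateway/ks.yaml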
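Review bot: `resources: - envoy-gateway/ks.yaml` in kubernetes/apps/cert-manager/kustomization.yaml points at a file this change does not add, while the new kubernetes/apps/cert-manager/cert-manager/ks.yaml is referenced by nothing, so kustomize would either fail the build on the missing path or, if that file exists, never reconcile cert-manager at all. This looks like a copy from the network directory; the line should read `- cert-manager/ks.yaml`.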
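--- a/kubernetes/apps/network/certificates/export/certificate.yaml
+++ b/kubernetes/apps/network/certificates/export/certificate.yaml
@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/cert-manager.io/certificate_v1.json
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+name: dcaspi-dev
+spec:
+secretName: dcaspi-dev-tls
+secretTemplate:
+annotations:
+cert-manager.io/alt-names: "*.dcaspi.dev,dcaspi.dev"
+cert-manager.io/certificate-name: dcaspi-dev
+cert-manager.io/common-name: dcaspi.dev
+cert-manager.io/ip-sans: ""
+cert-manager.io/issuer-group: ""
+cert-manager.io/issuer-kind: ClusterIssuer
+cert-manager.io/issuer-name: letsencrypt-production
+cert-manager.io/uri-sans: ""
+labels:
+controller.cert-manager.io/fao: "true"
+issuerRef:
+name: letsencrypt-production
+kind: ClusterIssuer
+commonName: dcaspi.dev
+dnsNames:
+- dcaspi.dev
+- "*.dcaspi.dev"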
@@ -0,0 +1,7 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization

resources:
- certificate.yaml
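--- a/kubernetes/apps/network/certificates/export/pushsecret.yaml
+++ b/kubernetes/apps/network/certificates/export/pushsecret.yaml
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/pushsecret_v1alpha1.json
+apiVersion: external-secrets.io/v1alpha1
+kind: PushSecret
+metadata:
+name: dcaspi-dev-tls
+spec:
+secretStoreRefs:
+- name: onepassword
+kind: ClusterSecretStore
+selector:
+secret:
+name: dcaspi-dev-tls
+template:
+data:
+tls.crt: '{{ index . "tls.crt" | b64enc }}'
+tls.key: '{{ index . "tls.key" | b64enc }}'
+data:
+- match:
+secretKey: &key tls.crt
+remoteRef:
+remoteKey: turbo-ac-tls
+property: *key
+- match:
+secretKey: &key tls.key
+remoteRef:
+remoteKey: turbo-ac-tls
+property: *key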
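Review bot: Both entries push the private key of the `*.dcaspi.dev` wildcard certificate to the 1Password item `turbo-ac-tls`, while every other name in this change says `dcaspi-dev`; the remoteKey looks copied from another repository and would land the key in a differently named item, or overwrite an existing one, so it should presumably be `remoteKey: dcaspi-dev-tls` on both entries. Since that item now contains a key valid for every host under the domain, access to it in the vault should be limited to whatever imports it on the other side. Separately, the anchor `&key` is defined twice; that is legal YAML and each alias binds to the nearest preceding definition, but yamllint and some editors warn on anchor redefinition, so distinct names (`&crt` / `&key`) or simply repeating the literal read better.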
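--- a/kubernetes/apps/network/certificates/ks.yaml
+++ b/kubernetes/apps/network/certificates/ks.yaml
@@ -0,0 +1,16 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: certificates-export
+spec:
+interval: 1h
+path: ./kubernetes/apps/network/certificates/export
+prune: true
+sourceRef:
+kind: GitRepository
+name: flux-system
+namespace: flux-system
+targetNamespace: network
+wait: false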
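--- a/kubernetes/apps/network/cloudflare-dns/app/externalsecret.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/app/externalsecret.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+name: cloudflare-dns
+spec:
+secretStoreRef:
+kind: ClusterSecretStore
+name: onepassword
+target:
+name: cloudflare-dns-secret
+template:
+data:
+CF_API_TOKEN: "{{ .CLOUDFLARE_DNS_TOKEN }}"
+CF_ZONE_ID: "{{ .CLOUDFLARE_ZONE_ID }}"
+dataFrom:
+- extract:
+key: cloudflare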
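--- a/kubernetes/apps/network/cloudflare-dns/app/helmrelease.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/app/helmrelease.yaml
@@ -0,0 +1,46 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+name: &app cloudflare-dns
+spec:
+chartRef:
+kind: OCIRepository
+name: cloudflare-dns
+interval: 1h
+values:
+fullnameOverride: *app
+provider:
+name: cloudflare
+env:
+- name: &name CF_API_TOKEN
+valueFrom:
+secretKeyRef:
+name: &secret cloudflare-dns-secret
+key: *name
+- name: &name CF_ZONE_ID
+valueFrom:
+secretKeyRef:
+name: *secret
+key: *name
+extraArgs:
+- --cloudflare-dns-records-per-page=1000
+- --cloudflare-proxied
+- --crd-source-apiversion=externaldns.k8s.io/v1alpha1
+- --crd-source-kind=DNSEndpoint
+- --gateway-name=envoy-external
+- --zone-id-filter=$(CF_ZONE_ID)
+triggerLoopOnEvent: true
+policy: sync
+sources:
+- crd
+- gateway-httproute
+txtOwnerId: default
+txtPrefix: k8s.
+domainFilters:
+- turbo.ac
+serviceMonitor:
+enabled: true
+podAnnotations:
+secret.reloader.stakater.com/reload: *secret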
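Review bot: `domainFilters: - turbo.ac` restricts external-dns to that zone, yet every DNS name in this change is under `dcaspi.dev` (the ClusterIssuer's `dnsZones`, the Certificate, and the `external.dcaspi.dev` DNSEndpoint in kubernetes/apps/network/cloudflare-tunnel/app/dnsendpoint.yaml), so combined with `--zone-id-filter=$(CF_ZONE_ID)` external-dns would publish nothing for them; presumably the filter should be `- dcaspi.dev`. Worth keeping in mind once the filter is right: `policy: sync` lets external-dns delete records it owns that vanish from the sources, and `--cloudflare-proxied` proxies every published record by default, so `txtOwnerId: default` must be unique among clusters that share this zone and hosts that must not be proxied need the per-record annotation.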
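--- a/kubernetes/apps/network/cloudflare-dns/app/kustomization.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/app/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+- ./externalsecret.yaml
+- ./helmrelease.yaml
+- ./ocirepository.yaml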
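--- a/kubernetes/apps/network/cloudflare-dns/app/ocirepository.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/app/ocirepository.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/ocirepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: OCIRepository
+metadata:
+name: cloudflare-dns
+spec:
+interval: 15m
+layerSelector:
+mediaType: application/vnd.cncf.helm.chart.content.v1.tar+gzip
+operation: copy
+ref:
+tag: 1.19.0
+url: oci://ghcr.io/home-operations/charts-mirror/external-dns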
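--- a/kubernetes/apps/network/cloudflare-dns/ks.yaml
+++ b/kubernetes/apps/network/cloudflare-dns/ks.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: cloudflare-dns
+spec:
+healthChecks:
+- apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+name: cloudflare-dns
+namespace: network
+- apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+name: dnsendpoints.externaldns.k8s.io
+interval: 1h
+path: ./kubernetes/apps/network/cloudflare-dns/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: flux-system
+namespace: flux-system
+targetNamespace: network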
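--- a/kubernetes/apps/network/cloudflare-tunnel/app/dnsendpoint.yaml
+++ b/kubernetes/apps/network/cloudflare-tunnel/app/dnsendpoint.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: externaldns.k8s.io/v1alpha1
+kind: DNSEndpoint
+metadata:
+name: cloudflare-tunnel
+spec:
+endpoints:
+- dnsName: external.dcaspi.dev
+recordType: CNAME
+targets:
+- ${CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com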
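Review bot: `${CLOUDFLARE_TUNNEL_ID}` is a Flux postBuild substitution variable, but the Kustomization that reconciles kubernetes/apps/network/cloudflare-tunnel/app is not part of this change, so whether a `substituteFrom` source supplies it cannot be confirmed from here; without one Flux leaves the literal `${CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com` as the CNAME target and external-dns publishes a broken record. The sibling ExternalSecret reads the same value from the 1Password `cloudflare` item as `.CLOUDFLARE_TUNNEL_ID`, so the substitution source presumably needs to be a Secret that carries that field under exactly that key. This is also the only manifest in the change without a `# yaml-language-server: $schema=` header; for consistency add one pointing at the DNSEndpoint schema (`<schema URL for externaldns.k8s.io DNSEndpoint v1alpha1>`).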
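--- a/kubernetes/apps/network/cloudflare-tunnel/app/externalsecret.yaml
+++ b/kubernetes/apps/network/cloudflare-tunnel/app/externalsecret.yaml
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1.json
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+name: cloudflare-tunnel
+spec:
+secretStoreRef:
+kind: ClusterSecretStore
+name: onepassword
+target:
+name: cloudflare-tunnel-secret
+template:
+data:
+TUNNEL_TOKEN: |-
+{{ toJson (dict "a" .CLOUDFLARE_ACCOUNT_TAG "t" .CLOUDFLARE_TUNNEL_ID "s" .CLOUDFLARE_TUNNEL_SECRET) | b64enc }}
+dataFrom:
+- extract:
+key: cloudflare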