Ecosyste.ms: Awesome
https://github.com/jerryshell/k8s-traefik-cert-manager-dns01-tls
K8s Traefik cert-manager DNS01 TLS
- Host: GitHub
- URL: https://github.com/jerryshell/k8s-traefik-cert-manager-dns01-tls
- Owner: jerryshell
- License: agpl-3.0
- Created: 2024-04-06T06:05:03.000Z (7 months ago)
- Default Branch: master
- Last Pushed: 2024-09-07T13:20:07.000Z (2 months ago)
- Last Synced: 2024-09-07T14:51:43.365Z (2 months ago)
- Topics: cert-manager, cloudflare, dns01, homelab, k8s, kubernetes, tls, traefik
- Homepage:
- Size: 14.6 KB
- Stars: 0
- Watchers: 2
- Forks: 0
- Open Issues: 0
Metadata Files:
- Readme: README.md
- License: LICENSE
README
# K8s Traefik cert-manager DNS01 TLS
[K8s](https://kubernetes.io/) + [Traefik](https://traefik.io/traefik/) + [cert-manager](https://cert-manager.io/) + [DNS01 TLS](https://cert-manager.io/docs/configuration/acme/dns01/)
## Install cert-manager
```bash
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
```
## Cloudflare API Token
[User Profile > API Tokens > API Tokens](https://dash.cloudflare.com/profile/api-tokens)
- Permissions:
  - Zone - DNS - Edit
  - Zone - Zone - Read
- Zone Resources:
  - Include - All Zones
```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
data:
  # Values under `data:` must be base64-encoded; use `stringData:` instead if you want to paste the raw token.
  api-token: ${CF_API_TOKEN}
```
Note: `namespace: cert-manager` is very important! See [ClusterIssuer w/ Cloudflare DNS01 cannot find Secret](https://github.com/cert-manager/cert-manager/issues/263#issuecomment-1196019275)
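The Secret above is the step people most often get wrong (raw token under `data:`, or the wrong namespace). The following script is an added example, not part of this repository: it renders the Secret with a correctly base64-encoded value pinned to `cert-manager`, checks the value round-trips, and can apply it or wait for the resulting Certificate. It assumes `kubectl` is on PATH and the token is supplied in `CF_API_TOKEN`; the script name `cf-secret.sh` is a placeholder.

```bash
#!/usr/bin/env bash
# Added example (not part of the README): render the Cloudflare token Secret with a
# correctly base64-encoded `data` value, pinned to the cert-manager namespace, and
# optionally apply it. Assumes kubectl is on PATH and the token is in CF_API_TOKEN.
set -euo pipefail

# Print the Secret manifest for the raw token in $1. The token never touches disk.
render_cf_token_secret() {
  local token="$1" encoded
  # printf avoids encoding a trailing newline; tr strips base64 line wrapping.
  encoded=$(printf '%s' "$token" | base64 | tr -d '\n')
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: cert-manager
type: Opaque
data:
  api-token: ${encoded}
EOF
}

# Decode the rendered value and compare it with the input: catches the common
# mistake of putting a raw token under `data:` (which the API server rejects).
verify_roundtrip() {
  local token="$1" encoded
  encoded=$(render_cf_token_secret "$token" | sed -n 's/^  api-token: //p')
  [ "$(printf '%s' "$encoded" | base64 -d)" = "$token" ]
}

# Block until cert-manager reports the Certificate ($1, namespace $2) as Ready.
# With ingress-shim the Certificate is named after the Ingress's tls secretName.
wait_for_cert() {
  kubectl wait --for=condition=Ready "certificate/$1" -n "$2" --timeout=300s
}

# Usage: CF_API_TOKEN=... ./cf-secret.sh [apply]
if [ -n "${CF_API_TOKEN:-}" ]; then
  verify_roundtrip "$CF_API_TOKEN"
  if [ "${1:-}" = "apply" ]; then
    render_cf_token_secret "$CF_API_TOKEN" | kubectl apply -f -
  else
    render_cf_token_secret "$CF_API_TOKEN"
  fi
fi
```

Scoping the token's Zone Resources to the one zone you issue for, rather than All Zones, limits what a leaked Secret can change in Cloudflare.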
## Letsencrypt Production ClusterIssuer
```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: ${EMAIL}
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token-secret
              key: api-token
```
## Traefik redirect-https Middleware
```yaml
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  # The Ingress references this as default-redirect-https@kubernetescrd
  # (<namespace>-<name>@kubernetescrd), so it must live in the default namespace.
  namespace: default
spec:
  redirectScheme:
    scheme: https
    permanent: true
```
## TLS Ingress
```yaml
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: ${SERVICE_NAME}-tls-ingress
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
  # ingressClassName is a spec field, not an annotation
  ingressClassName: traefik
  rules:
    - host: ${DOMAIN}
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: ${SERVICE_NAME}
                port:
                  number: ${SERVICE_PORT}
  tls:
    - secretName: ${SERVICE_NAME}-tls
      hosts:
        - ${DOMAIN}
```
## LICENSE
[GNU Affero General Public License v3.0](https://choosealicense.com/licenses/agpl-3.0/)