feat: Added letsencrypt cluster issuer

2025-12-01 02:51:25 +01:00
parent dedfa503eb
commit f672b14404
7 changed files with 122 additions and 0 deletions
--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,8 @@
 creation_rules:
  - path_regex: .*.yaml
    encrypted_regex: ^(data|stringData)$
    pgp: >-
      1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E!
    age: >-
      age1860txadrlqrjwnqh0g466re2nt8jk7xhj640pq9gpsddpg23uynqsp2hul,
      age1hktythzvsnth6u5en2lvag0tftnj9r03w7rpnzfgzgf5w95qxycq2azufj
--- a/clusters/testing/kustomization.yaml
+++ b/clusters/testing/kustomization.yaml
@@ -4,3 +4,5 @@ resources:
  - flux-system/
  - ../../controllers/artifacts.yaml
  - ../../controllers/cert-manager/cert-manager.yaml
  - ../../configs/artifacts.yaml
  - ../../configs/letsencrypt/letsencrypt.yaml
--- a/configs/artifacts.yaml
+++ b/configs/artifacts.yaml
@@ -0,0 +1,16 @@
 apiVersion: source.extensions.fluxcd.io/v1beta1
 kind: ArtifactGenerator
 metadata:
  name: configs
  namespace: flux-system
 spec:
  sources:
    - alias: foundation
      kind: GitRepository
      name: flux-system
  artifacts:
    - name: letsencrypt
      originRevision: "@foundation"
      copy:
        - from: "@foundation/configs/letsencrypt/**"
          to: "@artifact/"
--- a/configs/letsencrypt/cluster-issuer.yaml
+++ b/configs/letsencrypt/cluster-issuer.yaml
@@ -0,0 +1,17 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt
 spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: tim.huizinga@gmail.com
    privateKeySecretRef:
      name: letsencrypt
    solvers:
      - dns01:
          cloudflare:
            email: tim.huizinga@gmail.com
            apiTokenSecretRef:
              name: cloudflare-token
              key: token
--- a/configs/letsencrypt/kustomization.yaml
+++ b/configs/letsencrypt/kustomization.yaml
@@ -0,0 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - secret-cloudflare-token.enc.yaml
  - cluster-issuer.yaml
--- a/configs/letsencrypt/letsencrypt.yaml
+++ b/configs/letsencrypt/letsencrypt.yaml
@@ -0,0 +1,21 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
  name: letsencrypt
  namespace: flux-system
 spec:
  interval: 1h
  retryInterval: 2m
  timeout: 5m
  dependsOn:
    - name: cert-manager
  sourceRef:
    kind: ExternalArtifact
    name: letsencrypt
  decryption:
    provider: sops
    secretRef:
      name: sops-gpg
  path: ./
  prune: true
  wait: true
--- a/configs/letsencrypt/secret-cloudflare-token.enc.yaml
+++ b/configs/letsencrypt/secret-cloudflare-token.enc.yaml
@@ -0,0 +1,53 @@
 apiVersion: v1
 kind: Secret
 metadata:
    name: cloudflare-token
    namespace: cert-manager
 type: Opaque
 stringData:
    token: ENC[AES256_GCM,data:uwFPBz9+EMnpXUgvkJ0u9/iEFbpJ2Rz+oX2pqwcJrH04r8E91weFOA==,iv:m9yka2XMfbuu0d/12RvG7UPWvxJEZ0UeDG+OMqxTpkg=,tag:F7EDh3PCHk2yE0MDIjmo2g==,type:str]
 sops:
    age:
        - recipient: age1860txadrlqrjwnqh0g466re2nt8jk7xhj640pq9gpsddpg23uynqsp2hul
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBuZGVBS1dpRlVQemlRR2gv
            WFQraFRxV1hGTVZ1UlNPeXV5Z1VTQ0o2QVFjCjZmYzh0dmhDczllU1pUdGs3Ti82
            blBOZTAwSUVMTVlJcHNRNVA1NytTMk0KLS0tIGtwR0dYOUxOaUVWb041SXQ5cktU
            b0QwUVJNVDBTUkcwcWxmV3R4Rm4wNjQKC/hMgUvkTlROHPiBZcJ1ALu2zqknkFhw
            qDBjJmwpCApaLKrFMxgMEMySNbN2l04fnCQQtZ97ZH87C1lj5WFT8A==
            -----END AGE ENCRYPTED FILE-----
        - recipient: age1hktythzvsnth6u5en2lvag0tftnj9r03w7rpnzfgzgf5w95qxycq2azufj
          enc: |
            -----BEGIN AGE ENCRYPTED FILE-----
            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOSDA1NkJGdUsyR3hUeG85
            TUpldmk1V054SDNyNHdlVEhtM3NSMlBjc3hJCk9yQXd5ajl5VnFsZytMWHA5dlNN
            Q2pxNHVMd01mMEwwT0pKVnBBYjByWXMKLS0tIE9uQ3pzMW90MEhZUGtxVUkrZFJH
            VXJSejR2bzRLamdoemhSRkwwRGxnVDAKOVvuGT6ZO+JB33RrCF0oqyA0GXAznGOE
            gT/7i9aMKuJfJr5RhfK1GY6JJf18mHt+jwM2epjtcFYzZpMjh2zjcg==
            -----END AGE ENCRYPTED FILE-----
    lastmodified: "2025-12-01T01:33:08Z"
    mac: ENC[AES256_GCM,data:9pXCN0JoIFc7OXJvJFBtd/BGP9aByPFq+8KKUqv0MKXVWJWXxzTzN8yoinxsPrw0KSLOJ98ieDIHj2ukVMpuOILOzDELArDsiP0/TAq387V9S7vx+Z2OnCSVuHoW97fvvqSxqhyAuZ8a4alNQ83TtOdZ2gK6VMxWMKizZWdpGeI=,iv:KaEJ6avIlBSTBSIdi/xDF249WEbzubLviBTaDHSwp5A=,tag:TbwJvDuYJY8EdL6yxekWzQ==,type:str]
    pgp:
        - created_at: "2025-12-01T01:33:08Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----
            hQIMA7pKPTYH5bqOAQ//XvRMEPLhIX1a7oAq5bBY/rl8o5NiBl2z78Bi2ddZ5Fnt
            J1f9syNMfYCrtkrZ5dgGcbELYcdP0QFajyDYWDViz4elmdqsvdzIPY7DAdzj7NQU
            gZhoJyBSK5EP4x/89fFdd9zR54nVH8K9036bp4KEGzu611YxdwHT9EtheTSM12S/
            ZVvVrN0wq6ld9NH0PxEimGL1GhGn+dpVczN1CL1Qh81dz1FpvADd7AJQ7JprkbN8
            SBSG+omRBhuZaoXTurihgL702q/zzX0/ZyQ24ONsaQGWXJmdXx+lRBgfmWPL9w8b
            6tcAwfCyOw6QTaTPipOvtHG3M6rhl3AxPWFm2eIv1oXtFGMAbmxOCDfGzy+Tkuva
            JdlObrgU1v9CAxeKSeqetEZWHY/kPiUSlRUD+C4sHxJBO0MEzxQzNBlh7NgGBOPh
            Ldum/jZbcCJCOyPXS1Q4bW89gwaTVTeOVpadSwwsJap8+13E2sar3BES2tIGiGTZ
            e44S5pS/ycSMLQHxmPgyVnMTtMcRU5qtmEo6hjhrB05bppGQFAiCDilM6PHFJ+oN
            1IDOXCoqiDwS2Yxm7IQrw/7WvHqngTwwJyxjy6q4bgocgrnSqKzqoE0pBZvX1oGN
            1Num+9u+XwWAb2m9QUJAiWy9R16AgDD9Gp3ekArwztlMSWrXnIGz/zUL+ehh3avS
            XgH1P2d8+QPjhrXq9Hyu9wANeL1Z1qQFKTTe9ReqRUc+B4Ts8ACf26FYSneksgJd
            2lyesmgmrGlFzGCVdPCBOuCPCicP/w28WzYUI7amzraPa5kHEhl3wzkQiTE710c=
            =XaqU
            -----END PGP MESSAGE-----
          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E!
    encrypted_regex: ^(data|stringData)$
    version: 3.11.0