bplein / post-talos-setup


Setup notes: ClusterIssuer #3

Open magsol opened 1 month ago

magsol commented 1 month ago

Our configurations here also look nearly identical, with one or two very important differences.

I also use cert-manager and its jetstack helm chart, with nearly identical flags (I think the version is slightly different but that's not important). In the prod issuer:

bplein commented 1 month ago

If you include an anonymized version here, I can post it as an alternate example.

magsol commented 1 month ago

Here's the ClusterIssuer I have set up:

letsencrypt-dns-prod.yaml

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod-dns
spec:
  acme:
    email: my_email@email.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-prod-dns
    solvers:
    - dns01:
        cloudflare:
          email: my_cf_email@email.com
          apiTokenSecretRef:
            name: cloudflare-api-credentials
            key: api-token
      selector:
        dnsZones:
          - "mypublicmastodon.com"

Emails and Mastodon domains have been anonymized, otherwise it's verbatim.

Also apparently I use a custom values file for cert-manager, which I missed in my first post. Here it is:

cert-manager-values.yaml

installCRDs: false
replicaCount: 1
extraArgs:
  - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
  - --dns01-recursive-nameservers-only
podDnsPolicy: None
podDnsConfig:
  nameservers:
    - "1.1.1.1"
    - "9.9.9.9"

No modifications were made.

Finally, to install cert-manager, I first applied the CRDs that are available in the official GitHub repo:

k apply -f https://github.com/cert-manager/cert-manager/releases/download/VERSION/cert-manager.crds.yaml

Then I ran helm:

helm install cert-manager jetstack/cert-manager \
    --create-namespace \
    --namespace cert-manager \
    --version VERSION \
    --values=cert-manager-values.yaml
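As an added example (not from either commenter or the cert-manager project), the script below runs a few sanity checks over the two files posted above: the ClusterIssuer and the chart values. `ISSUER` and `VALUES` are hand-transcribed copies of that YAML in the dict form `yaml.safe_load` would return, so the script runs without PyYAML; in real use you would load the files with `yaml.safe_load` instead. The staging ACME URL is the well-known Let's Encrypt staging endpoint; `apiKeySecretRef` is the cert-manager Cloudflare solver field for the global API key, which the check flags in favour of the scoped `apiTokenSecretRef` the issuer above already uses.

```python
"""Lint a cert-manager ClusterIssuer and chart values for common misconfigurations."""

LE_PROD = "https://acme-v02.api.letsencrypt.org/directory"
LE_STAGING = "https://acme-staging-v02.api.letsencrypt.org/directory"

# Constructed: the ClusterIssuer from the thread, as yaml.safe_load would parse it.
ISSUER = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod-dns"},
    "spec": {"acme": {
        "email": "my_email@email.com",
        "server": LE_PROD,
        "privateKeySecretRef": {"name": "letsencrypt-prod-dns"},
        "solvers": [{
            "dns01": {"cloudflare": {
                "email": "my_cf_email@email.com",
                "apiTokenSecretRef": {"name": "cloudflare-api-credentials", "key": "api-token"},
            }},
            "selector": {"dnsZones": ["mypublicmastodon.com"]},
        }],
    }},
}

# Constructed: the cert-manager-values.yaml from the thread, parsed the same way.
VALUES = {
    "installCRDs": False,
    "replicaCount": 1,
    "extraArgs": [
        "--dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53",
        "--dns01-recursive-nameservers-only",
    ],
    "podDnsPolicy": "None",
    "podDnsConfig": {"nameservers": ["1.1.1.1", "9.9.9.9"]},
}


def check_issuer(issuer):
    """Return a list of findings for the issuer; an empty list means it passes."""
    findings = []
    acme = issuer.get("spec", {}).get("acme", {})
    if issuer.get("kind") != "ClusterIssuer":
        findings.append("kind is not ClusterIssuer")
    server = acme.get("server")
    if server == LE_STAGING:
        findings.append("server is Let's Encrypt staging; issued certs are not browser-trusted")
    elif server != LE_PROD:
        findings.append("server is not a known Let's Encrypt endpoint")
    if not acme.get("privateKeySecretRef", {}).get("name"):
        findings.append("privateKeySecretRef.name missing; ACME account key has nowhere to live")
    for i, solver in enumerate(acme.get("solvers", [])):
        cf = solver.get("dns01", {}).get("cloudflare")
        if cf is None:
            continue
        if "apiKeySecretRef" in cf:
            findings.append(f"solver {i}: uses the global Cloudflare API key; prefer a scoped apiTokenSecretRef")
        elif "apiTokenSecretRef" not in cf:
            findings.append(f"solver {i}: no Cloudflare credential reference")
        if not solver.get("selector", {}).get("dnsZones"):
            findings.append(f"solver {i}: no dnsZones selector, so the solver applies to every zone")
    return findings


def check_values(values):
    """Return findings for the chart values; focuses on DNS-01 self-check resolver settings."""
    findings = []
    args = values.get("extraArgs", [])
    recursive = []
    for arg in args:
        if arg.startswith("--dns01-recursive-nameservers="):
            # Value is a comma-separated host:port list; keep only the host part.
            recursive = [hp.rsplit(":", 1)[0] for hp in arg.split("=", 1)[1].split(",")]
    if recursive and "--dns01-recursive-nameservers-only" not in args:
        findings.append("recursive nameservers set without --dns01-recursive-nameservers-only; "
                        "the self-check will still query the zone's authoritative nameservers")
    if values.get("podDnsPolicy") == "None":
        pod_ns = values.get("podDnsConfig", {}).get("nameservers", [])
        if not pod_ns:
            findings.append("podDnsPolicy None without podDnsConfig.nameservers; pod has no resolver")
        elif set(pod_ns) != set(recursive):
            findings.append("podDnsConfig.nameservers differ from --dns01-recursive-nameservers")
    return findings


if __name__ == "__main__":
    for name, result in (("issuer", check_issuer(ISSUER)), ("values", check_values(VALUES))):
        print(name, "OK" if not result else result)
```

Both posted files pass as-is; the checks exist to catch the usual drift (pointing at staging, falling back to the global API key, dropping the zone selector, or editing one resolver list without the other).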