K8s + Traefik + cert-manager + DNS01 TLS
kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.3/cert-manager.yaml
User Profile > API Tokens > API Tokens
- Permissions:
- Zone - DNS - Edit
- Zone - Zone - Read
- Zone Resources:
- Include - All Zones
apiVersion: v1
kind: Secret
metadata:
name: cloudflare-api-token-secret
namespace: cert-manager
type: Opaque
data:
api-token: ${CF_API_TOKEN}
Note: namespace: cert-manager
is very important! See ClusterIssuer w/ Cloudflare DNS01 cannot find Secret
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
email: ${EMAIL}
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-prod
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: api-token
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-https
spec:
redirectScheme:
scheme: https
permanent: true
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ${SERVICE_NAME}-tls-ingress
annotations:
spec.ingressClassName: traefik
cert-manager.io/cluster-issuer: letsencrypt-prod
traefik.ingress.kubernetes.io/router.middlewares: default-redirect-https@kubernetescrd
spec:
rules:
- host: ${DOMAIN}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ${SERVICE_NAME}
port:
number: ${SERVICE_PORT}
tls:
- secretName: ${SERVICE_NAME}-tls
hosts:
- ${DOMAIN}