Feature request: add dns01 into template #5

Closed
dc232 opened this issue Dec 20, 2021 · 4 comments
Labels
enhancement New feature or request

Comments

@dc232

dc232 commented Dec 20, 2021

Was wondering if the template could be upgraded to support dns01 configs such as

apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  __cloudflareemail__
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsNames:
        - '*.vinsonjewellers.com'
        - vinsonjewellers.com
      dns01:
        cloudflare:
          email: __cloudflareemail__
          apiKeySecretRef:
            name: cloudflare-api-key-secret
            key: API
@bohdantverdyi
Member

bohdantverdyi commented Dec 21, 2021

Hey, at least you can add your additional cluster issuer.

Also you can add your own yaml for cluster issuer in module.

Variable called: cluster_issuer_yaml. Just give your own yaml of cluster issuer to this variable, and module will replace default http issuer with your yaml.

Make sure that name of new cluster issuer is not same as in module, in case when you are adding second cluster issuer.

resource "kubectl_manifest" "cloudflare_cluster_issuer" {

  validate_schema = false

  yaml_body = <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email:  __cloudflareemail__
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - selector:
        dnsNames:
        - '*.vinsonjewellers.com'
        - vinsonjewellers.com
      dns01:
        cloudflare:
          email: __cloudflareemail__
          apiKeySecretRef:
            name: cloudflare-api-key-secret
            key: API
EOF
  depends_on = [module.cert_manager]
}

Anyway good idea to implement support of dns01 issuer in this module :)

@timothyclarke
Contributor

timothyclarke commented Jan 18, 2022

In terms of a "second" cluster issuer: it's typically less confusing (and easier to debug) if you keep to 1 cluster issuer but have multiple solvers, eg

    solvers:
    - dns01:
        route53:
          region: __CLUSTER_REGION__
          ambient: true
      selector:
        dnsZones:
        - internal.example.com
    - dns01:
        cloudflare:
          email: __cloudflareemail__
          apiKeySecretRef:
            name: cloudflare-api-key-secret
            key: API
      selector:
        dnsZones:
        - public.example.com
    - http01:
        ingress:
          class: nginx

Aka internal.example.com is on route53, public.example.com is on cloudflare and everything else uses a http01 solver.

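The multi-solver layout in the comment above only works if cert-manager routes each DNS name to the solver you expect. The following is an added example, not code from this issue, the module, or cert-manager: a small offline model of the solver-selection precedence described in cert-manager's ACME docs (an exact dnsNames match beats a dnsZones match, the most specific matching zone wins, a solver with no selector is the catch-all, ties go to the earlier solver), run over the three solvers posted above. The solver list is a constructed Python equivalent of that YAML; the `lint` function, its warning texts, and the rule set are this example's own simplification, so confirm the edge cases against the cert-manager version you run.

```python
"""Model of cert-manager ACME solver selection, run over the posted solver list.

Added example: not cert-manager's code. Rules implemented (from the docs):
exact dnsNames match > dnsZones match (longest zone wins) > matchLabels count;
a solver without a selector matches everything; ties go to the earlier solver.
"""

# Constructed input: the three solvers from the comment above, as Python
# dicts so no YAML library is needed to run this offline.
SOLVERS = [
    {"dns01": {"route53": {"region": "__CLUSTER_REGION__", "ambient": True}},
     "selector": {"dnsZones": ["internal.example.com"]}},
    {"dns01": {"cloudflare": {"email": "__cloudflareemail__",
                              "apiKeySecretRef": {"name": "cloudflare-api-key-secret",
                                                  "key": "API"}}},
     "selector": {"dnsZones": ["public.example.com"]}},
    {"http01": {"ingress": {"class": "nginx"}}},
]


def in_zone(dns_name, zone):
    """True if dns_name is the zone itself or any name below it ('*.' included)."""
    n, z = dns_name.lower().rstrip("."), zone.lower().rstrip(".")
    return n == z or n.endswith("." + z)


def score(solver, dns_name, labels):
    """None if the solver does not apply to dns_name, else a tuple that sorts
    higher for a more specific match: (exact name hit, zone depth, label count)."""
    sel = solver.get("selector") or {}
    want = sel.get("matchLabels") or {}
    if any(labels.get(k) != v for k, v in want.items()):
        return None
    names = sel.get("dnsNames") or []
    zones = sel.get("dnsZones") or []
    name_hit = dns_name.lower() in (n.lower() for n in names)
    zone_hits = [z for z in zones if in_zone(dns_name, z)]
    if (names or zones) and not name_hit and not zone_hits:
        return None  # DNS selector present but nothing matched
    best_zone = max((len(z.split(".")) for z in zone_hits), default=0)
    return (int(name_hit), best_zone, len(want))


def solver_type(solver):
    return "dns01" if "dns01" in solver else "http01"


def select_solver(solvers, dns_name, labels=None):
    """(index, kind) of the solver chosen for dns_name; ValueError if none applies."""
    labels = labels or {}
    best = None
    for i, s in enumerate(solvers):
        sc = score(s, dns_name, labels)
        # strict '>' keeps the earlier solver on a tie, as the docs describe
        if sc is not None and (best is None or sc > best[0]):
            best = (sc, i)
    if best is None:
        raise ValueError(f"no solver matches {dns_name}")
    return best[1], solver_type(solvers[best[1]])


def lint(solvers, dns_names):
    """Warnings worth seeing before applying the issuer (this example's own checks)."""
    warns = []
    for name in dns_names:
        i, kind = select_solver(solvers, name)
        if kind == "http01" and name.startswith("*."):
            # ACME (RFC 8555) only validates wildcard identifiers with dns-01
            warns.append(f"{name}: routed to http01 solver #{i}, but wildcards need dns-01")
    for i, s in enumerate(solvers):
        cf = s.get("dns01", {}).get("cloudflare", {})
        if "apiKeySecretRef" in cf:
            # the Cloudflare global API key grants full account access; cert-manager
            # also accepts a scoped token via apiTokenSecretRef
            warns.append(f"solver #{i}: cloudflare uses a global apiKey; prefer apiTokenSecretRef")
    return warns


if __name__ == "__main__":
    for n in ("api.internal.example.com", "*.public.example.com", "www.other.example.org"):
        print(n, "->", select_solver(SOLVERS, n))
    for w in lint(SOLVERS, ["*.other.example.org"]):
        print("WARN", w)
```

Run it as-is to see the routing claimed in the comment (internal.example.com to route53, public.example.com to cloudflare, everything else to http01) plus two warnings: a wildcard name that falls through to the http01 catch-all cannot be issued, and the Cloudflare solver as posted authenticates with the account-wide API key rather than a scoped token.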
@bohdantverdyi
Member

bohdantverdyi commented Jan 18, 2022

@timothyclarke Looks really good, let me check locally how it works in real life )

@bohdantverdyi
Member

@timothyclarke Thanks for PR.

@dc232 Feature has been added.

@bohdantverdyi bohdantverdyi added the enhancement New feature or request label Jan 18, 2022
3 participants