Cloudflare Certificates

If your cluster is not reachable from the public internet, the HTTP-01 challenge cannot be used, but you can still obtain Let's Encrypt certificates with the DNS-01 challenge: cert-manager only needs to create a TXT record in your DNS zone, not receive inbound traffic.
This guide is based on the cert-manager documentation at https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/

Prerequisites

To start this guide, you'll need:

  • A deployed Hydrolix cluster using Cloudflare to manage DNS zones for the Hydrolix cluster hostname.

Create token to alter zone

To authenticate against Cloudflare you can use one of two credential types. API Tokens are application-scoped credentials bound to specific zones and permissions, while the Global API Key carries every permission of your account.

API Tokens are recommended: a token grants only the permissions listed below and can be revoked on its own, so a token leaked from the cluster does not expose the whole account.

Tokens can be created at User Profile > API Tokens > API Tokens. The following settings are recommended:

  • Permissions:
    • Zone - DNS - Edit
    • Zone - Zone - Read
  • Zone Resources:
    • Include - All Zones

For least privilege, narrow Zone Resources to Include - Specific zone and select only the zone that holds the cluster hostname; the token then cannot modify records in any other zone if it is ever exposed.

Once the token is created, store it in a Kubernetes Secret in the same namespace as the Issuer you will create in the next step (an Issuer can only read Secrets in its own namespace):

apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: $YOURNAMESPACE - TO BE REPLACED
type: Opaque
stringData:
  api-token: $API_TOKEN - TO BE REPLACED

Save this configuration in the yaml file cloudflare-secret.yaml and deploy it in your cluster. The file contains a live credential, so keep it out of version control and delete it once the Secret has been applied:

kubectl apply -f cloudflare-secret.yaml

Create a Certificate Issuer

In this step, we'll create an Issuer that uses the Let's Encrypt production certificate authority. The Issuer contains the following information:

  • name - name of the issuer that Certificate resources reference
  • ACME server - directory URL of the CA that issues the ACME challenges
  • email - contact address registered with the ACME account (Let's Encrypt uses it for expiry and policy notices)
  • privateKeySecretRef - Secret in which cert-manager stores the ACME account private key
  • solvers - how cert-manager proves control of the domain; here a DNS-01 solver that writes the challenge TXT record through the Cloudflare API

The following example generates a certificate using Let's Encrypt. It validates domain ownership with the DNS-01 challenge and creates the proof (an _acme-challenge TXT record) via Cloudflare. Let's Encrypt production enforces rate limits, so while you are still debugging the setup point server at the staging directory https://acme-staging-v02.api.letsencrypt.org/directory (its certificates are not browser-trusted) and switch to the production URL below once a staging certificate issues:

apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-cloudflare
  namespace: $YOURNAMESPACE - TO BE REPLACED
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $YOUREMAILMANAGINGCERTIFICATE - TO BE REPLACED
    privateKeySecretRef:
      name: letsencrypt-production-cloudflare
    solvers:
    - dns01:
        cloudflare:
          # optional with API Tokens: cert-manager only requires email for API Key authentication
          email: $YOUR_EMAIL_ON_CLOUDFLARE_USED_TO_CREATE_THE_TOKEN - TO BE REPLACED
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token

Store the configuration in the file issuer-prod-lets-enc-cloudflare.yaml. Use the following command to deploy it to your cluster:

kubectl apply -f issuer-prod-lets-enc-cloudflare.yaml

Create a Certificate Request Configuration

After deploying the Issuer, create a Certificate resource for your domain in the same namespace as the Issuer.
An important requirement for Hydrolix is that the certificate is stored in the Secret named traefik-tls (secretName: traefik-tls):
that is the default location from which Hydrolix loads the certificate.
Here's a configuration example:

apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $YOURNAMESPACE - TO BE REPLACED
  namespace: $YOURNAMESPACE - TO BE REPLACED
spec:
  secretName: traefik-tls
  issuerRef:
    name: letsencrypt-production-cloudflare
    kind: Issuer
  commonName: $YOURDOMAIN - TO BE REPLACED
  dnsNames:
  - $YOURDOMAIN - TO BE REPLACED

Store this certificate request in the yaml file cert-req.yaml and deploy it in your cluster:

kubectl apply -f cert-req.yaml
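The three steps above (Secret, Issuer, Certificate) as one script, added here as an example; it is not part of the Hydrolix or cert-manager documentation. It assumes four environment variables with hypothetical names (NAMESPACE, CF_API_TOKEN, ACME_EMAIL, DOMAIN) and that kubectl, curl and openssl are on the path. It adds the checks a practitioner wants before touching production: it refuses to apply a manifest that still contains a "TO BE REPLACED" placeholder, confirms the token is active against Cloudflare's token-verify endpoint, deletes the rendered file because it holds the live token, waits for cert-manager to mark the Certificate Ready, and prints the subject, SANs and validity of what landed in traefik-tls. The Cloudflare email field is omitted from the solver because cert-manager only requires it for API Key authentication.

```shell
#!/bin/sh
# Added example, not part of the Hydrolix or cert-manager docs: render the guide's three
# manifests with real values, check them, apply them and wait for the certificate.
# Assumed (hypothetical) inputs: NAMESPACE, CF_API_TOKEN, ACME_EMAIL, DOMAIN env vars.
set -eu

# Render Secret, Issuer and Certificate as one multi-document YAML on stdout.
# Args: namespace, Cloudflare API token, ACME account e-mail, cluster hostname.
render_manifests() {
  ns="$1"; token="$2"; email="$3"; domain="$4"
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: ${ns}
type: Opaque
stringData:
  api-token: ${token}
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-cloudflare
  namespace: ${ns}
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${email}
    privateKeySecretRef:
      name: letsencrypt-production-cloudflare
    solvers:
    - dns01:
        cloudflare:
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: api-token
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: ${ns}
  namespace: ${ns}
spec:
  secretName: traefik-tls
  issuerRef:
    name: letsencrypt-production-cloudflare
    kind: Issuer
  commonName: ${domain}
  dnsNames:
  - ${domain}
EOF
}

# Return 1 (and list the offending lines) if a manifest file still carries a placeholder.
check_placeholders() {
  if grep -n 'TO BE REPLACE' "$1" >&2; then
    echo "refusing to apply $1: placeholder values remain" >&2
    return 1
  fi
}

# Ask Cloudflare whether the token is active before storing it in the cluster.
verify_cf_token() {
  curl -fsS -H "Authorization: Bearer $1" \
    https://api.cloudflare.com/client/v4/user/tokens/verify
}

# Print subject, SANs and validity of the certificate cert-manager wrote to traefik-tls.
show_cert() {
  kubectl get secret traefik-tls -n "$1" -o 'jsonpath={.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -ext subjectAltName -dates
}

main() {
  : "${NAMESPACE:?}" "${CF_API_TOKEN:?}" "${ACME_EMAIL:?}" "${DOMAIN:?}"
  verify_cf_token "$CF_API_TOKEN" >/dev/null
  tmp=$(mktemp)
  trap 'rm -f "$tmp"' EXIT          # the rendered file holds the live token
  render_manifests "$NAMESPACE" "$CF_API_TOKEN" "$ACME_EMAIL" "$DOMAIN" > "$tmp"
  check_placeholders "$tmp"
  kubectl apply -f "$tmp"
  # The Certificate is named after the namespace, as in the guide's example.
  kubectl wait --for=condition=Ready "certificate/$NAMESPACE" -n "$NAMESPACE" --timeout=600s
  show_cert "$NAMESPACE"
}

# Only run the full flow when invoked as: ./issue-cert.sh apply
if [ "${1:-}" = "apply" ]; then
  main
fi
```

Run it as ./issue-cert.sh apply. Invoked without the argument it only defines the functions, so you can source it and call render_manifests to inspect the YAML before anything reaches the cluster.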

Return to the Add a Custom Certificate guide to validate your results.