Cloudflare Certificates
If your cluster is not reachable from the public internet, Let's Encrypt cannot complete an HTTP-01 challenge against it, but you can still obtain certificates with the DNS-01 challenge: cert-manager proves control of the domain by creating a TXT record in Cloudflare DNS, which Let's Encrypt can always query.
This guide is based on the cert-manager Cloudflare DNS-01 documentation: https://cert-manager.io/docs/configuration/acme/dns01/cloudflare/
Prerequisites
To start this guide, you'll need:
- A deployed Hydrolix cluster whose hostname lives in a DNS zone managed by Cloudflare.
- cert-manager installed in the cluster, since the Issuer and Certificate resources below are cert-manager custom resources.
Create a token that can edit the zone
Cloudflare offers two kinds of credentials. API Tokens are application-scoped: each token carries only the permissions you grant it, bound to specific zones. API Keys (the Global API Key) are account-scoped and carry every permission your account has.
Use an API Token. It can be limited to exactly the zone and the two permissions cert-manager needs, and it can be revoked on its own if the cluster or the Secret holding it is compromised, without rotating the credential for your whole account.
Tokens are created at User Profile > API Tokens > API Tokens. The following settings are recommended:
- Permissions:
  - Zone - DNS - Edit (to create and delete the _acme-challenge TXT record)
  - Zone - Zone - Read (so cert-manager can look up the zone ID for your hostname)
- Zone Resources:
  - Include - Specific zone - the zone that contains the Hydrolix hostname
The cert-manager documentation shows Include - All Zones, which also works, but it grants the token DNS edit rights on every zone in the account. Scope it to the single zone unless you really issue certificates across several zones. Copy the token when it is shown; Cloudflare does not display it again.
Once the token is created, store it in a Kubernetes Secret in the namespace where you will create the Issuer (an Issuer can only read Secrets in its own namespace):

```yaml
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token-secret
  namespace: <YOUR_NAMESPACE>   # replace: same namespace as the Issuer and Certificate
type: Opaque
stringData:
  api-token: <API_TOKEN>        # replace with the token created above
```

Save this as cloudflare-secret.yaml and apply it to your cluster:

```
kubectl apply -f cloudflare-secret.yaml
```

A Kubernetes Secret is only base64-encoded in the API server, not encrypted, and the file on disk holds the token in clear text: do not commit cloudflare-secret.yaml to version control, and delete it once the Secret exists in the cluster.
Create a Certificate Issuer
Next, create an Issuer that uses the Let's Encrypt production certificate authority. The Issuer contains the following information:
- name - the name that Certificate resources reference in their issuerRef
- ACME server - the ACME directory URL of the CA. While testing, point it at https://acme-staging-v02.api.letsencrypt.org/directory instead; the production endpoint enforces rate limits and a misconfigured DNS solver can exhaust them quickly.
- email - the contact address registered with the ACME account; Let's Encrypt sends expiry and policy notices there
- privateKeySecretRef - the Secret in which cert-manager stores the ACME account's private key (created automatically)
- solvers - how cert-manager proves control of the domain; here a DNS-01 solver that creates the challenge TXT record through the Cloudflare API with the token stored above
The following example issues certificates from Let's Encrypt, validates domain ownership with DNS-01, and lets cert-manager manage the challenge record in Cloudflare:
```yaml
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: letsencrypt-production-cloudflare
  namespace: <YOUR_NAMESPACE>          # replace: same namespace as the token Secret
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: <CERTIFICATE_CONTACT_EMAIL>  # replace: ACME account contact address
    privateKeySecretRef:
      name: letsencrypt-production-cloudflare   # cert-manager creates this Secret for the ACME account key
    solvers:
    - dns01:
        cloudflare:
          email: <CLOUDFLARE_ACCOUNT_EMAIL>     # replace: required only with API Keys, optional with API Tokens
          apiTokenSecretRef:
            name: cloudflare-api-token-secret   # the Secret created above
            key: api-token
```

Store the configuration in the file issuer-prod-lets-enc-cloudflare.yaml and deploy it to your cluster:

```
kubectl apply -f issuer-prod-lets-enc-cloudflare.yaml
```
Create a Certificate Request Configuration
With the Issuer deployed, create a Certificate resource for your Hydrolix hostname. cert-manager then requests the certificate, answers the DNS-01 challenge, and writes the private key, certificate, and chain into the Secret named in secretName, renewing it before expiry.
For Hydrolix the secretName must be traefik-tls: that is the Secret Hydrolix loads the certificate from by default.
Here is a configuration example:
```yaml
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: <YOUR_NAMESPACE>       # replace: the Certificate's own name, any valid name works
  namespace: <YOUR_NAMESPACE>  # replace: must match the Issuer's namespace
spec:
  secretName: traefik-tls      # fixed: the Secret Hydrolix reads the certificate from
  issuerRef:
    name: letsencrypt-production-cloudflare
  commonName: <YOUR_DOMAIN>    # replace: optional, must also be listed in dnsNames and be at most 64 characters
  dnsNames:
  - <YOUR_DOMAIN>              # replace with the Hydrolix cluster hostname
```

Store this certificate request in the file cert-req.yaml and deploy it to your cluster:

```
kubectl apply -f cert-req.yaml
```

cert-manager reports progress on the Certificate's Ready condition; until it is True, the traefik-tls Secret does not exist or still holds the previous certificate.
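The whole procedure above as one script, added here as an example; it is not part of the Hydrolix documentation or of cert-manager. It fills the placeholders from environment variables, refuses values that still look like placeholders, creates the token Secret from the environment so the token never lands in a file, renders and applies the Issuer and Certificate from this page, then waits for the Ready condition and prints the subject, SANs and validity of what was actually issued. The variable names, the default domain and e-mail addresses, and the render/apply sub-commands are assumptions for illustration; the resource names are the ones used on this page.

```shell
#!/bin/sh
# Added example (not Hydrolix or cert-manager code): drive the Cloudflare
# DNS-01 setup from this page end to end. Variable names, example domain and
# e-mail addresses below are assumptions, not values from the page.
set -eu

NAMESPACE="${NAMESPACE:-hydrolix}"            # namespace of the Hydrolix deployment
ACME_EMAIL="${ACME_EMAIL:-ops@example.com}"   # ACME account contact address
CF_EMAIL="${CF_EMAIL:-cf-admin@example.com}"  # Cloudflare account e-mail (optional with API tokens)
DOMAIN="${DOMAIN:-hdx.example.com}"           # Hydrolix cluster hostname
ISSUER="letsencrypt-production-cloudflare"    # Issuer name used on this page
TOKEN_SECRET="cloudflare-api-token-secret"    # Secret name used on this page

# Reject values that still look like the page's "TO BE REPLACE" placeholders
# (empty, containing $, <, > or whitespace).
check_filled() {
  case "$2" in
    ''|*'$'*|*'<'*|*'>'*|*' '*) echo "$1 looks unfilled: '$2'" >&2; return 1 ;;
  esac
}

validate_inputs() {
  check_filled NAMESPACE "$NAMESPACE" || return 1
  check_filled ACME_EMAIL "$ACME_EMAIL" || return 1
  check_filled DOMAIN "$DOMAIN" || return 1
  # X.509 commonName is limited to 64 characters; longer names go in dnsNames only.
  if [ "${#DOMAIN}" -gt 64 ]; then
    echo "DOMAIN is too long for commonName; drop commonName and keep dnsNames" >&2
    return 1
  fi
}

render_issuer() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: $ISSUER
  namespace: $NAMESPACE
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: $ACME_EMAIL
    privateKeySecretRef:
      name: $ISSUER
    solvers:
    - dns01:
        cloudflare:
          email: $CF_EMAIL
          apiTokenSecretRef:
            name: $TOKEN_SECRET
            key: api-token
EOF
}

render_certificate() {
  cat <<EOF
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: $DOMAIN
  namespace: $NAMESPACE
spec:
  secretName: traefik-tls
  issuerRef:
    name: $ISSUER
  commonName: $DOMAIN
  dnsNames:
  - $DOMAIN
EOF
}

# Build the Secret from the environment instead of a YAML file on disk;
# dry-run piped into apply makes this safe to re-run when rotating the token.
create_token_secret() {
  : "${CLOUDFLARE_API_TOKEN:?export the Cloudflare API token first}"
  kubectl -n "$NAMESPACE" create secret generic "$TOKEN_SECRET" \
    --from-literal=api-token="$CLOUDFLARE_API_TOKEN" \
    --dry-run=client -o yaml | kubectl apply -f -
}

apply_all() {
  validate_inputs
  create_token_secret
  render_issuer | kubectl apply -f -
  render_certificate | kubectl apply -f -
}

# Wait for the DNS-01 challenge to finish, then show what was really issued:
# subject and subjectAltName must match $DOMAIN, issuer must be Let's Encrypt.
inspect_result() {
  kubectl -n "$NAMESPACE" wait --for=condition=Ready "certificate/$DOMAIN" --timeout=600s
  kubectl -n "$NAMESPACE" get secret traefik-tls -o jsonpath='{.data.tls\.crt}' \
    | base64 -d | openssl x509 -noout -subject -issuer -dates -ext subjectAltName
}

case "${1:-}" in
  apply)  apply_all && inspect_result ;;
  render) validate_inputs && render_issuer && echo --- && render_certificate ;;
  *)      echo "usage: $0 render|apply" >&2 ;;
esac
```

Run `NAMESPACE=... ACME_EMAIL=... DOMAIN=... ./setup-cf-cert.sh render` first to review the manifests, then export CLOUDFLARE_API_TOKEN and run it with `apply`. If the wait times out, `kubectl -n $NAMESPACE describe challenge` shows whether the TXT record was created and whether Let's Encrypt could see it.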
Return to the Add a Custom Certificate guide to validate your results.