gitops/cert-manager: add dns challenger cluster issuer, add

deployment/service with socat proxy that works around my internet provider's medling into dns traffic on port 53.
2026-02-20 02:11:50 +01:00
parent 409f8247e6
commit 1cd7625220
5 changed files with 92 additions and 0 deletions
--- a/gitops/home-kubernetes/cert-manager/clusterissuer_dns01-prod.yaml
+++ b/gitops/home-kubernetes/cert-manager/clusterissuer_dns01-prod.yaml
@@ -0,0 +1,22 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod-dns
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: kacerr.cz@gmail.com
+    privateKeySecretRef:
+      name: letsencrypt-dns-account-key
+    solvers:
+    - dns01:
+        rfc2136:
+          nameserver: dns-update-proxy.cert-manager.svc.cluster.local:53
+          tsigKeyName: acme-update-key
+          tsigAlgorithm: HMACSHA512
+          tsigSecretSecretRef:
+            name: acme-update-key
+            key: acme-update-key
+      selector:
+        dnsZones:
+          - "lab.home.hrajfrisbee.cz"
--- a/gitops/home-kubernetes/cert-manager/deployment_dns-updater-proxy.yaml
+++ b/gitops/home-kubernetes/cert-manager/deployment_dns-updater-proxy.yaml
@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dns-update-proxy
+  namespace: cert-manager
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dns-update-proxy
+  template:
+    metadata:
+      labels:
+        app: dns-update-proxy
+    spec:
+      containers:
+      - name: socat-tcp
+        image: alpine/socat
+        args:
+        - TCP-LISTEN:53,fork,reuseaddr
+        - TCP:87.236.195.209:5353
+        ports:
+        - containerPort: 53
+          protocol: TCP
+      - name: socat-udp
+        image: alpine/socat
+        args:
+        - -T5
+        - UDP-RECVFROM:53,fork,reuseaddr
+        - UDP:87.236.195.209:5353
+        ports:
+        - containerPort: 53
+          protocol: UDP
--- a/gitops/home-kubernetes/cert-manager/externalsecret_acme-key.yaml
+++ b/gitops/home-kubernetes/cert-manager/externalsecret_acme-key.yaml
@@ -0,0 +1,18 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: acme-update-key
+  namespace: cert-manager
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend  # or your store
+    kind: ClusterSecretStore
+  target:
+    name: acme-update-key
+    creationPolicy: Owner
+  data:
+    - secretKey: acme-update-key
+      remoteRef:
+        key: k8s_home/cert-manager
+        property: acme-update-key
--- a/gitops/home-kubernetes/cert-manager/helmrelease.yaml
+++ b/gitops/home-kubernetes/cert-manager/helmrelease.yaml
@@ -19,6 +19,8 @@ spec:
  upgrade:
    crds: CreateReplace
  values:
+    global:
+      logLevel: 6
    crds:
      enabled: false
    config:
--- a/gitops/home-kubernetes/cert-manager/service_dns-updater-proxy.yaml
+++ b/gitops/home-kubernetes/cert-manager/service_dns-updater-proxy.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: dns-update-proxy
+  namespace: cert-manager
+spec:
+  selector:
+    app: dns-update-proxy
+  ports:
+  - name: dns-tcp
+    port: 53
+    targetPort: 53
+    protocol: TCP
+  - name: dns-udp
+    port: 53
+    targetPort: 53
+    protocol: UDP