From dc86a961be86987d2932006c2b8e968da0e0785c Mon Sep 17 00:00:00 2001
From: Nik Afiq
Date: Fri, 6 Mar 2026 18:42:02 +0900
Subject: [PATCH] Add cert-manager configurations and scripts for Porkbun and Let's Encrypt integration
- Create .env.example for API credentials
- Update .gitignore to include .env file
- Add cluster issuer configurations for internal CA and Let's Encrypt
- Implement porkbun-secret.sh for creating Kubernetes secrets
- Define Helm values for cert-manager, Gitea, and Pihole with TLS settings
---
.env.example | 3 ++
.gitignore | 1 +
.../cert-manager/cluster-issuer-internal.yaml | 33 +++++++++++++++++++
.../cluster-issuer-letsencrypt.yaml | 31 +++++++++++++++++
manifests/cert-manager/porkbun-secret.sh | 24 ++++++++++++++
values/cert-manager.yaml | 12 +++++++
values/gitea.yaml | 5 +++
values/pihole.yaml | 5 +++
8 files changed, 114 insertions(+)
create mode 100644 .env.example
create mode 100644 manifests/cert-manager/cluster-issuer-internal.yaml
create mode 100644 manifests/cert-manager/cluster-issuer-letsencrypt.yaml
create mode 100755 manifests/cert-manager/porkbun-secret.sh
create mode 100644 values/cert-manager.yaml
diff --git a/.env.example b/.env.example
new file mode 100644
index 0000000..b478059
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,3 @@
+# Porkbun API credentials
+PORKBUN_API_KEY=pk1_your_key_here
+PORKBUN_SECRET_API_KEY=sk1_your_key_here
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 07fc6eb..dacd63b 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,2 @@
+.env
 old.debian-data
\ No newline at end of file
diff --git a/manifests/cert-manager/cluster-issuer-internal.yaml b/manifests/cert-manager/cluster-issuer-internal.yaml
new file mode 100644
index 0000000..c299d34
--- /dev/null
+++ b/manifests/cert-manager/cluster-issuer-internal.yaml
@@ -0,0 +1,33 @@
+# Internal CA for *.home.arpa
+# Apply: kubectl apply -f manifests/cert-manager/cluster-issuer-internal.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: internal-ca
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: internal-ca-cert
+ namespace: cert-manager
+spec:
+ isCA: true
+ commonName: homelab-internal-ca
+ secretName: internal-ca-cert
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: internal-ca
+ kind: ClusterIssuer
+ group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: internal-ca-issuer
+spec:
+ ca:
+ secretName: internal-ca-cert
\ No newline at end of file
diff --git a/manifests/cert-manager/cluster-issuer-letsencrypt.yaml b/manifests/cert-manager/cluster-issuer-letsencrypt.yaml
new file mode 100644
index 0000000..fab889c
--- /dev/null
+++ b/manifests/cert-manager/cluster-issuer-letsencrypt.yaml
@@ -0,0 +1,31 @@
+# Let's Encrypt HTTP-01 issuer for *.nik4nao.com
+# Apply: kubectl apply -f manifests/cert-manager/cluster-issuer-letsencrypt.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: nik.afiq98@ymail.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod-account-key
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: traefik
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+spec:
+ acme:
+ email: nik.afiq98@ymail.com
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-staging-account-key
+ solvers:
+ - http01:
+ ingress:
+ ingressClassName: traefik
\ No newline at end of file
diff --git a/manifests/cert-manager/porkbun-secret.sh b/manifests/cert-manager/porkbun-secret.sh
new file mode 100755
index 0000000..6c802ba
--- /dev/null
+++ b/manifests/cert-manager/porkbun-secret.sh
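Review bot: The `internal-ca-cert` Certificate sets no `duration`/`renewBefore`, so cert-manager applies its default leaf lifetime (90 days unless the installation overrides it) to the CA itself; each time the CA is re-issued, every trust store that imported the previous CA (browsers, git clients, anything reaching gitea/pihole over HTTPS) stops validating newly issued leaf certificates, and leaves issued earlier still chain to a CA that is no longer in the secret. Give the CA an explicit long lifetime under its `spec`, e.g. `duration: 87600h` and `renewBefore: 720h`, and consider `subject.organizations` so the certificate is recognisable once imported. The CA private key also lives unencrypted in Secret `cert-manager/internal-ca-cert`, so anyone with `get secrets` in that namespace can mint a certificate for any `*.home.arpa` host; RBAC on the `cert-manager` namespace is the real security boundary here and deserves a comment on the Certificate. The bootstrap `internal-ca` selfSigned ClusterIssuer is cluster-wide as well; a comment such as `# bootstrap only: self-signs the CA below, do not reference it from application Certificates` would prevent it being used to issue untrusted self-signed leaves.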
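Review bot: The header comment promises an issuer for `*.nik4nao.com`, but both ClusterIssuers configure only an `http01` solver, and the ACME HTTP-01 challenge cannot issue wildcard certificates — those require a DNS-01 solver. HTTP-01 also requires the Traefik `web` entrypoint to be reachable from the public internet on port 80 for every hostname requested, which a homelab behind NAT may not expose. The commit creates the `porkbun-api-credentials` secret via porkbun-secret.sh, yet nothing in these issuers references it; presumably a DNS-01 solver was intended, and since cert-manager has no built-in Porkbun provider that would need an external webhook solver. Either correct the comment to `# Let's Encrypt HTTP-01 issuers for individual nik4nao.com hostnames (no wildcards; needs public port 80 via Traefik)` or add the DNS-01 solver that consumes the Porkbun secret.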
@@ -0,0 +1,24 @@
+#!/bin/bash
+# Usage: bash manifests/cert-manager/porkbun-secret.sh
+# Requires: .env file in repo root with PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ENV_FILE="$SCRIPT_DIR/../../.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+ echo "Error: .env file not found at $ENV_FILE"
+ echo "Copy .env.example to .env and fill in your values"
+ exit 1
+fi
+
+source "$ENV_FILE"
+
+kubectl create secret generic porkbun-api-credentials \
+ --namespace cert-manager \
+ --from-literal=api-key="$PORKBUN_API_KEY" \
+ --from-literal=secret-api-key="$PORKBUN_SECRET_API_KEY" \
+ --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Secret applied successfully"
\ No newline at end of file
diff --git a/values/cert-manager.yaml b/values/cert-manager.yaml
new file mode 100644
index 0000000..fdbfc39
--- /dev/null
+++ b/values/cert-manager.yaml
@@ -0,0 +1,12 @@
+# cert-manager Helm values
+# Deploy:
+# helm repo add jetstack https://charts.jetstack.io
+# helm repo update
+# helm upgrade --install cert-manager jetstack/cert-manager \
+# --namespace cert-manager --create-namespace \
+# -f values/cert-manager.yaml
+
+crds:
+ enabled: true
+
+replicaCount: 1
\ No newline at end of file
diff --git a/values/gitea.yaml b/values/gitea.yaml
index 4d1c358..b90e19e 100644
--- a/values/gitea.yaml
+++ b/values/gitea.yaml
@@ -15,11 +15,16 @@ ingress:
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: internal-ca-issuer
 hosts:
 - host: gitea.home.arpa
 paths:
 - path: /
 pathType: Prefix
+ tls:
+ - secretName: gitea-tls
+ hosts:
+ - gitea.home.arpa

 gitea:
 admin:
diff --git a/values/pihole.yaml b/values/pihole.yaml
index a764f54..6d2c91d 100644
--- a/values/pihole.yaml
+++ b/values/pihole.yaml
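Review bot: After `source "$ENV_FILE"` the script never checks that `PORKBUN_API_KEY` and `PORKBUN_SECRET_API_KEY` are actually set; with `set -e` but no `-u`, a half-filled `.env` silently applies a Secret whose `api-key`/`secret-api-key` values are empty strings, and the failure only surfaces later inside cert-manager. Replace `set -e` with `set -euo pipefail` and fail fast right after sourcing: `: "${PORKBUN_API_KEY:?is not set in $ENV_FILE}"` and `: "${PORKBUN_SECRET_API_KEY:?is not set in $ENV_FILE}"`. Separately, `--from-literal=…="$PORKBUN_API_KEY"` puts both credentials on the kubectl command line, where any local user can read them from `ps` for the lifetime of the process; `--from-file=api-key=<(printf '%s' "$PORKBUN_API_KEY")` (and likewise for `secret-api-key`) yields the same Secret keys without exposing the values as arguments, and the `#!/bin/bash` shebang already guarantees process substitution is available. Nothing in this patch consumes `porkbun-api-credentials`, so a header comment naming the intended consumer (a DNS-01 solver for nik4nao.com, presumably) would help the next reader.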
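Review bot: The new `tls` block requests `gitea-tls` from `internal-ca-issuer`, but nothing in this commit distributes that CA to the clients of `gitea.home.arpa`, so until the CA certificate is imported browsers will warn and `git clone` over HTTPS will fail verification — a gap that tends to get "fixed" with `http.sslVerify false`, which is worse than the Traefik default certificate it replaces. A comment beside the annotation would record the required step, e.g. `# clients must trust the internal CA: kubectl get secret -n cert-manager internal-ca-cert -o jsonpath='{.data.tls\.crt}' | base64 -d > homelab-ca.crt`. The enclosing `ingress:` mapping and the rest of values/gitea.yaml lie outside the hunk.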
@@ -28,9 +28,14 @@ ingress:
 annotations:
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: internal-ca-issuer
 hosts:
 - pihole.home.arpa
 path: /admin
+ tls:
+ - secretName: pihole-tls
+ hosts:
+ - pihole.home.arpa

 adminPassword: password