Add cert-manager configurations and scripts for Porkbun and Let's Encrypt integration

- Create .env.example for API credentials
- Update .gitignore to include .env file
- Add cluster issuer configurations for internal CA and Let's Encrypt
- Implement porkbun-secret.sh for creating Kubernetes secrets
- Define Helm values for cert-manager, Gitea, and Pihole with TLS settings

.env.example

@@ -0,0 +1,3 @@
+# Porkbun API credentials
+PORKBUN_API_KEY=pk1_your_key_here
+PORKBUN_SECRET_API_KEY=sk1_your_key_here

.gitignore

@@ -1 +1,2 @@
+.env
 old.debian-data

manifests/cert-manager/cluster-issuer-internal.yaml

@@ -0,0 +1,33 @@
+# Internal CA for *.home.arpa
+# Apply: kubectl apply -f manifests/cert-manager/cluster-issuer-internal.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: internal-ca
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: internal-ca-cert
+  namespace: cert-manager
+spec:
+  isCA: true
+  commonName: homelab-internal-ca
+  secretName: internal-ca-cert
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: internal-ca
+    kind: ClusterIssuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: internal-ca-issuer
+spec:
+  ca:
+    secretName: internal-ca-cert

manifests/cert-manager/cluster-issuer-letsencrypt.yaml

@@ -0,0 +1,31 @@
+# Let's Encrypt HTTP-01 issuer for *.nik4nao.com
+# Apply: kubectl apply -f manifests/cert-manager/cluster-issuer-letsencrypt.yaml
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: nik.afiq98@ymail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: traefik
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: nik.afiq98@ymail.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: traefik

manifests/cert-manager/porkbun-secret.sh

@@ -0,0 +1,24 @@
+#!/bin/bash
+# Usage: bash manifests/cert-manager/porkbun-secret.sh
+# Requires: .env file in repo root with PORKBUN_API_KEY and PORKBUN_SECRET_API_KEY
+
+set -e
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+ENV_FILE="$SCRIPT_DIR/../../.env"
+
+if [ ! -f "$ENV_FILE" ]; then
+  echo "Error: .env file not found at $ENV_FILE"
+  echo "Copy .env.example to .env and fill in your values"
+  exit 1
+fi
+
+source "$ENV_FILE"
+
+kubectl create secret generic porkbun-api-credentials \
+  --namespace cert-manager \
+  --from-literal=api-key="$PORKBUN_API_KEY" \
+  --from-literal=secret-api-key="$PORKBUN_SECRET_API_KEY" \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+echo "Secret applied successfully"

values/cert-manager.yaml

@@ -0,0 +1,12 @@
+# cert-manager Helm values
+# Deploy:
+#   helm repo add jetstack https://charts.jetstack.io
+#   helm repo update
+#   helm upgrade --install cert-manager jetstack/cert-manager \
+#     --namespace cert-manager --create-namespace \
+#     -f values/cert-manager.yaml
+
+crds:
+  enabled: true
+
+replicaCount: 1

values/gitea.yaml

@@ -15,11 +15,16 @@ ingress:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: internal-ca-issuer
   hosts:
     - host: gitea.home.arpa
       paths:
         - path: /
           pathType: Prefix
+  tls:
+    - secretName: gitea-tls
+      hosts:
+        - gitea.home.arpa
 
 gitea:
   admin:

values/pihole.yaml

@@ -28,9 +28,14 @@ ingress:
   annotations:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: internal-ca-issuer
   hosts:
     - pihole.home.arpa
   path: /admin
+  tls:
+    - secretName: pihole-tls
+      hosts:
+        - pihole.home.arpa
 
 adminPassword: password