I’m going to try to set up the cert-manager Cloudflare integration using an API key, so that it can automatically create the DNS records: Cloudflare | cert-manager
I’ve also installed the kubectl plugin: Kubectl plugin | cert-manager
(Be careful if you’re on Mac, the default installation instructions are for Linux.) On Mac:
curl -L -o kubectl-cert-manager.tar.gz https://github.com/jetstack/cert-manager/releases/latest/download/kubectl-cert_manager-darwin-amd64.tar.gz
tar xzf kubectl-cert-manager.tar.gz
sudo mv kubectl-cert_manager /usr/local/bin
Note: I found out that kubectl get all -A doesn’t list issuers or clusterissuers.
$ kubectl get issuer -A
No resources found
$ kubectl get clusterissuer -A
NAME READY AGE
letsencrypt True 3h25m
kubectl edit clusterissuer/letsencrypt:
...
spec:
acme:
email: ops@convox.com
privateKeySecretRef:
name: letsencrypt
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- http01:
ingress:
class: nginx
...
So it looks like Convox sets up an http01 solver. I should be able to follow these instructions to change this to a dns01 solver and pass in my cloudflare credentials, so it can automatically create the required DNS records.
The only thing I’m concerned about is how this works with terraform. If I update my rack, will that blow away all of the changes I’m making via kubectl? Or is this a persistent change that won’t be affected? (I’ll try to test this out after I’ve got it working, by changing a param and updating the rack.)