cert-manager rework

kubernetes/apps/cert-manager/app/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

kubernetes/apps/cert-manager/app/release.yaml

@@ -4,20 +4,41 @@ metadata:
   name: cert-manager
   namespace: cert-manager
 spec:
-  releaseName: cert-manager
+  interval: 1h
+  driftDetection:
+    mode: enabled
   chart:
     spec:
       chart: cert-manager
+      version: v1.15.0
       sourceRef:
         kind: HelmRepository
-        name: truecharts
-        namespace: flux-system
-  interval: 5m
+        namespace: cert-manager
+        name: cert-manager
+      interval: 1h
   install:
-    remediation:
-      retries: 3
+    crds: Create
+  upgrade:
+    crds: CreateReplace
   values:
-    certmanager:
-      prometheus:
-        servicemonitor:
-          enabled: false
+    installCRDs: true
+
+    podLabels:
+      rpi5.cluster.policy/egress-kubeapi: "true"
+      rpi5.cluster.policy/egress-namespace: "true"
+      rpi5.cluster.policy/egress-world: "true"
+      rpi5.cluster.policy/ingress-namespace: "true"
+    webhook:
+      podLabels:
+        rpi5.cluster.policy/egress-kubeapi: "true"
+    cainjector:
+      podLabels:
+        rpi5.cluster.policy/egress-kubeapi: "true"
+
+    global:
+      priorityClassName: system-cluster-critical
+
+    podDnsConfig:
+      nameservers:
+        - 1.1.1.1
+        - 1.0.0.1

kubernetes/apps/cert-manager/app/repository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: cert-manager
+  namespace: cert-manager
+spec:
+  interval: 1h
+  url: https://charts.jetstack.io

kubernetes/apps/cert-manager/cert-manager.yaml

@@ -6,9 +6,55 @@ metadata:
 spec:
   interval: 1h
   targetNamespace: cert-manager
-  path: ./kubernetes/templates/apps/cert-manager/app
+  path: ./kubernetes/apps/cert-manager/app
   prune: true
   sourceRef:
     kind: GitRepository
     namespace: flux-system
-    name: flux-system
+    name: flux-system
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: clusterissuer-secrets
+  namespace: flux-system
+spec:
+  interval: 1h
+  path: ./clusterissuer
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: home-cluster-ops-secrets
+  dependsOn:
+    - name: repositories
+      namespace: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: clusterissuer
+  namespace: flux-system
+spec:
+  suspend: true
+  interval: 1h
+  targetNamespace: cert-manager
+  path: ./kubernetes/apps/cert-manager/clusterissuers
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    namespace: flux-system
+    name: flux-system
+  dependsOn:
+    - name: clusterissuer-secrets
+      namespace: flux-system
+    - name: cert-manager
+      namespace: flux-system
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: clusterissuer-secrets

kubernetes/apps/cert-manager/clusterissuer/clusterissuer-cloudflare.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: clusterissuer
+  namespace: cert-manager
+spec:
+  acme:
+    email: ${email}
+    server: https://acme-v02.api.letsencrypt.org/directory
+    solvers:
+      - dns01:
+          cloudflare:
+            email: ${email}
+            apiKeySecretRef:
+              name: clusterissuer-secrets
+              key: cloudflare_api_token
+        selector:
+          dnsNames:
+            - "${cluster_cert_domain}"
+            - "*.${cluster_cert_domain}"