feat: add Cloudflare ClusterIssuer and configure gateway HTTPS support with TLS termination

2026-05-06 22:29:54 +02:00
parent e2fec86130
commit c5aebbcd45
3 changed files with 60 additions and 0 deletions
@@ -3,6 +3,8 @@ apiVersion: gateway.networking.k8s.io/v1
 metadata:
  name: http
  namespace: kgateway-system
+  annotations:
+    cert-manager.io/cluster-issuer: "cloudflare-cluster-issuer"
 spec:
  gatewayClassName: kgateway
  listeners:
@@ -12,3 +14,15 @@ spec:
    allowedRoutes:
      namespaces:
        from: All
+  - protocol: HTTPS
+    port: 443
+    name: https
+    hostname: "*.homelab-test.hnrx.net"
+    allowedRoutes:
+      namespaces:
+        from: All
+    tls:
+        mode: Terminate
+        certificateRefs:
+          - name: homelab-test-hnrx-net-tls
+
@@ -0,0 +1,9 @@
+kind: Bundle
+metadata:
+  name: phase-secrets
+
+defaultNamespace: phase-secrets-operator
+
+dependsOn:
+  - name: fleet-base-setup-08-cert-manager
+  - name: fleet-base-setup-07-phase-secrets-operator
@@ -0,0 +1,37 @@
+apiVersion: secrets.phase.dev/v1alpha1
+kind: PhaseSecret
+metadata:
+  name: cloudflare-api-key-phase-secret
+  namespace: phase-secrets-operator
+spec:
+  phaseApp: 'cert-manager' # The name of your Phase application
+  phaseAppEnv: 'production' # OPTIONAL - The Phase App Environment to fetch secrets from
+  phaseAppEnvPath: '/' # OPTIONAL Path within the Phase application environment to fetch secrets from
+  phaseHost: 'https://phase.hnrx.net' # OPTIONAL - URL of a Phase Console instance
+  pollingInterval: 600 # OPTIONAL - Interval in seconds to poll for secret updates
+  authentication:
+    serviceToken:
+      serviceTokenSecretReference:
+        secretName: 'phase-service-token' # Name of the Phase Service Token with access to your application
+        secretNamespace: 'phase-secrets-operator'
+  managedSecretReferences:
+    - secretName: 'cloudflare-api-key' # Name of the Kubernetes managed secret that Phase will sync
+      secretNamespace: 'cert-manager'
+
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-cluster-issuer
+spec:
+  acme:
+    email: matthias.hinrichs@me.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: cluster-issuer-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-key
+              key: CLOUDFLARE_API_KEY