fix: Add certificate configuration for Traefik (#955)

devantler · web-flow · commit 11d777560e78 · 2025-05-24T01:03:25.000+02:00
* fix(traefik): add certificate configuration and update kustomization files

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* feat(certificates): add root CA certificate file

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* feat(issuers): add ACME Cloudflare ClusterIssuer and related resources
fix(variables): update ConfigMaps and Secrets with email and ACME server details
chore(kustomization): refactor kustomization files for issuer resources

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix(kustomization): update resource reference to selfsigned-cluster-issuer.yaml

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix(hosts): correct traefik domain in hosts file
fix(variables): update domain format in variables-cluster-config-map.yaml

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix(variables): update issuer to acme-cloudflare in cluster config maps

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* feat(helm-release): add CRD installation and upgrade configuration

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* feat(certificates): add traefik certificate and update kustomization references

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

* fix(cluster-issuer): add namespace to cloudflare-api-token secret

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;

---------

Signed-off-by: Nikolai Emil Damm &lt;nikolaiemildamm@icloud.com&gt;
diff --git a/hosts b/hosts
@@ -0,0 +1 @@
+127.0.0.1 traefik.local.platform.devantler.tech
diff --git a/k8s/bases/infrastructure/certificates/kustomization.yaml b/k8s/bases/infrastructure/certificates/kustomization.yaml
@@ -1,3 +1,4 @@
+---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
diff --git a/k8s/bases/infrastructure/certificates/traefik-certificate.yaml b/k8s/bases/infrastructure/certificates/traefik-certificate.yaml
@@ -1,13 +1,13 @@
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: traefik-certificate
+  name: certificate
   namespace: traefik
 spec:
-  secretName: traefik-certificate-tls
+  secretName: certificate-tls
   dnsNames:
     - "${domain}"
     - "*.${domain}"
   issuerRef:
-    name: selfsigned-cluster-issuer
+    name: ${issuer}
     kind: ClusterIssuer
diff --git a/k8s/bases/infrastructure/controllers/cert-manager/helm-release.yaml b/k8s/bases/infrastructure/controllers/cert-manager/helm-release.yaml
@@ -12,6 +12,10 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: cert-manager
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
   # https://github.com/cert-manager/cert-manager/blob/master/deploy/charts/cert-manager/values.yaml
   values:
     podDisruptionBudget:
diff --git a/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml b/k8s/bases/infrastructure/controllers/traefik/helm-release.yaml
@@ -23,10 +23,6 @@ spec:
       # websecure:
       #   middlewares:
       #     - traefik-auth-headers@kubernetescrd
-    # tlsStore:
-    #   default:
-    #     defaultCertificate:
-    #       secretName: cluster-issuer-certificate-tls
     service:
       type: ${traefik_service_type:=LoadBalancer}
     ingressRoute:
@@ -35,6 +31,10 @@ spec:
         matchRule: Host(`traefik.${domain}`)
         entryPoints:
           - websecure
+    tlsStore:
+      default:
+        defaultCertificate:
+          secretName: certificate-tls
         # middlewares:
         #   - name: traefik-forward-auth
         # annotations:
diff --git a/k8s/bases/infrastructure/controllers/traefik/kustomization.yaml b/k8s/bases/infrastructure/controllers/traefik/kustomization.yaml
@@ -1,6 +1,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - namespace.yaml
   - helm-release.yaml
   - helm-repository.yaml
+  - namespace.yaml
diff --git a/k8s/bases/infrastructure/kustomization.yaml b/k8s/bases/infrastructure/kustomization.yaml
@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - certificates/
   - metrics-server/
diff --git a/k8s/bases/infrastructure/middlewares/forward-auth/forward-auth.yaml b/k8s/bases/infrastructure/middlewares/forward-auth/forward-auth.yaml
@@ -12,7 +12,7 @@ spec:
       - Authorization
     tls:
       insecureSkipVerify: true
-      certSecret: cluster-issuer-certificate-tls
+      certSecret: certificate-tls
   headers:
     sslRedirect: true
     stsSeconds: 315360000
diff --git a/k8s/clusters/dev/variables/variables-cluster-config-map.yaml b/k8s/clusters/dev/variables/variables-cluster-config-map.yaml
@@ -6,5 +6,8 @@ metadata:
   namespace: flux-system
 data:
   domain: dev.platform.devantler.tech
+  email: ned@devantler.com
+  acme_server: https://acme-v02.api.letsencrypt.org/directory
   github_app_client_id: Iv23liZ8GHRgpx32Em2y
+  issuer: acme-cloudflare
   traefik_service_type: ClusterIP
diff --git a/k8s/clusters/dev/variables/variables-cluster-secret.enc.yaml b/k8s/clusters/dev/variables/variables-cluster-secret.enc.yaml
@@ -4,6 +4,7 @@ metadata:
     name: variables-cluster
     namespace: flux-system
 stringData:
+    cloudflare_api_token: ENC[AES256_GCM,data:zZgHu/1HJ09YQPGRUTNukJCNGux7+APqiHBEECE2KWA2QXaf5Bvd7A==,iv:xkmZo1lSXF/Hx3vMNl54O8TuT/nAGH4pig5Pp9kKaUc=,tag:Cj3jPc5Nj7AcJIaxWkBQNA==,type:str]
     cloudflared_tunnel_token: ENC[AES256_GCM,data:uTQEeJ45EG5TyUu9I5WSUZVqPHkR3XLZrssdCYm5skgVqXqCIcAirILlYyXWDCCSywxwDcPEnSlnj3Bk4ctvXdSskS9eptNv3VsO4KgYJW5Kwv8RCksgR8h3NmRSXSuMfNS5IOdmVGCp+8IjXD30+bFn98TsByPDX4sUanxQpwV1LJCoduZIckv5cGD1Hvj3T4LSqEv0Trk0KG6yYPlsG1KN8tNsDYwCF8D+Qwy7AAbeBzGT/2hGcQ==,iv:/JW5ftilZFMayltE2RkP1mvYd58mhBNz1lgRi8jM5zQ=,tag:s/IKkb1EH4wnK9SiHO8smA==,type:str]
     dex_client_secret: ENC[AES256_GCM,data:wDXfLk083EYkp3NgngWmclcOegU=,iv:0/JKWrVKcdOya6AyNWXfNh/WF7lFX12eqZMHJb7NXHc=,tag:zoLVCeBafJHRtnP2EHWLoQ==,type:str]
     github_app_client_secret: ENC[AES256_GCM,data:vvY+8+BujzBjj3UE82TOWS6ZKWRoN5a6rTHlE44MIzERqHPtcAJryA==,iv:YkPH3EOX2bSez5rJ5MieuPltRSNMKoXhWXzqClyOjQY=,tag:UNBKTekSzznLsfQmvlH7zQ==,type:str]
@@ -19,7 +20,7 @@ sops:
             eStldU55TjcwdGE4SjF0N3Q4TG9TRGcK1OworkGus/sekn6++t+YQP3QagKuAjeo
             AHzPZPAh7pZNFJ9cnvPwpUx6tlgRVpDUDhTZuNikFVYtCWw/PqRObw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-23T14:28:47Z"
-    mac: ENC[AES256_GCM,data:+O9zBD+jiI41hZA6y558r2wof6wPgRNq/IO5f6sBeayqBqn4VgQ5GYYrA9JADL3jQhM16zQsmLKzaHkMSyCZ7fQ/UayLoVBVZ7X8sjuVvMAH0j7CZy3xpAYh1viFvgx4dR9NpVAttkRadzv40QTLcUiFEZMrEW5QK3UQFB4ox1c=,iv:aZbp7yEeBYDz28Vkr09+SYOUDm2wQeHf6LCY+AQF2Yk=,tag:AMsJfUF2HbSe7dV7H7a+Vw==,type:str]
+    lastmodified: "2025-05-23T19:14:11Z"
+    mac: ENC[AES256_GCM,data:RN9MSm2p0EE7K7y1W+1B/kFLRcA6Nig8QnXI2eS1g5A9o0uhsbmK1uBNjWb25HH6EdaX66YQMd9KGJeR/d7zBQqFYkL3Gxt0aAZkMTdYk2Ans8seSRr91VUGmx9hCZTh6eBZY7TV2TAadBMVsmve5aXo2/8OwRausWIdsI5d504=,iv:0dER3TDBW+jpUU1MyWP3oU4VQuRa6qt8d/BZg1pXlk0=,tag:5XsMF9WC5iLI0sXNEL9zUA==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.10.2
diff --git a/k8s/clusters/local/variables/variables-cluster-config-map.yaml b/k8s/clusters/local/variables/variables-cluster-config-map.yaml
@@ -5,5 +5,6 @@ metadata:
   name: variables-cluster
   namespace: flux-system
 data:
-  domain: traefik.me
+  domain: local.platform.devantler.tech
   github_app_client_id: Iv23liZ8GHRgpx32Em2y
+  issuer: selfsigned
diff --git a/k8s/clusters/prod/variables/variables-cluster-config-map.yaml b/k8s/clusters/prod/variables/variables-cluster-config-map.yaml
@@ -6,5 +6,8 @@ metadata:
   namespace: flux-system
 data:
   domain: platform.devantler.tech
+  email: ned@devantler.com
+  acme_server: https://acme-v02.api.letsencrypt.org/directory
   github_app_client_id: Iv23liZ8GHRgpx32Em2y
+  issuer: acme-cloudflare
   traefik_service_type: ClusterIP
diff --git a/k8s/clusters/prod/variables/variables-cluster-secret.enc.yaml b/k8s/clusters/prod/variables/variables-cluster-secret.enc.yaml
@@ -4,6 +4,7 @@ metadata:
     name: variables-cluster
     namespace: flux-system
 stringData:
+    cloudflare_api_token: ENC[AES256_GCM,data:H3r78cKMZVHTFrEwq/kJ96tKJ11DNSz9yww6+Ihe2GApNhjZ8991rA==,iv:79Kxd9XS00jv3WtTuIAvtC5eHXbZSEmwyrFJHjuvAdI=,tag:C+uJ+Yr+bnVHsqQ+ITntZA==,type:str]
     cloudflared_tunnel_token: ENC[AES256_GCM,data:h+uCmkRbHa2tcA7oxK4r1fpzBdL0G7vX9Ijz+02RxkKpZ+n+sJ8Wr8AARjJ4hyV01SlwY0xrTSB/qgFYUcM00KpEDpirDQF9mV/5BQq9ZqRlnN0EKf70aurvg0BNPitan253X8X1IfqE9GOkiYOWovSk7vFTeTo/MXVrC6xokloxOpGk3XvdsaeL2x16PzvpPvopAh9jS/h2EMD4mMSjoVUTke4hXnvBBAQRN5dZR/3TOPEUIk0JBQ==,iv:uCovFD0ZKeBXR3u63hd+hcgekmt1zqulD8No1w33Hf0=,tag:tAYHBtgxJRONiJKtQnVohA==,type:str]
     dex_client_secret: ENC[AES256_GCM,data:N2lx0i3cU5/tvNOD8VGXD0Deui0=,iv:wd7GKLALtuptqKgcTW+PLQGcMJbce02dOd0m+y6ipZM=,tag:YG0w3pS7DkG+DWdg5K+Idg==,type:str]
     github_app_client_secret: ENC[AES256_GCM,data:MqpUJOm7rBTBnh/dMjmu8JZGxpuEIwBxclc7+4yuzJsn8Q4P0a6Jhw==,iv:sOBoblUdfzbl+IX2wu5gwGUmr5vOBgTMF1wD1WOxqpQ=,tag:0P62JkP4hk3z/iTpWkoHNw==,type:str]
@@ -19,7 +20,7 @@ sops:
             UU5CNmM0eHVwMURtSWJzRkRCdEk2c3MKKiisA8AGWwUEvDsgJ+oqwSlmscNR2+5z
             DCudOY0vl+rqhsHMGdkjRkK29LYuWBI125U2VZqMlPdMlhmRYcQAjA==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2025-05-23T14:34:51Z"
-    mac: ENC[AES256_GCM,data:un2AB2Ve0AcHZY9FNQ/pI+Xrcpp4ge8/8XppZBSd8tYdMHbBUoTRTbgzZwfbQdauvqml56GgptTW76rt7aT54vm/GntFtyDcCj54hj/1s1ASiDVn9hhjAV/rnoVz5CF5Q6n7MthB1UUDlVO+R5Ja7jhCfa0LbZxKeRL54h9VZro=,iv:c+7ftyAcZcrt/+P+wvRg9kbnmAhas6LSkSczMqNJ6SE=,tag:qyYcWFLmmB8LDaNXAg1jyQ==,type:str]
+    lastmodified: "2025-05-23T19:13:23Z"
+    mac: ENC[AES256_GCM,data:D0ckPVtCeF0NSHBwJnfX0XmrG5EQmxMu58LsiFejtk2Iomq8RX+sx0l1iual2nWicoopwxqSqr5tG0qQSoUc0PZjOnvPLHCnw0NxF2NLrxhFzG7yRfMLv1bAaFIHAA2vFaOfqhYcvjlvEZqCLUvfMCfsrS5FtsXGDQ1NCOD30MU=,iv:9VtP2a/BgUib4elpThyyPwWV/v7Z25apQH/LHciMZUI=,tag:cSE0ntgWL8YYmlwI6Fypkw==,type:str]
     encrypted_regex: ^(data|stringData)$
     version: 3.10.2
diff --git a/k8s/distributions/kind/infrastructure/cluster-issuers/selfsigned-cluster-issuer.yaml b/k8s/distributions/kind/infrastructure/cluster-issuers/selfsigned-cluster-issuer.yaml
@@ -1,6 +1,16 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
-  name: selfsigned-cluster-issuer
+  name: selfsigned
 spec:
-  selfSigned: {}
+  ca:
+    secretName: ca-key-pair
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ca-key-pair
+  namespace: cert-manager
+data:
+  tls.crt: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUZGekNDQTMrZ0F3SUJBZ0lRQ1FkKzdrdG95TXVWczcvbWlheFVCekFOQmdrcWhraUc5dzBCQVFzRkFEQ0IKb3pFZU1Cd0dBMVVFQ2hNVmJXdGpaWEowSUdSbGRtVnNiM0J0Wlc1MElFTkJNVHd3T2dZRFZRUUxERE51YVd0dgpiR0ZwWlcxcGJHUmhiVzFBVFdGakxteHZZMkZzWkc5dFlXbHVJQ2hPYVd0dmJHRnBJRVZ0YVd3Z1JHRnRiU2t4ClF6QkJCZ05WQkFNTU9tMXJZMlZ5ZENCdWFXdHZiR0ZwWlcxcGJHUmhiVzFBVFdGakxteHZZMkZzWkc5dFlXbHUKSUNoT2FXdHZiR0ZwSUVWdGFXd2dSR0Z0YlNrd0hoY05NalV3TlRJek1UY3hOelE0V2hjTk16VXdOVEl6TVRjeApOelE0V2pDQm96RWVNQndHQTFVRUNoTVZiV3RqWlhKMElHUmxkbVZzYjNCdFpXNTBJRU5CTVR3d09nWURWUVFMCkRETnVhV3R2YkdGcFpXMXBiR1JoYlcxQVRXRmpMbXh2WTJGc1pHOXRZV2x1SUNoT2FXdHZiR0ZwSUVWdGFXd2cKUkdGdGJTa3hRekJCQmdOVkJBTU1PbTFyWTJWeWRDQnVhV3R2YkdGcFpXMXBiR1JoYlcxQVRXRmpMbXh2WTJGcwpaRzl0WVdsdUlDaE9hV3R2YkdGcElFVnRhV3dnUkdGdGJTa3dnZ0dpTUEwR0NTcUdTSWIzRFFFQkFRVUFBNElCCmp3QXdnZ0dLQW9JQmdRQzZwMlJOVHdqaERkRWh0ZlFrYWJTWlFRbld4L1JpZ21vNDFGamxzb2NEMmxLYnRnVmQKOXl6a2Fxd2JkNHZSTFdLSm0xY0ZyZGw0Uk9vV0RnbENHVkZCTDEwalN2a3NIWEc0djFkaXo0MDhUOXRHZUNzLwpjaitjbDlHN0J0ZktkQlVJanU4SXhkZjBEWVgxZTVGYVhFMThPUlNjUjU1ZElDamRhdDFabStld2EydnZNK05uCi9nZkxENDgvbUh1bEZhWURVK05pRmlBNUM0a2tXb1JMR0djT0tLYW9tb0JrQnlUbDlTeWNRTE9lZzJ0WkJmbDQKaWQvMXJPSXB1cEF2MjJESW9qbitZeVR4RUZXOXE1Vit6VlZHdlN6amw5UlRUVDc4QStFZ0hPQnlocXpLOFJPQgptZjJhTmF0bVhmbGFac1JqZEtURjQyQkQxbENiM0xwc0ZQT1R5VU9haGp5TWFUNUVJWVBhRXc1OXI5RXlNUEN5CndaVml3b0Nua1E0cnRmTkxIT2JwZDhWTnExVHZzSFVSbVdJVEZsRWpBbHdVMThKdU03aC9wUFlFUElxRTFoZzIKd2Q1bkZCZzE3cUhJYSs4T200aGFBTkNpS2Y1c093NVhXWEs0UDFNWTRnYnptMmFCSzIreTl5Rm9USkMvV1RKTgovcE1heWF1WXhENi9sWmtDQXdFQUFhTkZNRU13RGdZRFZSMFBBUUgvQkFRREFnSUVNQklHQTFVZEV3RUIvd1FJCk1BWUJBZjhDQVFBd0hRWURWUjBPQkJZRUZJc0JIck1aTGNtcithUEVZR3BFQ0lyTW5EQVpNQTBHQ1NxR1NJYjMKRFFFQkN3VUFBNElCZ1FDRUZtV1gwZW9Rd2hYZGN0Q1hteUxneWYvb3JZcEhNOCtkamdUOVZjRHZXU3djTWNRagpVVFRhZVhvTGtKVVBkK1Z4N1hWVVZrY0gxOUw0RUJlRXdNQTZqNDJtNFNualFiVHJ6VktORFNBT2laU1VDK3g4CkJ5dE5FVEpLR3FtRFhuTjltaGdqcVpzaTB0MENjZC9kSDJuSVpHTXV5cXI2Y3hxYkJURG1Sdmk3ejhoMEJYeisKcS9BL3N3bkhUKzBvMTBIYXpKalBScnowTUZQeDEyK3NRTVI2WHdEUkUxQWs1UUEyZ0F1VmI1Z1ZEUCtuZk5aMApFaDJUbXh3M3AvL1ZqUjkySzRDaHg4MThWVE8wWlJZQkV6bUhsSmx3VmpnTlFDYWF5Z291dUk5VHlhYU1yNk5hCnVKbzlsUjRGaklGOUxjU3E2TXdrSHFIM0o0NHNhMjRic1VSU1VBb0QyTG9WbXlSaThTc0tkR215OWRGQlEwTWgKcTQ1QUpKOTVaZFNWckwrNU5KVG5pclRVZ1g1Q3RZbGl6disreVFTYlVKblAxays1U29ZekVFZVVYUHBld3RGRAovU0xId2VtZEx4a296N1hsTkdVTzR2MTQ5SXNmeFdjaUZiN1pkZ2xtN2FnY3NqaWR5ZTAyei9uMEQ3clZDZnIvCnVuejZydE5aMk9IWWUrND0KLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQ==
+  tls.key: LS0tLS1CRUdJTiBQUklWQVRFIEtFWS0tLS0tCk1JSUcvZ0lCQURBTkJna3Foa2lHOXcwQkFRRUZBQVNDQnVnd2dnYmtBZ0VBQW9JQmdRQzZwMlJOVHdqaERkRWgKdGZRa2FiU1pRUW5XeC9SaWdtbzQxRmpsc29jRDJsS2J0Z1ZkOXl6a2Fxd2JkNHZSTFdLSm0xY0ZyZGw0Uk9vVwpEZ2xDR1ZGQkwxMGpTdmtzSFhHNHYxZGl6NDA4VDl0R2VDcy9jaitjbDlHN0J0ZktkQlVJanU4SXhkZjBEWVgxCmU1RmFYRTE4T1JTY1I1NWRJQ2pkYXQxWm0rZXdhMnZ2TStObi9nZkxENDgvbUh1bEZhWURVK05pRmlBNUM0a2sKV29STEdHY09LS2FvbW9Ca0J5VGw5U3ljUUxPZWcydFpCZmw0aWQvMXJPSXB1cEF2MjJESW9qbitZeVR4RUZXOQpxNVYrelZWR3ZTempsOVJUVFQ3OEErRWdIT0J5aHF6SzhST0JtZjJhTmF0bVhmbGFac1JqZEtURjQyQkQxbENiCjNMcHNGUE9UeVVPYWhqeU1hVDVFSVlQYUV3NTlyOUV5TVBDeXdaVml3b0Nua1E0cnRmTkxIT2JwZDhWTnExVHYKc0hVUm1XSVRGbEVqQWx3VTE4SnVNN2gvcFBZRVBJcUUxaGcyd2Q1bkZCZzE3cUhJYSs4T200aGFBTkNpS2Y1cwpPdzVYV1hLNFAxTVk0Z2J6bTJhQksyK3k5eUZvVEpDL1dUSk4vcE1heWF1WXhENi9sWmtDQXdFQUFRS0NBWUJ1CkVRT09xd3A3VytCMDFvMFBZOTRCZVY3SjdzTm55NnZEczBSd3Z1UHJHN1VXNlRFbEJmck0vekphU0JhRTFSU0UKUEx3R04weEVKYTg4TGk2N2NaNStwK1Z1U0duQzMrSU5wWmRzUnlQcjZ0Tk5MTk9qNkVVbW5FZ3ExNUFzYkdOeQoxb2FTVDhoV3ZCckFkWXR6RTNjRng4c2xsUDRId0UwWXRFbXU2OGFtTzlJOERnY05iYmsrdndBajZsRVBPa0xaCk40Q2dlSmVyeStlbExsTlF6U1VJTG1TSWpBTWwrU2lEQ2g2eVRWMGVIalVSRy9yT1g4OVhXZ2xMdmg0RWVvSUgKNGcvWmdWV25HQUNiem5POC9paGY3UEdXVzc4TzNTTitMdVJmWTVaZGVEaEx0MlRUYzUzVlFPZWZhSVIwK0dzZwp4dVgyYXNTNWFkRUZMb0ZkNlRkTEFEVDZMU1pDYlpKd0VyT2ZobW4rVU84Q2k5MFFEbmR1elExYjRNL1B0ZVRzCjIrU1FNMTloZGlpdGc2b2MwMk1EYTlrSW9RcUxQekJWVU83Ni9BcksvakJOTFZLenZ2VTk2NCtyV2dsK2JCQm4KUFVMUlltU0dCOTh1QjVSdzZXeFpuSS9XNC9ua3F5UEFwQnJmaTBweXA3eGVTNkdLWjBuUEpuZ3VreWk3UkFFQwpnY0VBNW9tbzIwUzUza3BnYXFVZ3JHVUsrVjVVREJNZW1sbVlZR2d5ZkpIUnNPZjRhZXZ6dWNPMGFwbkI3UkRyCjNkZGdvZzZpdHNHdjZWUlpKODZHd1ZKWERreFhzbk5paDJRaWM4aWt3NnJwMXNWTTFUbFZQWDdTQVpTZStKdjMKT0ZOZ0t4ZXJvTTFnK0J2SDBCKysrQXBYcXl1dkZ6aXdBdW9YWGNRcHBocjRWR2J5TWtwRE5abWVjQjUxMDh0Ugo0dC8vdEprS1lrTk4xQXhxSXBZUGE5K1ZnOXZiaU1za1dxMk85MGY0UEtRLzBmWjNQeDNia0dtVDZ3STdVRGZkCjFtVlpBb0hCQU05RThCUVp1SHN6TGpwTDY4aVQ1U1pSakg3Z211UHFTNGQzeWRZSWlSS0dQOTlZbk1MUUhla20KR2RRaHFqUzhBb1JnT2hDY1R4ODBPTVpmRGJVYWQ1d2JQYUk5ZTNmWWNUNEdDMGhyWkdsNkVZNHhWVmtFcUdXNApZVUtMU2h6aGxWOVE3K1pGQzBKaFNXWTY5TjRuN2M5MTlzc1U4Uzl5bm9xRERzcHFiMEpRNnBZYVJGMHU2Nml1CnFqODBKVEdmU1JhSm5OdmU2VE1lZ3dudzNka3hyWmlZQnY2TEJCWFF3ai96Si9LQUgrOVROR1VqZ1lVRTAxNysKcGp6SndBRnFRUUtCd1FEZm5JYjhxQnpoVUtOVXpmWnpRVTd6c2xzem14Z0Qvd09kLzNONUFMZTBNRXp6OExubgpaYnlKNmJvQWlIbEFKTGpHZUF1NzJRTVgvNGk2NDhneG0veDFFZmUrVDgweUpoNkUwQW1CQVRidjYxQXJRZ0U4Ck5OYmVVWm9nNnFkUkt3NE12bGpyRUVzT1hXUGlxK2hBRDBnWjc3VlZnTmE0L1BiTkxJaDVaWStaem9EOTVxcHEKUXljNitWQ3dybll1NmJiTkplUzhpeXZpa21nZ1JBMlJSTDF4dUwrb1grSlRVaVZxRlpUaXZTNXFLZlpnY2tXVwpQZElNRVk0V3NSbXI2NEVDZ2NFQWd6bE9GaXZDbEoxdW94SDJFV014TFBWc1VkZTV1SnBaZjBianpsSlJGaDFRCnl3SzdITXZPWkJIdlFGS2dCQXNVUE9ML1lBeldPeGRBNnJhN1l2R0MwSjZlZ3QwU0VtcENKOWFEeGpIWHZMKy8KNVpwdVFwR2tXK0pFRVhGR1ZzcXJXMUZPMFNiZFhnVmlCd3RFaEhJYktjR3hvaGw4S1dJVDVmWGJvMk9IVlNFTgpwRUsxRFpuck1UeUVKTWZLMUlQWUxpQ3A0cnBhUWpjTEYzd2J1S3F2RVhFTzNKRCs0U0R1R3JiRGo5QjJaM3J5CkxTWXhsaG5jQ01TSVV1d1lWODBCQW9IQUh6TXFwQ1A4d2Vma0ZBYUN4N09mOEZ5SDQ0WGx3cVFTeG9HbTNUK1cKQUIxVGhucEdtQU82ZU5hVmE2Tkd4WGVhMnIycEtmcTJUSitVYnFnSE1sek53YXFrbTB3OFpqamtDbDlGMXRQQgp6RFBrTlNlMEc5UzM0OHFWRUQ4Sk5VakdEYWppK2QrWXNMZ3pUSDJnWGVQVVJkV0tvNy8ybVB3b2xqa29ZZDJ2ClpHcVRrNWpxRmZvaE9sNnZodmZVTEVDTHk3L3MxVTc4OHBGenB2ZS85OFhmd0JOMDBDZktsU2lkbFN4SmFLQm4Kc0tNTENpNStrcDB1R0lwZjA3OEFvTTZTCi0tLS0tRU5EIFBSSVZBVEUgS0VZLS0tLS0=
diff --git a/k8s/distributions/kind/infrastructure/kustomization.yaml b/k8s/distributions/kind/infrastructure/kustomization.yaml
@@ -4,7 +4,6 @@ kind: Kustomization
 resources:
   - ../../../bases/infrastructure/
   - cluster-issuers/
-  - traefik/
 patches:
   - target:
       kind: HelmRelease
diff --git a/k8s/distributions/talos/infrastructure/cluster-issuers/acme-cloudflare-cluster-issuer.yaml b/k8s/distributions/talos/infrastructure/cluster-issuers/acme-cloudflare-cluster-issuer.yaml
@@ -0,0 +1,25 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: acme-cloudflare
+spec:
+  acme:
+    email: ${email}
+    server: ${acme_server}
+    privateKeySecretRef:
+      name: acme-cloudflare-issuer-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: ${cloudflare_api_token}
diff --git a/k8s/distributions/talos/infrastructure/cluster-issuers/kustomization.yaml b/k8s/distributions/talos/infrastructure/cluster-issuers/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - acme-cloudflare-cluster-issuer.yaml
diff --git a/k8s/distributions/talos/infrastructure/kustomization.yaml b/k8s/distributions/talos/infrastructure/kustomization.yaml
@@ -4,4 +4,5 @@ kind: Kustomization
 resources:
   - ../../../bases/infrastructure/
   - cloudflared/
+  - cluster-issuers/
   - kubelet-serving-cert-approver/
diff --git a/root-ca.pem b/root-ca.pem
@@ -0,0 +1,30 @@
+-----BEGIN CERTIFICATE-----
+MIIFFzCCA3+gAwIBAgIQCQd+7ktoyMuVs7/miaxUBzANBgkqhkiG9w0BAQsFADCB
+ozEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMTwwOgYDVQQLDDNuaWtv
+bGFpZW1pbGRhbW1ATWFjLmxvY2FsZG9tYWluIChOaWtvbGFpIEVtaWwgRGFtbSkx
+QzBBBgNVBAMMOm1rY2VydCBuaWtvbGFpZW1pbGRhbW1ATWFjLmxvY2FsZG9tYWlu
+IChOaWtvbGFpIEVtaWwgRGFtbSkwHhcNMjUwNTIzMTcxNzQ4WhcNMzUwNTIzMTcx
+NzQ4WjCBozEeMBwGA1UEChMVbWtjZXJ0IGRldmVsb3BtZW50IENBMTwwOgYDVQQL
+DDNuaWtvbGFpZW1pbGRhbW1ATWFjLmxvY2FsZG9tYWluIChOaWtvbGFpIEVtaWwg
+RGFtbSkxQzBBBgNVBAMMOm1rY2VydCBuaWtvbGFpZW1pbGRhbW1ATWFjLmxvY2Fs
+ZG9tYWluIChOaWtvbGFpIEVtaWwgRGFtbSkwggGiMA0GCSqGSIb3DQEBAQUAA4IB
+jwAwggGKAoIBgQC6p2RNTwjhDdEhtfQkabSZQQnWx/Rigmo41FjlsocD2lKbtgVd
+9yzkaqwbd4vRLWKJm1cFrdl4ROoWDglCGVFBL10jSvksHXG4v1diz408T9tGeCs/
+cj+cl9G7BtfKdBUIju8Ixdf0DYX1e5FaXE18ORScR55dICjdat1Zm+ewa2vvM+Nn
+/gfLD48/mHulFaYDU+NiFiA5C4kkWoRLGGcOKKaomoBkByTl9SycQLOeg2tZBfl4
+id/1rOIpupAv22DIojn+YyTxEFW9q5V+zVVGvSzjl9RTTT78A+EgHOByhqzK8ROB
+mf2aNatmXflaZsRjdKTF42BD1lCb3LpsFPOTyUOahjyMaT5EIYPaEw59r9EyMPCy
+wZViwoCnkQ4rtfNLHObpd8VNq1TvsHURmWITFlEjAlwU18JuM7h/pPYEPIqE1hg2
+wd5nFBg17qHIa+8Om4haANCiKf5sOw5XWXK4P1MY4gbzm2aBK2+y9yFoTJC/WTJN
+/pMayauYxD6/lZkCAwEAAaNFMEMwDgYDVR0PAQH/BAQDAgIEMBIGA1UdEwEB/wQI
+MAYBAf8CAQAwHQYDVR0OBBYEFIsBHrMZLcmr+aPEYGpECIrMnDAZMA0GCSqGSIb3
+DQEBCwUAA4IBgQCEFmWX0eoQwhXdctCXmyLgyf/orYpHM8+djgT9VcDvWSwcMcQj
+UTTaeXoLkJUPd+Vx7XVUVkcH19L4EBeEwMA6j42m4SnjQbTrzVKNDSAOiZSUC+x8
+BytNETJKGqmDXnN9mhgjqZsi0t0Ccd/dH2nIZGMuyqr6cxqbBTDmRvi7z8h0BXz+
+q/A/swnHT+0o10HazJjPRrz0MFPx12+sQMR6XwDRE1Ak5QA2gAuVb5gVDP+nfNZ0
+Eh2Tmxw3p//VjR92K4Chx818VTO0ZRYBEzmHlJlwVjgNQCaaygouuI9TyaaMr6Na
+uJo9lR4FjIF9LcSq6MwkHqH3J44sa24bsURSUAoD2LoVmyRi8SsKdGmy9dFBQ0Mh
+q45AJJ95ZdSVrL+5NJTnirTUgX5CtYlizv++yQSbUJnP1k+5SoYzEEeUXPpewtFD
+/SLHwemdLxkoz7XlNGUO4v149IsfxWciFb7Zdglm7agcsjidye02z/n0D7rVCfr/
+unz6rtNZ2OHYe+4=
+-----END CERTIFICATE-----

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+127.0.0.1 traefik.local.platform.devantler.tech`
Original file line number	Diff line number	Diff line change
`@@ -1,3 +1,4 @@`
	`1`	`+---`
`1`	`2`	`apiVersion: kustomize.config.k8s.io/v1beta1`
`2`	`3`	`kind: Kustomization`
`3`	`4`	`resources:`