feat: update certificate issuer configurations and add origin CA issuer resources (#960)

* feat: update certificate issuer configurations and add origin CA issuer resources

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix: update resource reference for origin CA issuer in kustomization.yaml

Signed-off-by: Nikolai Emil Damm <[email protected]>

* fix: add missing resource reference for origin issuers in kustomization.yaml

Signed-off-by: Nikolai Emil Damm <[email protected]>

---------

Signed-off-by: Nikolai Emil Damm <[email protected]>

Author: devantler

k8s/bases/infrastructure/certificates/traefik-certificate.yaml

@@ -9,5 +9,7 @@ spec:
     - "${domain}"
     - "*.${domain}"
   issuerRef:
-    name: ${issuer}
-    kind: ClusterIssuer
+    group: ${issuer_group}
+    kind: ${issuer_kind}
+    name: ${issuer_name}
+    

k8s/clusters/dev/variables/variables-cluster-config-map.yaml

@@ -7,7 +7,8 @@ metadata:
 data:
   domain: dev.platform.devantler.tech
   email: [email protected]
-  acme_server: https://acme-v02.api.letsencrypt.org/directory
   github_app_client_id: Iv23liZ8GHRgpx32Em2y
-  issuer: acme-cloudflare
+  issuer_group: cert-manager.k8s.cloudflare.com
+  issuer_kind: ClusterOriginIssuer
+  issuer_name: cloudflare-origin
   traefik_service_type: ClusterIP

k8s/clusters/local/variables/variables-cluster-config-map.yaml

@@ -7,4 +7,6 @@ metadata:
 data:
   domain: local.platform.devantler.tech
   github_app_client_id: Iv23liZ8GHRgpx32Em2y
-  issuer: selfsigned
+  issuer_group: cert-manager.io
+  issuer_kind: ClusterIssuer
+  issuer_name: selfsigned

k8s/clusters/prod/variables/variables-cluster-config-map.yaml

@@ -7,7 +7,8 @@ metadata:
 data:
   domain: platform.devantler.tech
   email: [email protected]
-  acme_server: https://acme-v02.api.letsencrypt.org/directory
   github_app_client_id: Iv23liZ8GHRgpx32Em2y
-  issuer: acme-cloudflare
+  issuer_group: cert-manager.k8s.cloudflare.com
+  issuer_kind: ClusterOriginIssuer
+  issuer_name: cloudflare-origin
   traefik_service_type: ClusterIP

k8s/distributions/talos/infrastructure/cluster-issuers/acme-cloudflare-cluster-issuer.yaml

@@ -0,0 +1,19 @@
+apiVersion: cert-manager.k8s.cloudflare.com/v1
+kind: ClusterOriginIssuer
+metadata:
+  name: cloudflare-origin
+spec:
+  requestType: OriginECC
+  auth:
+    tokenRef:
+      name: cloudflare-api-token
+      key: api-token
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: ${cloudflare_api_token}

k8s/distributions/talos/infrastructure/cluster-issuers/cloudflare-origin-issuer.yaml

@@ -1,4 +1,4 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - acme-cloudflare-cluster-issuer.yaml
+  - cloudflare-origin-issuer.yaml

k8s/distributions/talos/infrastructure/cluster-issuers/kustomization.yaml

@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ../../../../bases/infrastructure/controllers/
+  - origin-ca-issuer/
 patches:
   - target:
       kind: HelmRelease

k8s/distributions/talos/infrastructure/controllers/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: origin-ca-issuer
+  namespace: cert-manager
+spec:
+  interval: 10m
+  chart:
+    spec:
+      chart: origin-ca-issuer
+      version: 0.5.10
+      sourceRef:
+        kind: HelmRepository
+        name: origin-ca-issuer
+  # https://github.com/cloudflare/origin-ca-issuer/blob/trunk/deploy/charts/origin-ca-issuer/values.yaml
+  values: {}

k8s/distributions/talos/infrastructure/controllers/origin-ca-issuer/helm-release.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: origin-ca-issuer
+  namespace: cert-manager
+spec:
+  url: oci://ghcr.io/cloudflare/origin-ca-issuer-charts
+  type: oci