From 101593512fe39e43b664cc97c32611e73f6eb3e8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?M=C3=A1rcio=20Fernandes?= Date: Fri, 29 May 2026 12:24:30 +0000 Subject: [PATCH] add cert manager --- casa-limbosolutions-com/certificate.yaml | 4 +- services/cert-manager/.gitignore | 2 + services/cert-manager/README.md | 94 +++++++++++++++++++ .../cert-manager/cloudflare-api-token.yaml | 15 +++ .../letsencrypt-clusterissuer-prod.yaml | 28 ++++++ .../letsencrypt-clusterissuer-staging.yaml | 29 ++++++ 6 files changed, 171 insertions(+), 1 deletion(-) create mode 100644 services/cert-manager/.gitignore create mode 100644 services/cert-manager/README.md create mode 100644 services/cert-manager/cloudflare-api-token.yaml create mode 100644 services/cert-manager/letsencrypt-clusterissuer-prod.yaml create mode 100644 services/cert-manager/letsencrypt-clusterissuer-staging.yaml diff --git a/casa-limbosolutions-com/certificate.yaml b/casa-limbosolutions-com/certificate.yaml index d933da7..ff764a2 100644 --- a/casa-limbosolutions-com/certificate.yaml +++ b/casa-limbosolutions-com/certificate.yaml @@ -1,4 +1,6 @@ -# to run on icarus +# Proxima iteração arranjar uma maneira de copiar os certificados entre namespaces, ainda foi a mão +# ter em atenção que ao copiar é melhor apagar anotations do cert manager para o mesmo nao ser gerido por mais do que um namespcace + apiVersion: cert-manager.io/v1 kind: Certificate diff --git a/services/cert-manager/.gitignore b/services/cert-manager/.gitignore new file mode 100644 index 0000000..acdcc16 --- /dev/null +++ b/services/cert-manager/.gitignore @@ -0,0 +1,2 @@ +.env.d/** +.env \ No newline at end of file diff --git a/services/cert-manager/README.md b/services/cert-manager/README.md new file mode 100644 index 0000000..912e632 --- /dev/null +++ b/services/cert-manager/README.md 
@@ -0,0 +1,94 @@
+# cert-manager
+
+- [cloudflare](#cloudflare)
+- [api secrets](#api-secrets)
+- [Cluster Issuer](#cluster-issuer)
+ - [Staging](#staging)
+ - [Deploy](#deploy)
+ - [Describe](#describe)
+ - [Production](#production)
+ - [Deploy (Production)](#deploy-production)
+ - [Describe (Production)](#describe-production)
+- [helm chart](#helm-chart)
+
+## cloudflare
+
+## api secrets
+
+[cloudflare-api-token.yaml](./cloudflare-api-token.yaml).
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./cloudflare-api-token.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+## Cluster Issuer
+
+### Staging
+
+#### Deploy
+
+[letsencrypt-clusterissuer-staging.yaml](./letsencrypt-clusterissuer-staging.yaml).
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./letsencrypt-clusterissuer-staging.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+#### Describe
+
+```bash
+kubectl describe clusterissuer letsencrypt-staging
+```
+
+### Production
+
+#### Deploy (Production)
+
+[letsencrypt-clusterissuer-prod.yaml](./letsencrypt-clusterissuer-prod.yaml).
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./letsencrypt-clusterissuer-prod.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+```bash
+set -a
+source ./.env
+set +a
+envsubst < ./letsencrypt-clusterissuer-staging.yaml \
+| kubectl apply -n kube-system -f -
+```
+
+#### Describe (Production)
+
+```bash
+kubectl describe clusterissuer letsencrypt-prod
+```
+
+**Force cert refresh:**
+
+``` bash
+kubectl delete certificaterequest -l cert-manager.io/certificate-name=monitoring-limbosolutions-com-tls
+kubectl delete order -l cert-manager.io/certificate-name=monitoring-limbosolutions-com-tls
+```
+
+## helm chart
+
+``` bash
+helm repo add jetstack https://charts.jetstack.io --force-update
+helm upgrade --install cert-manager jetstack/cert-manager \
+--namespace kube-system \
+--version=v1.20.2 \
+--create-namespace \
+--set crds.enabled=true
+```
diff --git a/services/cert-manager/cloudflare-api-token.yaml b/services/cert-manager/cloudflare-api-token.yaml
new file mode 100644
index 0000000..9126834
--- /dev/null
+++ b/services/cert-manager/cloudflare-api-token.yaml
@@ -0,0 +1,15 @@
+#########################################################################
+# requires ./.env
+# ./.env example:
+# EMAIL="myemail@example.com"
+# check README.md for more information
+##########################################################################
+
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-api-token
+ namespace: kube-system
+type: Opaque
+stringData:
+ api-token: ${CLOUDFLARE_API_TOKEN}
\ No newline at end of file
diff --git a/services/cert-manager/letsencrypt-clusterissuer-prod.yaml b/services/cert-manager/letsencrypt-clusterissuer-prod.yaml
new file mode 100644
index 0000000..c9f4880
--- /dev/null
+++ b/services/cert-manager/letsencrypt-clusterissuer-prod.yaml
@@ -0,0 +1,28 @@
+#########################################################################
+# requires ./.env
+# ./.env example:
+# EMAIL="myemail@example.com"
+# check README.md for more information
+##########################################################################
+
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+ namespace: kube-system
+spec:
+ acme:
+ email: "${EMAIL}"
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod
+ solvers:
+ - selector:
+ dnsZones:
+ - "limbosolutions.com"
+ dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token
+ key: api-token
diff --git a/services/cert-manager/letsencrypt-clusterissuer-staging.yaml b/services/cert-manager/letsencrypt-clusterissuer-staging.yaml
new file mode 100644
index 0000000..8f92601
--- /dev/null
+++ b/services/cert-manager/letsencrypt-clusterissuer-staging.yaml
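Review bot: The header's `.env example` lists only `EMAIL`, but the one variable this manifest actually consumes is `CLOUDFLARE_API_TOKEN` on the last line, and because envsubst replaces an unset variable with an empty string, running the README's `envsubst | kubectl apply` without it silently creates a Secret whose `api-token` is empty — a failure that only shows up later as failed DNS-01 challenges. Correct the header to `# CLOUDFLARE_API_TOKEN="<cloudflare api token>"` and have the README snippet fail fast before envsubst with `: "${CLOUDFLARE_API_TOKEN:?missing in ./.env}"`. A comment is also warranted on `namespace: kube-system`, because it is load-bearing rather than arbitrary: a ClusterIssuer's `apiTokenSecretRef` is resolved in cert-manager's cluster resource namespace, which by default is the namespace cert-manager is installed in (kube-system per the README's helm command), so the Secret and the install must stay in the same namespace. The `.env` holding the token is covered by the `.gitignore` added in this commit; scoping the token to DNS edit on the single zone the prod issuer's `dnsZones` selector names keeps the blast radius of this stored credential small.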
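Review bot: `metadata.namespace: kube-system` on a `ClusterIssuer` has no effect, since the kind is cluster-scoped; the namespace that matters is the one cert-manager resolves `apiTokenSecretRef` in (its cluster resource namespace), which this manifest does not and cannot set, so it falls back to the install namespace. Drop the `namespace:` line and make the coupling explicit with a comment such as `# cluster-scoped: apiTokenSecretRef is looked up in cert-manager's cluster resource namespace (kube-system for this install), not here`. The same stray `namespace:` appears on the staging ClusterIssuer in this commit. The `selector.dnsZones` restriction to `limbosolutions.com` is the right shape for a production issuer and should stay; it is also what the staging issuer is missing.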
@@ -0,0 +1,29 @@
+#########################################################################
+# requires ./.env
+# ./.env example:
+# EMAIL="myemail@example.com"
+# CLOUDFLARE_API_TOKEN="clouddlare api key"
+# check README.md for more information
+##########################################################################
+
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-staging
+ namespace: kube-system
+spec:
+ acme:
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Replace with your domain email.
+ email: "${EMAIL}"
+ privateKeySecretRef:
+ name: letsencrypt-staging
+ solvers:
+ - dns01:
+ cloudflare:
+ email: ${EMAIL}
+ apiTokenSecretRef:
+ name: cloudflare-api-token
+ key: api-token
+
+
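Review bot: `email: ${EMAIL}` under `cloudflare:` is the field cert-manager pairs with `apiKeySecretRef` (Global API Key authentication); with `apiTokenSecretRef` it is not used, and being unquoted it is also the one place in these manifests where a value containing YAML-significant characters would break parsing — remove the line, since the ACME contact address is the `email` under `acme:` above. The staging solver also has no `selector.dnsZones`, unlike the production issuer in this same commit, so any Certificate that references it will drive a DNS-01 attempt regardless of zone; adding the same `dnsZones: ["limbosolutions.com"]` selector keeps the two issuers consistent and limits what the stored token is asked to do. The header line `CLOUDFLARE_API_TOKEN="clouddlare api key"` has a typo and describes a variable this file does not consume (the Secret manifest does), and `# Replace with your domain email.` is stale now that the value is templated from `${EMAIL}`.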