cert-manager, step-ca: Bypass cluster DNS

Having name overrides for in-cluster services breaks ACME challenges, because the server tries to connect to the Service instead of the Ingress. To fix this, we need to configure both _cert-manager_ and _step-ca_ to *only* resolve names using the network-wide DNS server.
2024-07-29 20:54:49 -05:00 · 2024-07-29 20:54:49 -05:00 · b366532c88
parent 079c3871b9
commit b366532c88
2 changed files with 30 additions and 0 deletions
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -28,3 +28,18 @@ secretGenerator:
  - cloudflare.api-token
  options:
    disableNameSuffixHash: true
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: Deployment
+    metadata:
+      name: cert-manager
+      namespace: cert-manager
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None
--- a/step-ca/kustomization.yaml
+++ b/step-ca/kustomization.yaml
@ -21,3 +21,18 @@ configMapGenerator:
  files:
  - root_ca.crt
  - intermediate_ca.crt
+
+patches:
+- patch: |
+    apiVersion: apps/v1
+    kind: StatefulSet
+    metadata:
+      name: step-ca
+      namespace: step-ca
+    spec:
+      template:
+        spec:
+          dnsConfig:
+            nameservers:
+            - 172.30.0.1
+          dnsPolicy: None