From b366532c88023905084f965dc79483cfaf8cf86b Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 29 Jul 2024 20:54:49 -0500
Subject: [PATCH] cert-manager, step-ca: Bypass cluster DNS

Having name overrides for in-cluster services breaks ACME challenges, because the server tries to connect to the Service instead of the Ingress. To fix this, we need to configure both _cert-manager_ and _step-ca_ to *only* resolve names using the network-wide DNS server.
---
 cert-manager/kustomization.yaml | 15 +++++++++++++++
 step-ca/kustomization.yaml | 15 +++++++++++++++
 2 files changed, 30 insertions(+)

diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index 1da8f04..24ab378 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -28,3 +28,18 @@ secretGenerator:
 - cloudflare.api-token
 options:
 disableNameSuffixHash: true
+
+patches:
+- patch: |
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: cert-manager
+ namespace: cert-manager
+ spec:
+ template:
+ spec:
+ dnsConfig:
+ nameservers:
+ - 172.30.0.1
+ dnsPolicy: None
diff --git a/step-ca/kustomization.yaml b/step-ca/kustomization.yaml
index 98f9995..a6489da 100644
--- a/step-ca/kustomization.yaml
+++ b/step-ca/kustomization.yaml
@@ -21,3 +21,18 @@ configMapGenerator:
 files:
 - root_ca.crt
 - intermediate_ca.crt
+
+patches:
+- patch: |
+ apiVersion: apps/v1
+ kind: StatefulSet
+ metadata:
+ name: step-ca
+ namespace: step-ca
+ spec:
+ template:
+ spec:
+ dnsConfig:
+ nameservers:
+ - 172.30.0.1
+ dnsPolicy: None
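Review bot: `dnsPolicy: None` with a single `nameservers` entry and no `searches` leaves the cert-manager Deployment with no fallback resolver and no cluster search domains, so any short or in-cluster name the pod still needs (for example an issuer URL pointing at a `.svc` address, if one is configured) will stop resolving, and all resolution now depends on 172.30.0.1 being reachable; the same applies to the step-ca StatefulSet patch in step-ca/kustomization.yaml. If the network-wide resolver is the intended single source of truth, consider adding a second nameserver entry or at least recording the dependency next to the patch, e.g. `# dnsPolicy None: resolve only via the network-wide DNS so ACME challenges reach the Ingress, not the Service`. The nameserver IP is also duplicated across the two kustomizations with nothing linking them, so a comment pointing at the sibling file would help keep a future change from landing in only one of them.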