cert-manager: Add DNS.01 solver using Cloudflare

Using *acme-dns.io* is incredibly cumbersome. Since each unique subdomain requires its own set of credentials, the `acme-dns.json` file has to be updated every time a new certificate is added. This effectively precludes creating certificates via Ingress annotations. As Cloudflare's DNS service is free and anonymous as well, I thought I would try it out as an alternative to *acme-dns.io*. It seems to work well so far. One potential issue, though, is Cloudflare seems to have several nameservers, with multiple IP addresses each. This may require adding quite a few exceptions to the no-outbound-DNS rule on the firewall. I tried using the "recursive servers only" mode of *cert-manager*, however, as expected, the recursive servers all cache too aggressively. Since the negative cache TTL value in the SOA record for Cloudflare DNS zones is set to 1 hour and cannot be configured, ACME challenges can take at least that long in this mode. Thus, querying the authoritative servers directly is indeed the best option, even though it violates the no-outbound-DNS rule.
2023-05-08 19:56:23 -05:00 · 2023-05-08 19:56:23 -05:00 · c5d0052ed3
parent da211ef63c
commit c5d0052ed3
3 changed files with 25 additions and 0 deletions
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@ -1,4 +1,5 @@
 acme-dns.json
 cert-exporter.pem
 cert-manager.key
+cloudflare.api-token
 zerossl.secret
--- a/cert-manager/cluster-issuer.yaml
+++ b/cert-manager/cluster-issuer.yaml
@ -15,6 +15,12 @@ spec:
      name: zerossl-prod

    solvers:
+    - dns01:
+        cnameStrategy: Follow
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare
+            key: cloudflare.api-token
    - dns01:
        cnameStrategy: Follow
        acmeDNS:
@ -22,3 +28,14 @@ spec:
          accountSecretRef:
            name: acme-dns
            key: acme-dns.json
+      selector:
+        dnsNames:
+        - pyrocufflink.blue
+        - '*.pyrocufflink.blue'
+        - pyrocufflink.net
+        - '*.pyrocufflink.net'
+        - dustin.hatch.name
+        - '*.dustin.hatch.name'
+        - aimee-os.org
+        - '*.aimee-os.org'
+        - '*.import.firefly.pyrocufflink.blue'
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@ -35,3 +35,10 @@ secretGenerator:
  - acme-dns.json
  options:
    disableNameSuffixHash: true
+
+- name: cloudflare
+  namespace: cert-manager
+  files:
+  - cloudflare.api-token
+  options:
+    disableNameSuffixHash: true