From c5d0052ed303d59948667ace11e026021cfa4b56 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Mon, 8 May 2023 19:56:23 -0500
Subject: [PATCH] cert-manager: Add DNS.01 solver using Cloudflare

Using *acme-dns.io* is incredibly cumbersome. Since each unique subdomain requires its own set of credentials, the `acme-dns.json` file has to be updated every time a new certificate is added. This effectively precludes creating certificates via Ingress annotations. As Cloudflare's DNS service is free and anonymous as well, I thought I would try it out as an alternative to *acme-dns.io*. It seems to work well so far. One potential issue, though, is Cloudflare seems to have several nameservers, with multiple IP addresses each. This may require adding quite a few exceptions to the no-outbound-DNS rule on the firewall. I tried using the "recursive servers only" mode of *cert-manager*, however, as expected, the recursive servers all cache too aggressively. Since the negative cache TTL value in the SOA record for Cloudflare DNS zones is set to 1 hour and cannot be configured, ACME challenges can take at least that long in this mode. Thus, querying the authoritative servers directly is indeed the best option, even though it violates the no-outbound-DNS rule.
---
 cert-manager/.gitignore | 1 +
 cert-manager/cluster-issuer.yaml | 17 +++++++++++++++++
 cert-manager/kustomization.yaml | 7 +++++++
 3 files changed, 25 insertions(+)

diff --git a/cert-manager/.gitignore b/cert-manager/.gitignore
index fdf8270..4a4f92f 100644
--- a/cert-manager/.gitignore
+++ b/cert-manager/.gitignore
@@ -1,4 +1,5 @@
 acme-dns.json
 cert-exporter.pem
 cert-manager.key
+cloudflare.api-token
 zerossl.secret
diff --git a/cert-manager/cluster-issuer.yaml b/cert-manager/cluster-issuer.yaml
index f294c65..727618c 100644
--- a/cert-manager/cluster-issuer.yaml
+++ b/cert-manager/cluster-issuer.yaml
@@ -15,6 +15,12 @@ spec:
 name: zerossl-prod
 solvers:
+ - dns01:
+ cnameStrategy: Follow
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare
+ key: cloudflare.api-token
 - dns01:
 cnameStrategy: Follow
 acmeDNS:
@@ -22,3 +28,14 @@ spec:
 accountSecretRef:
 name: acme-dns
 key: acme-dns.json
+ selector:
+ dnsNames:
+ - pyrocufflink.blue
+ - '*.pyrocufflink.blue'
+ - pyrocufflink.net
+ - '*.pyrocufflink.net'
+ - dustin.hatch.name
+ - '*.dustin.hatch.name'
+ - aimee-os.org
+ - '*.aimee-os.org'
+ - '*.import.firefly.pyrocufflink.blue'
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index de2099f..a33f1bc 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -35,3 +35,10 @@ secretGenerator:
 - acme-dns.json
 options:
 disableNameSuffixHash: true
+
+- name: cloudflare
+ namespace: cert-manager
+ files:
+ - cloudflare.api-token
+ options:
+ disableNameSuffixHash: true
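Review bot: The new `cloudflare` solver carries no `selector`, so it becomes the solver for every dnsName not pinned to the acme-dns solver, including any zone that is not actually delegated to Cloudflare, where issuance will just fail at zone lookup. If only some of the zones live at Cloudflare, a `selector: dnsZones:` naming them would make the routing explicit, and it deserves a comment either way, e.g. `# Catch-all solver: any name not listed under acme-dns below is solved via Cloudflare; the token should be scoped to Zone:DNS:Edit (plus Zone:Read) on exactly those zones`. The token's scope is not visible in the diff; `apiTokenSecretRef` takes a scoped API token rather than the account-wide Global API Key, which is the right choice, but unless the token is limited to the zones cert-manager needs, a leaked `cloudflare` Secret can rewrite unrelated DNS. The `solvers` list continues past this hunk (the acmeDNS entry's remaining keys follow).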
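Review bot: The `dnsNames` selector added to the acme-dns solver matches names exactly, so `'*.pyrocufflink.blue'` only claims a challenge whose dnsName is literally that wildcard; a request for `foo.pyrocufflink.blue` does not match here and falls through to the unselected Cloudflare solver. That looks intentional given the commit message (acme-dns only holds credentials for these exact names), but it is easy to misread as zone-level routing, so a comment above the list would help: `# Exact-match list: the names acme-dns.json has credentials for; every other name is solved via Cloudflare`. If zone-level matching was actually wanted, `dnsZones:` is the selector for that. The solver entry this selector belongs to begins in the previous hunk.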
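Review bot: `secretGenerator` with `files:` stores `cloudflare.api-token` byte-for-byte, so a trailing newline left by an editor becomes part of the Secret value and, depending on the cert-manager version, may be sent to Cloudflare as part of the token; create the file with `printf '%s' "$TOKEN" > cloudflare.api-token` or strip the newline before building. The file is gitignored in the same commit, so `kustomize build` fails on a fresh checkout until it is provisioned; a comment such as `# cloudflare.api-token is not in git: scoped Cloudflare API token, one line, no trailing newline` next to the entry would save the next person a round trip. `disableNameSuffixHash: true` is consistent with the existing acme-dns entry and keeps the Secret name the ClusterIssuer references stable.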