From 61bd4a4e4caa72db93dafaa1d1dd40eaec616e4a Mon Sep 17 00:00:00 2001
From: Jonathan Leech-Pepin
Date: Fri, 31 Jan 2025 16:14:03 -0500
Subject: [PATCH] Add wildcard cert for internal
---
 namespaces/cert-manager/chart.yaml | 14 ++++++++++
 namespaces/cert-manager/cloudflare-token.yaml | 28 +++++++++++++++++++
 namespaces/cert-manager/cluster-issuer.yaml | 22 +++++++++++++++
 .../cert-manager/consultjlpdotcom-cert.yaml | 15 ++++++++++
 .../jlptechdotconsulting-cert.yaml | 15 ++++++++++
 .../cert-manager/leechpepindotcom-cert.yaml | 15 ++++++++++
 namespaces/cert-manager/namespace.yaml | 7 +++++
 namespaces/homelab/gateway.yaml | 2 +-
 8 files changed, 117 insertions(+), 1 deletion(-)
 create mode 100644 namespaces/cert-manager/chart.yaml
 create mode 100644 namespaces/cert-manager/cloudflare-token.yaml
 create mode 100644 namespaces/cert-manager/cluster-issuer.yaml
 create mode 100644 namespaces/cert-manager/consultjlpdotcom-cert.yaml
 create mode 100644 namespaces/cert-manager/jlptechdotconsulting-cert.yaml
 create mode 100644 namespaces/cert-manager/leechpepindotcom-cert.yaml
 create mode 100644 namespaces/cert-manager/namespace.yaml
diff --git a/namespaces/cert-manager/chart.yaml b/namespaces/cert-manager/chart.yaml
new file mode 100644
index 0000000..3b91f1e
--- /dev/null
+++ b/namespaces/cert-manager/chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+ name: cert-manager
+ namespace: kube-system
+spec:
+ chart: cert-manager
+ repo: https://charts.jetstack.io
+ targetNamespace: cert-manager
+ createNamespace: true
+ valuesContent: |-
+ installCRDs: true
+ prometheus:
+ enabled: false
diff --git a/namespaces/cert-manager/cloudflare-token.yaml b/namespaces/cert-manager/cloudflare-token.yaml
new file mode 100644
index 0000000..7dfe326
--- /dev/null
+++ b/namespaces/cert-manager/cloudflare-token.yaml
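Review bot: The HelmChart for cert-manager has no `version:` under `spec`, so whichever chart version is current at charts.jetstack.io when the controller reconciles is what gets installed, and a later re-apply can silently pull a newer cert-manager (and its CRDs, given `installCRDs: true`) than the one that was tested. For the component that will hold the ACME account key and read the Cloudflare API token, pin it, e.g. `version: "<CERT_MANAGER_CHART_VERSION>"` next to `chart: cert-manager`, and bump it deliberately. Minor: this file and cluster-issuer.yaml omit the `---` document start that cloudflare-token.yaml and namespace.yaml use; pick one convention for the directory.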
@@ -0,0 +1,28 @@
+---
+apiVersion: secrets.infisical.com/v1alpha1
+kind: InfisicalSecret
+metadata:
+ name: certmanager-secrets
+ namespace: infisical
+ labels:
+ label-to-be-passed-to-managed-secret: homelab
+ annotations:
+ example.com/annotation-to-be-passed-to-managed-secret: "homelab"
+spec:
+ hostAPI: https://app.infisical.com/api
+ resyncInterval: 10
+ authentication:
+ # Universal Auth
+ universalAuth:
+ secretsScope:
+ projectSlug: homelab-n-f-yj
+ envSlug: prod
+ secretsPath: "/cert-manager" # Root is "/"
+ recursive: true # Whether or not to use recursive mode (Fetches all secrets in an environment from a given secret path, and all folders inside the path) / defaults to false
+ credentialsRef:
+ secretName: universal-auth-credentials
+ secretNamespace: infisical
+ managedSecretReference:
+ secretName: certmanager-secrets
+ secretNamespace: cert-manager
+ creationPolicy: "Orphan" ## Owner | Orphan
diff --git a/namespaces/cert-manager/cluster-issuer.yaml b/namespaces/cert-manager/cluster-issuer.yaml
new file mode 100644
index 0000000..381ef8c
--- /dev/null
+++ b/namespaces/cert-manager/cluster-issuer.yaml
@@ -0,0 +1,22 @@
+# ClusterIssuer for Let's Encrypt
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-prod
+spec:
+ acme:
+ email: jonathan@leechpepin.com
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: letsencrypt-prod-account-key
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: certmanager-secrets
+ key: CLOUDFLARE_API_TOKEN
+ selector:
+ dnsZones:
+ - "leechpepin.com"
+ - "consultjlp.com"
+ - "jlptech.consulting"
diff --git a/namespaces/cert-manager/consultjlpdotcom-cert.yaml b/namespaces/cert-manager/consultjlpdotcom-cert.yaml
new file mode 100644
index 0000000..978bd6b
--- /dev/null
+++ b/namespaces/cert-manager/consultjlpdotcom-cert.yaml
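Review bot: The `labels`/`annotations` on the InfisicalSecret (`label-to-be-passed-to-managed-secret: homelab`, `example.com/annotation-to-be-passed-to-managed-secret: "homelab"`) read as the operator's sample text left in place; their names indicate they are copied onto the managed `certmanager-secrets` Secret in `cert-manager`, so either give them meaningful names or drop both stanzas. Separately, `creationPolicy: "Orphan"` leaves the managed Secret holding the Cloudflare API token behind in `cert-manager` if this InfisicalSecret is ever deleted; unless that is intended, `creationPolicy: "Owner"` lets Kubernetes garbage-collect it together with the CR. The trailing `## Owner | Orphan` comment could then say why the chosen policy was picked instead of listing the options.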
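Review bot: `apiTokenSecretRef` under the dns01 solver carries no comment on where the Secret is looked up: for a ClusterIssuer cert-manager resolves referenced Secrets in its cluster-resource namespace (default `cert-manager`), not in the Certificate's namespace, which is why the InfisicalSecret writes to `secretNamespace: cert-manager`. Add `# Looked up in cert-manager's cluster-resource namespace (default cert-manager); written by cloudflare-token.yaml` above `name: certmanager-secrets` so the coupling survives a later change to the Helm values. This issuer points only at the production ACME directory; a `letsencrypt-staging` ClusterIssuer against the staging directory is the usual companion for testing issuance without consuming production rate limits, and the three Certificates added in this commit would be its first consumers.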
@@ -0,0 +1,15 @@
+# Wildcard Certificate
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-leechpepin
+ namespace: homelab
+spec:
+ secretName: wildcard-leechpepin-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ commonName: "*.consultjlp.com"
+ dnsNames:
+ - "*.consultjlp.com"
+ - "consultjlp.com"
diff --git a/namespaces/cert-manager/jlptechdotconsulting-cert.yaml b/namespaces/cert-manager/jlptechdotconsulting-cert.yaml
new file mode 100644
index 0000000..d22e8df
--- /dev/null
+++ b/namespaces/cert-manager/jlptechdotconsulting-cert.yaml
@@ -0,0 +1,15 @@
+# Wildcard Certificate
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-leechpepin
+ namespace: homelab
+spec:
+ secretName: wildcard-leechpepin-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ commonName: "*.jlptech.consulting"
+ dnsNames:
+ - "*.jlptech.consulting"
+ - "jlptech.consulting"
diff --git a/namespaces/cert-manager/leechpepindotcom-cert.yaml b/namespaces/cert-manager/leechpepindotcom-cert.yaml
new file mode 100644
index 0000000..46630cb
--- /dev/null
+++ b/namespaces/cert-manager/leechpepindotcom-cert.yaml
@@ -0,0 +1,15 @@
+# Wildcard Certificate
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-leechpepin
+ namespace: homelab
+spec:
+ secretName: wildcard-leechpepin-tls
+ issuerRef:
+ name: letsencrypt-prod
+ kind: ClusterIssuer
+ commonName: "*.leechpepin.com"
+ dnsNames:
+ - "*.leechpepin.com"
+ - "leechpepin.com"
diff --git a/namespaces/cert-manager/namespace.yaml b/namespaces/cert-manager/namespace.yaml
new file mode 100644
index 0000000..abdab4c
--- /dev/null
+++ b/namespaces/cert-manager/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ labels:
+ homelab-access: "true"
+ name: cert-manager
diff --git a/namespaces/homelab/gateway.yaml b/namespaces/homelab/gateway.yaml
index 17b6861..6dea9e5 100644
--- a/namespaces/homelab/gateway.yaml
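Review bot: This Certificate, jlptechdotconsulting-cert.yaml and leechpepindotcom-cert.yaml all declare `name: wildcard-leechpepin` in `namespace: homelab` with `secretName: wildcard-leechpepin-tls`, so they are a single Kubernetes object: whichever manifest is applied last wins, and every re-apply that swaps `commonName`/`dnsNames` back makes cert-manager request a fresh certificate from the production ACME endpoint, consuming rate limits while only one of the three zones has a certificate at any time. Give each manifest its own identity — here `name: wildcard-consultjlp` and `secretName: wildcard-consultjlp-tls`, and e.g. `wildcard-jlptech-consulting` / `wildcard-jlptech-consulting-tls` in jlptechdotconsulting-cert.yaml — and then reference each Secret from the Gateway listener that should serve that zone. The `# Wildcard Certificate` header could also name the zone, e.g. `# Wildcard Certificate for consultjlp.com (letsencrypt-prod, dns01/cloudflare)`.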
+++ b/namespaces/homelab/gateway.yaml
@@ -29,7 +29,7 @@ spec:
 mode: Terminate
 certificateRefs:
 - kind: Secret
- name: infisical-self-signed-cert
+ name: wildcard-leechpepin-tls
 - allowedRoutes:
 namespaces:
 from: Selector
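Review bot: The listener's `certificateRefs` still holds a single entry, now `wildcard-leechpepin-tls`, while this commit also adds Certificates for consultjlp.com and jlptech.consulting; nothing in gateway.yaml references a Secret for those zones, so a `*.leechpepin.com` certificate is all this listener can present and it will not validate for the other two (the listener's `hostname` and the rest of the `listeners` list are outside the hunk, so they may be covered there). If one listener per zone is intended, each needs its own `certificateRefs` entry pointing at that zone's Secret. The Certificate is created in `namespace: homelab`, so the reference works without a ReferenceGrant only as long as this Gateway is in `homelab` as well. The replaced `infisical-self-signed-cert` Secret is not removed by this patch; if nothing else uses it, delete it so a stale self-signed certificate is not left around to be referenced by mistake.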