Initial argo deployment

This commit is contained in:
2026-05-17 20:44:31 -05:00
parent 97e9889251
commit 905b4619d6
33 changed files with 1322 additions and 0 deletions

View File

@@ -0,0 +1,29 @@
# ------------------------------------------------------------------------------
# Platform: cert-manager
# Wave 3 — depends on ESO (wave 1) for Cloudflare token secret
# ------------------------------------------------------------------------------
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
annotations:
argocd.argoproj.io/sync-wave: "3"
spec:
project: default
source:
repoURL: https://charts.jetstack.io
chart: cert-manager
targetRevision: v1.17.2
helm:
valuesFile: values.yaml
destination:
server: https://kubernetes.default.svc
namespace: cert-manager
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true

View File

@@ -0,0 +1,49 @@
# ------------------------------------------------------------------------------
# cert-manager ClusterIssuer — Let's Encrypt via Cloudflare DNS-01
#
# The cloudflare-api-token secret is populated by ESO from 1Password.
# See externalsecret.yaml for the ESO resource that creates it.
# ------------------------------------------------------------------------------
# Staging issuer — use this first to avoid LE rate limits during testing
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: ryan.blundon@protonmail.com
privateKeySecretRef:
name: letsencrypt-staging-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token
selector:
dnsZones:
- mk-labs.cloud
---
# Production issuer — switch to this once staging certs are working
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
email: ryan.blundon@protonmail.com
privateKeySecretRef:
name: letsencrypt-prod-key
solvers:
- dns01:
cloudflare:
apiTokenSecretRef:
name: cloudflare-api-token
key: api-token
selector:
dnsZones:
- mk-labs.cloud

View File

@@ -0,0 +1,26 @@
# ------------------------------------------------------------------------------
# ExternalSecret — Cloudflare API Token
# Pulled from 1Password via Connect Server, materialized as a K8s secret
# in the cert-manager namespace for use by the ClusterIssuer.
#
# In 1Password, store the token as an item named "cloudflare" with a field
# named "api-token" in the "mk-labs" vault.
# ------------------------------------------------------------------------------
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloudflare-api-token
namespace: cert-manager
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
refreshInterval: "1h"
target:
name: cloudflare-api-token
creationPolicy: Owner
data:
- secretKey: api-token
remoteRef:
key: cloudflare # 1Password item name
property: api-token # 1Password field name

View File

@@ -0,0 +1,23 @@
# ------------------------------------------------------------------------------
# cert-manager — Helm Values
# Chart: https://charts.jetstack.io
# ------------------------------------------------------------------------------
# Install CRDs via Helm (recommended — keeps CRDs in sync with chart version)
crds:
enabled: true
# Replicas — 1 is fine for homelab
replicaCount: 1
# Use Cloudflare DNS-01 recursive nameservers (same pattern as Traefik/lightning-lane)
# Only use 1.1.1.1 for DNS-01 challenge resolution — keeps it off internal DNS
extraArgs:
- --dns01-recursive-nameservers-only
- --dns01-recursive-nameservers=1.1.1.1:53
# Prometheus metrics for cinderella-castle
prometheus:
enabled: true
servicemonitor:
enabled: false # enable once Prometheus operator is in-cluster