```yaml
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: name@yourname.xzy
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - dns01:
        cloudflare:
          email: <cloudflare account email>
          apiTokenSecretRef:
            name: cloudflare-api-token-secret
            key: apiKey
```
Python

In the Pulumi Python SDK, Kubernetes resources can be created using the `pulumi_kubernetes` package. `ClusterIssuer` is a cert-manager custom resource rather than a built-in Kubernetes type, so your YAML configuration is implemented in Python using `pulumi_kubernetes.apiextensions.CustomResource`. Note that you have to replace placeholder values like `<cloudflare account email>` with actual values or references to existing secrets within your environment.

Below you'll find the Pulumi program that creates a `ClusterIssuer` for Let's Encrypt with the ACME DNS01 solver using Cloudflare for DNS challenges:

```python
import pulumi
import pulumi_kubernetes as k8s

# ClusterIssuer is a cert-manager CRD, so it is declared as a CustomResource.
# The cert-manager CRDs must already be installed in the cluster.
letsencrypt_prod_cluster_issuer = k8s.apiextensions.CustomResource(
    "letsencrypt-prod",
    api_version="cert-manager.io/v1",
    kind="ClusterIssuer",
    # ClusterIssuer is cluster-scoped, so the YAML's metadata.namespace is omitted.
    metadata=k8s.meta.v1.ObjectMetaArgs(name="letsencrypt-prod"),
    spec={
        "acme": {
            "server": "https://acme-v02.api.letsencrypt.org/directory",
            "email": "name@yourname.xzy",
            # Secret in which cert-manager stores the ACME account private key
            "privateKeySecretRef": {"name": "letsencrypt-prod"},
            "solvers": [{
                "dns01": {
                    "cloudflare": {
                        "email": "cloudflare_account_email@example.com",
                        # Existing Secret holding the Cloudflare API token
                        "apiTokenSecretRef": {
                            "name": "cloudflare-api-token-secret",
                            "key": "apiKey",
                        },
                    },
                },
            }],
        },
    },
)

# For documentation on custom resources in Pulumi, refer to the Kubernetes provider:
# https://www.pulumi.com/registry/packages/kubernetes/api-docs/apiextensions/customresource/
```
Replace `"cloudflare_account_email@example.com"` with your actual Cloudflare account email or a Pulumi config reference if the email should be kept secret. Ensure that the secret `cloudflare-api-token-secret` with the key `apiKey` exists in your Kubernetes cluster, as it's being referenced by the `ClusterIssuer`. For a `ClusterIssuer`, cert-manager looks this secret up in its cluster resource namespace, which is `cert-manager` by default.

The Pulumi program will provision the `ClusterIssuer` resource in your Kubernetes cluster when run with the appropriate credentials configured in your environment.
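A pre-deployment check for the manifest above, as an added example that is not part of the original answer or of Pulumi's or cert-manager's code. `lint_cluster_issuer` and `PAGE_MANIFEST` are hypothetical names; the rules assume cert-manager's Cloudflare solver, which authenticates with either an API token or an API key plus account email.

```python
import re

PLACEHOLDER = re.compile(r"<[^<>]+>")  # e.g. "<cloudflare account email>"

def _strings(node, path=""):
    """Yield (path, value) for every string inside a nested dict/list."""
    if isinstance(node, dict):
        for k, v in node.items():
            yield from _strings(v, f"{path}.{k}" if path else k)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            yield from _strings(v, f"{path}[{i}]")
    elif isinstance(node, str):
        yield path, node

def lint_cluster_issuer(manifest):
    """Return a list of findings for a cert-manager ClusterIssuer manifest."""
    findings = [f"{p}: unreplaced placeholder {v!r}"
                for p, v in _strings(manifest) if PLACEHOLDER.search(v)]
    if manifest.get("kind") == "ClusterIssuer" and "namespace" in manifest.get("metadata", {}):
        findings.append("metadata.namespace: ClusterIssuer is cluster-scoped, field has no effect")
    solvers = manifest.get("spec", {}).get("acme", {}).get("solvers", [])
    for i, solver in enumerate(solvers):
        cf = solver.get("dns01", {}).get("cloudflare")
        if cf is None:
            continue
        where = f"spec.acme.solvers[{i}].dns01.cloudflare"
        token, key = cf.get("apiTokenSecretRef"), cf.get("apiKeySecretRef")
        if bool(token) == bool(key):
            findings.append(f"{where}: set exactly one of apiTokenSecretRef / apiKeySecretRef")
        if key and not cf.get("email"):
            findings.append(f"{where}: apiKeySecretRef requires email")
        for name, ref in (("apiTokenSecretRef", token), ("apiKeySecretRef", key)):
            if ref and not (ref.get("name") and ref.get("key")):
                findings.append(f"{where}.{name}: needs both name and key")
    return findings

# The page's YAML as a dict (values copied from the manifest above).
PAGE_MANIFEST = {
    "apiVersion": "cert-manager.io/v1", "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod", "namespace": "cert-manager"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "email": "name@yourname.xzy",
        "privateKeySecretRef": {"name": "letsencrypt-prod"},
        "solvers": [{"dns01": {"cloudflare": {
            "email": "<cloudflare account email>",
            "apiTokenSecretRef": {"name": "cloudflare-api-token-secret", "key": "apiKey"},
        }}}],
    }},
}
```

Run against `PAGE_MANIFEST`, it reports the unreplaced Cloudflare email placeholder and the ineffective `metadata.namespace`.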