From 8613e1ccce201af5b7979da9f27bc3e48c9f8635 Mon Sep 17 00:00:00 2001
From: justgithubaccount
Date: Sat, 6 Dec 2025 11:44:01 +0300
Subject: [PATCH 1/4] feat(external-dns): add Cloudflare SealedSecret with Reflector
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Add new SealedSecret for Cloudflare API token with Reflector annotations to automatically replicate to cert-manager namespace.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 .../external-dns/base/cloudflare-secrets.yaml | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/platform/infrastructure/networking/external-dns/base/cloudflare-secrets.yaml b/platform/infrastructure/networking/external-dns/base/cloudflare-secrets.yaml
index 91c4bea..bc2e000 100644
--- a/platform/infrastructure/networking/external-dns/base/cloudflare-secrets.yaml
+++ b/platform/infrastructure/networking/external-dns/base/cloudflare-secrets.yaml
@@ -2,14 +2,19 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
- name: external-dns-secret
+ name: cloudflare-token
 namespace: external-dns
 annotations:
 argocd.argoproj.io/sync-wave: "50"
 spec:
 encryptedData:
- CLOUDFLARE_TOKEN: AgC0Fgidl3N2GuW/ZzytAv40fdOXlE4Qoo7t0D6DJjI5ljXsZSLUhOAT5kXOpSR4I9Hx4z0zWqiLIuEO7d0wnpjutkWLdjr2qJ0JNIzeQLzZe453XOcXVO15pArS3Mz/YVu+zcCxrjqAcjk265F8SgfaJHHqYzRysP6NzeQXIe2NQ1LtS9XsjjKnDeRtDCTT9/uL8azA9EwbLY3fqfiZAKdI7i+YSY0U2xSUdEwcxHTf6f/3rTQgOk7soELmZWtBEMtGtmrf2lJut3DK6Craz8HIwlO6pLJ6oUeX4rkXRdpRa0oLad8+b5K+hP2sK1XjOqE13YbJr6U+S4mpY6O4NHTeiw5IW1QRGqZDNQRT0lThSFU3cH3NBIcl5TfsmQdcmR+U3wra970t31wk6h16/MUbgI8Fzla7z4568HUyMd7wTer6lSqJp7ZVVAUHRRMCTQ4rdS2y+7OT4Oyn8AKNEc6X9HP1XfiIho5b8e9vDhNz7KrNaKh4xQmb+Q5wMfwsBUT3NPq2ILoyj/nkD8jsIKEiIctRKGYCoTaokHtxBrLlG9/YRYllKwWMcJ7r9/9HzYhhDizfo589A6WtpQ2HC5b36sb7dZbaWkvQE0oJhIClvUCx4baXq3rA9DiSkc7DqgME0ZpS02b2qyANlbuXDWSl9BClkNCJO+yWenYTlmNlaZhPOXqje1k1ZJ2K3zq4P/omiHzSIS1OA7+pmBqVcGLMZyI/i6cDuk7PefoYJE3dj8Ad+hXUggMM
+ CLOUDFLARE_TOKEN: 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
 template:
 metadata:
- name: external-dns-secret
+ name: cloudflare-token
 namespace: external-dns
+ annotations:
+ reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+ reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "cert-manager"
+ reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+ reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "cert-manager"
From 44c8d6527523bf44fdbafca11c294aac6977914a Mon Sep 17 00:00:00 2001
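Review bot: The added `spec.template.metadata.annotations` block in cloudflare-secrets.yaml makes this one Secret the Cloudflare credential for both external-dns and cert-manager, and the manifest carries no comment saying so. Anyone who re-seals or rotates `CLOUDFLARE_TOKEN` here also changes what the cert-manager DNS-01 solver uses, so I would add above the annotations: `# Mirrored to cert-manager by Reflector; the ClusterIssuer reads this Secret, so rotate with both consumers in mind`. Because a single token now has to satisfy both consumers, it is worth confirming that it is scoped to DNS edits on the managed zones only; the token's permissions are not visible in this patch. Keeping `reflection-allowed-namespaces` and `reflection-auto-namespaces` limited to `cert-manager` is the right restriction and should stay that narrow.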
From: justgithubaccount
Date: Sat, 6 Dec 2025 11:44:24 +0300
Subject: [PATCH 2/4] refactor(external-dns): use cloudflare-token secret name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change secret reference from external-dns-secret to cloudflare-token for unified secret naming across services.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 .../networking/external-dns/base/application.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform/infrastructure/networking/external-dns/base/application.yaml b/platform/infrastructure/networking/external-dns/base/application.yaml
index 4f4a60e..aab308f 100644
--- a/platform/infrastructure/networking/external-dns/base/application.yaml
+++ b/platform/infrastructure/networking/external-dns/base/application.yaml
@@ -27,7 +27,7 @@ spec:
 - name: CF_API_TOKEN
 valueFrom:
 secretKeyRef:
- name: external-dns-secret
+ name: cloudflare-token
 key: CLOUDFLARE_TOKEN
 syncPolicy:
 automated:
From 375557f34518d81f86a5986c39ab2481069060f3 Mon Sep 17 00:00:00 2001
From: justgithubaccount
Date: Sat, 6 Dec 2025 11:44:41 +0300
Subject: [PATCH 3/4] refactor(cert-manager): use cloudflare-token secret name
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Change ClusterIssuer to use cloudflare-token secret (replicated by Reflector from external-dns namespace) instead of cert-manager-secret.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 .../networking/cert-manager/base/issuer-cluster.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/platform/infrastructure/networking/cert-manager/base/issuer-cluster.yaml b/platform/infrastructure/networking/cert-manager/base/issuer-cluster.yaml
index eec6d67..81857f3 100644
--- a/platform/infrastructure/networking/cert-manager/base/issuer-cluster.yaml
+++ b/platform/infrastructure/networking/cert-manager/base/issuer-cluster.yaml
@@ -14,5 +14,5 @@ spec:
 - dns01:
 cloudflare:
 apiTokenSecretRef:
- name: cert-manager-secret
+ name: cloudflare-token
 key: CLOUDFLARE_TOKEN
From 3b63cbd9c89e1dca22c6455af1ceb63715405eaa Mon Sep 17 00:00:00 2001
From: justgithubaccount
Date: Sat, 6 Dec 2025 11:44:57 +0300
Subject: [PATCH 4/4] refactor(cert-manager): remove duplicate Cloudflare secret
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Remove cloudflare-secrets.yaml - secret is now replicated from external-dns namespace via Reflector.
🤖 Generated with [Claude Code](https://claude.com/claude-code)
Co-Authored-By: Claude Opus 4.5
---
 .../cert-manager/base/cloudflare-secrets.yaml | 15 ---------------
 .../cert-manager/base/kustomization.yaml | 4 ++--
 2 files changed, 2 insertions(+), 17 deletions(-)
 delete mode 100644 platform/infrastructure/networking/cert-manager/base/cloudflare-secrets.yaml
diff --git a/platform/infrastructure/networking/cert-manager/base/cloudflare-secrets.yaml b/platform/infrastructure/networking/cert-manager/base/cloudflare-secrets.yaml
deleted file mode 100644
index bf7bb82..0000000
--- a/platform/infrastructure/networking/cert-manager/base/cloudflare-secrets.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
- name: cert-manager-secret
- namespace: cert-manager
- annotations:
- argocd.argoproj.io/sync-wave: "50"
-spec:
- encryptedData:
- CLOUDFLARE_TOKEN: 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
- template:
- metadata:
- name: cert-manager-secret
- namespace: cert-manager
diff --git a/platform/infrastructure/networking/cert-manager/base/kustomization.yaml b/platform/infrastructure/networking/cert-manager/base/kustomization.yaml
index 71ba4ce..58d2eec 100644
--- a/platform/infrastructure/networking/cert-manager/base/kustomization.yaml
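Review bot: In issuer-cluster.yaml, `apiTokenSecretRef.name: cloudflare-token` now refers to a Secret that nothing in the cert-manager base defines (the last patch of the series deletes the SealedSecret that used to live there), so issuance depends on Reflector having copied it from `external-dns`. If Reflector is not running, or this issuer syncs before the copy exists, the DNS-01 solver will presumably fail on a missing Secret; the ordering between the applications is not visible in this hunk. I would record the dependency next to the reference, e.g. `# Secret is a Reflector mirror of external-dns/cloudflare-token; not created by this base`, and watch for challenges stuck pending so a broken mirror is noticed before certificates expire. The ClusterIssuer's `spec` starts above the hunk.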
+++ b/platform/infrastructure/networking/cert-manager/base/kustomization.yaml
@@ -1,5 +1,5 @@
 resources:
 - application.yaml
- - cloudflare-secrets.yaml
 - cert-cluster.yaml
- - issuer-cluster.yaml
\ No newline at end of file
+ - issuer-cluster.yaml
+# cloudflare-secrets.yaml removed - using Reflector from external-dns namespace
\ No newline at end of file