### ClusterIssuer for Let's Encrypt with Cloudflare DNS01 Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md Configures a ClusterIssuer for Cert-Manager to obtain TLS certificates from Let's Encrypt using the DNS01 challenge with Cloudflare. It requires a Kubernetes Secret containing a Cloudflare API token. ```yaml apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt spec: acme: server: https://acme-v02.api.letsencrypt.org/directory email: 770135+nce@users.noreply.github.com privateKeySecretRef: name: letsencrypt solvers: - dns01: cloudflare: apiTokenSecretRef: name: cloudflare-api-token key: api-token ``` -------------------------------- ### SecretStore and ClusterSecretStore Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md Configures External Secrets to sync secrets from OCI Vault into Kubernetes. SecretStore is namespace-scoped, while ClusterSecretStore is cluster-wide. ```APIDOC ## SecretStore & ClusterSecretStore ### Description Configures External Secrets to sync secrets from OCI Vault into Kubernetes. SecretStore is namespace-scoped, while ClusterSecretStore is cluster-wide. ### API Version `external-secrets.io/v1` ### Kind `SecretStore` (namespace-scoped) | `ClusterSecretStore` (cluster-wide) ### Configuration | Field | Value | Purpose | |---|---|---| | `provider.oracle.vault` | Vault OCID | OCI Vault ID | | `provider.oracle.region` | `eu-frankfurt-1` | OCI region | | `auth.user` | User OCID | IAM user for authentication | | `auth.principalType` | `UserPrincipal` | Authenticate as IAM user | | `secretRef.privatekey` | K8s secret | API private key location | | `secretRef.fingerprint` | K8s secret | API key fingerprint | ### Kubernetes Secret for Auth ```yaml apiVersion: v1 kind: Secret metadata: name: oracle-vault namespace: external-secrets type: Opaque data: privateKey: fingerprint: ``` ``` -------------------------------- ### ExternalSecret for Syncing OCI Vault Secrets Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md Defines an ExternalSecret resource to synchronize specific secrets from OCI Vault into a Kubernetes Secret. It specifies the refresh interval, the SecretStore to use, and the mapping between remote and local secret keys. ```yaml apiVersion: external-secrets.io/v1 kind: ExternalSecret metadata: name: myapp-secrets namespace: myapp spec: refreshInterval: 1h secretStoreRef: name: oracle-vault kind: ClusterSecretStore target: name: myapp-secret creationPolicy: Owner data: - secretKey: database-password remoteRef: key: myapp/db-password - secretKey: api-token remoteRef: key: myapp/api-token ``` -------------------------------- ### ExternalSecret Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md Defines a Kubernetes secret that should be populated with data from a remote store, such as OCI Vault. It specifies how and when to sync the secrets. ```APIDOC ## ExternalSecret ### Description Defines a Kubernetes secret that should be populated with data from a remote store, such as OCI Vault. It specifies how and when to sync the secrets. ### API Version `external-secrets.io/v1` ### Kind `ExternalSecret` ### Configuration | Field | Value | Purpose | |---|---|---| | `refreshInterval` | `1h` | Sync frequency | | `secretStoreRef.name` | `oracle-vault` | SecretStore to use | | `target.name` | `myapp-secret` | Kubernetes secret name | | `target.creationPolicy` | `Owner` | Allow ExternalSecret to manage it | | `data[].secretKey` | Key in K8s secret | Target key | | `data[].remoteRef.key` | Key in OCI Vault | Source key | ### Workflow 1. ExternalSecret references OCI Vault secret 2. Operator periodically fetches from Vault 3. Creates/updates Kubernetes Secret with fetched data 4. Applications read from Kubernetes Secret ``` -------------------------------- ### ClusterSecretStore for OCI Vault Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md Configures a ClusterSecretStore to authenticate with Oracle Cloud Infrastructure (OCI) Vault. This allows External Secrets Operator to fetch secrets from OCI Vault. ```yaml apiVersion: external-secrets.io/v1 kind: ClusterSecretStore metadata: name: oracle-vault spec: provider: oracle: vault: ocid1.vault.oc1.eu-frankfurt-1.xxx region: eu-frankfurt-1 auth: user: ocid1.user.oc1.xxx tenancy: ocid1.tenancy.oc1.xxx principalType: UserPrincipal secretRef: privatekey: name: oracle-vault key: privateKey namespace: external-secrets fingerprint: name: oracle-vault key: fingerprint namespace: external-secrets ``` -------------------------------- ### ClusterIssuer Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md Defines a cluster-wide certificate authority configuration for issuing certificates, typically used with cert-manager. It can be configured for various ACME servers and DNS providers. ```APIDOC ## ClusterIssuer ### Description Defines a cluster-wide certificate authority configuration for issuing certificates, typically used with cert-manager. It can be configured for various ACME servers and DNS providers. ### API Version `cert-manager.io/v1` ### Kind `ClusterIssuer` (cluster-wide) | `Issuer` (namespace-scoped) ### Configuration | Field | Value | Purpose | |---|---|---| | `acme.server` | Let's Encrypt ACME | Certificate authority | | `acme.email` | Email | Contact for certificate issues | | `acme.privateKeySecretRef` | Secret name | ACME account key storage | | `solvers[0].dns01.cloudflare` | DNS provider | DNS challenge handler | ### Challenge Type - **DNS01:** Proves domain ownership by adding a DNS TXT record - **HTTP01:** Alternative using HTTP `.well-known/acme-challenge/` (not used here) ### Cloudflare Configuration - **API Token:** Stored in Secret `cloudflare-api-token` - **Scope:** Can read/write Cloudflare DNS zones ``` -------------------------------- ### Kubernetes Secret for OCI Vault Authentication Source: https://github.com/nce/oci-free-cloud-k8s/blob/main/_autodocs/api-reference/kubernetes-custom-resources.md A Kubernetes Secret containing the base64-encoded private key and fingerprint required for OCI Vault authentication by the External Secrets Operator. ```yaml apiVersion: v1 kind: Secret metadata: name: oracle-vault namespace: external-secrets type: Opaque data: privateKey: fingerprint: ``` === COMPLETE CONTENT === This response contains all available snippets from this library. No additional content exists. Do not make further requests.