From 54451af200187d103d51ecf204e2e97d32e4b5ff Mon Sep 17 00:00:00 2001
From: Mic Szillat
Date: Fri, 3 May 2024 10:53:50 +0200
Subject: [PATCH] feat: Configure cluster issuer for DNS

This configures the Let's Encrypt cluster issuer to follow CNAME records in order to determine the right zone for DNS challenges. With this, we can issue certificates for the zone 'freifunk-duesseldorf.de' for certain hostnames without giving cert-manager permission to edit this zone.
---
 base/cert-manager/cluster-issuer-letsencrypt-prod.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/base/cert-manager/cluster-issuer-letsencrypt-prod.yaml b/base/cert-manager/cluster-issuer-letsencrypt-prod.yaml
index 0c2f2a4..18a3e9b 100644
--- a/base/cert-manager/cluster-issuer-letsencrypt-prod.yaml
+++ b/base/cert-manager/cluster-issuer-letsencrypt-prod.yaml
@@ -13,6 +13,7 @@ spec:
 - http01:
 ingress: {}
 - dns01:
+ cnameStrategy: follow
 cloudflare:
 email: support@freifunk-duesseldorf.de
 apiTokenSecretRef:
@@ -21,3 +22,4 @@ spec:
 selector:
 dnsZones:
 - ffddorf.net
+ - freifunk-duesseldorf.de
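Review bot: The added `cnameStrategy: follow` is lower-case, but as far as I know cert-manager's values for this field are `None` and `Follow`, compared case-sensitively. Depending on the installed CRD version, the lower-case value is likely either rejected by schema validation on apply or accepted and treated as "do not follow", in which case the delegation this commit relies on never takes effect. The line should read `cnameStrategy: Follow`. The `dns01` solver entry continues past the end of this hunk, so the token secret reference was not reviewed.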
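Review bot: The new `- freifunk-duesseldorf.de` entry under `dnsZones` matches the zone and every name beneath it, not only the "certain hostnames" the description mentions. A solver with a matching zone selector is preferred over the selector-less `http01` solver shown in the first hunk's context. Any Certificate using this ClusterIssuer for a name under that zone is therefore routed to DNS-01, and whether it issues depends only on an `_acme-challenge` CNAME into `ffddorf.net` existing for that name. Names under the zone that were validated over HTTP-01 until now would presumably fail renewal until such a CNAME is created. If only specific hosts are intended, list them under `selector.dnsNames` instead; otherwise add a comment above the entry such as `# issuance for this zone is gated by _acme-challenge CNAMEs delegated into ffddorf.net`.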