feat: unified Cloudflare secret with Reflector replication (#8)

justgithubaccount · claude · web-flow · commit e084269a33ff · 2025-12-06T12:45:59.000+04:00
* feat(external-dns): add Cloudflare SealedSecret with Reflector Add new SealedSecret for Cloudflare API token with Reflector annotations to automatically replicate to cert-manager namespace. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(external-dns): use cloudflare-token secret name Change secret reference from external-dns-secret to cloudflare-token for unified secret naming across services. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(cert-manager): use cloudflare-token secret name Change ClusterIssuer to use cloudflare-token secret (replicated by Reflector from external-dns namespace) instead of cert-manager-secret. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> * refactor(cert-manager): remove duplicate Cloudflare secret Remove cloudflare-secrets.yaml - secret is now replicated from external-dns namespace via Reflector. 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com> --------- Co-authored-by: Claude Opus 4.5 <noreply@anthropic.com>
diff --git a/platform/infrastructure/networking/cert-manager/base/cloudflare-secrets.yaml b/platform/infrastructure/networking/cert-manager/base/cloudflare-secrets.yaml
diff --git a/platform/infrastructure/networking/cert-manager/base/issuer-cluster.yaml b/platform/infrastructure/networking/cert-manager/base/issuer-cluster.yaml
@@ -14,5 +14,5 @@ spec:
       - dns01:
           cloudflare:
             apiTokenSecretRef:
-              name: cert-manager-secret
+              name: cloudflare-token
               key: CLOUDFLARE_TOKEN
diff --git a/platform/infrastructure/networking/cert-manager/base/kustomization.yaml b/platform/infrastructure/networking/cert-manager/base/kustomization.yaml
@@ -1,5 +1,5 @@
 resources:
   - application.yaml
-  - cloudflare-secrets.yaml
   - cert-cluster.yaml
-  - issuer-cluster.yaml
+  - issuer-cluster.yaml
+# cloudflare-secrets.yaml removed - using Reflector from external-dns namespace
diff --git a/platform/infrastructure/networking/external-dns/base/application.yaml b/platform/infrastructure/networking/external-dns/base/application.yaml
@@ -27,7 +27,7 @@ spec:
           - name: CF_API_TOKEN
             valueFrom:
               secretKeyRef:
-                name: external-dns-secret
+                name: cloudflare-token
                 key: CLOUDFLARE_TOKEN
   syncPolicy:
     automated:
diff --git a/platform/infrastructure/networking/external-dns/base/cloudflare-secrets.yaml b/platform/infrastructure/networking/external-dns/base/cloudflare-secrets.yaml
@@ -2,14 +2,19 @@
 apiVersion: bitnami.com/v1alpha1
 kind: SealedSecret
 metadata:
-  name: external-dns-secret
+  name: cloudflare-token
   namespace: external-dns
   annotations:
     argocd.argoproj.io/sync-wave: "50"
 spec:
   encryptedData:
-    CLOUDFLARE_TOKEN: AgC0Fgidl3N2GuW/ZzytAv40fdOXlE4Qoo7t0D6DJjI5ljXsZSLUhOAT5kXOpSR4I9Hx4z0zWqiLIuEO7d0wnpjutkWLdjr2qJ0JNIzeQLzZe453XOcXVO15pArS3Mz/YVu+zcCxrjqAcjk265F8SgfaJHHqYzRysP6NzeQXIe2NQ1LtS9XsjjKnDeRtDCTT9/uL8azA9EwbLY3fqfiZAKdI7i+YSY0U2xSUdEwcxHTf6f/3rTQgOk7soELmZWtBEMtGtmrf2lJut3DK6Craz8HIwlO6pLJ6oUeX4rkXRdpRa0oLad8+b5K+hP2sK1XjOqE13YbJr6U+S4mpY6O4NHTeiw5IW1QRGqZDNQRT0lThSFU3cH3NBIcl5TfsmQdcmR+U3wra970t31wk6h16/MUbgI8Fzla7z4568HUyMd7wTer6lSqJp7ZVVAUHRRMCTQ4rdS2y+7OT4Oyn8AKNEc6X9HP1XfiIho5b8e9vDhNz7KrNaKh4xQmb+Q5wMfwsBUT3NPq2ILoyj/nkD8jsIKEiIctRKGYCoTaokHtxBrLlG9/YRYllKwWMcJ7r9/9HzYhhDizfo589A6WtpQ2HC5b36sb7dZbaWkvQE0oJhIClvUCx4baXq3rA9DiSkc7DqgME0ZpS02b2qyANlbuXDWSl9BClkNCJO+yWenYTlmNlaZhPOXqje1k1ZJ2K3zq4P/omiHzSIS1OA7+pmBqVcGLMZyI/i6cDuk7PefoYJE3dj8Ad+hXUggMM
+    CLOUDFLARE_TOKEN: AgAvuNAmxH11Sz1UtDXv4iEOp6TwjWwnUGdrbkYJvGRVvZaJzfLCgHYQu41f7rS0iYZD5OxZBbugbaZLbyvZURTC9YWZhkZdizdcluYQZA0J5PNrvjdAhteV/sg5GhXL0XRQYC8mya98UtYXUU4w+LcIuOCLwgYCZ0DA0xuGu0Z3cgn8Ka4m3W3NKNikPjkUtlWdYxTSBRwrfzahy+WIfx8TQoQvyXcwcSG85+CIl+WauxHCSHdcMTSdDzYIpbKvBHnO9bQ358H+e2UODUG+aQ1t2xRKjS03UBgkcTSZ9dJTzX17lOoFgavdHdQn+TmngiIahn8AYsexSNyguVilYj5QLUPMhreeuqmg9S8wr7W+borZVhTOGMb6iF7cw9UZH8sm8P4F3hVGS0HKEtLxu2WJqiSI52fDNyw6e7DIe/DGfw+e/S9l5kY7aVNQMNPt3ERm/M1hPjw8MSudO/HSlM7sW/qDzXyfU/DhVZQRB9x8pxgKheb7JfO011PJcdqcdZ64sAEqzjHHGHB3l6cNRqa67XXupRcz/kuKpzSZI901U9xCrkEbjXfrTiWFwTKPOPSNzByWgaGEyiqvloiEF4uHBS7kev2aGq+tilIP6J/OhP7RqRwLUAJVvxOU7p1UZKzE+pQ3DQDX/LsqJA0OPOa/hL9sJiIZsywV4o3VX+7rGUEzrN51uxpDh7FilDiVFt3YkPYCnyqh/9iF82VbOr7PQaVo5WYqA4cR7Kilz/jnp4JbGNd09owh
   template:
     metadata:
-      name: external-dns-secret
+      name: cloudflare-token
       namespace: external-dns
+      annotations:
+        reflector.v1.k8s.emberstack.com/reflection-allowed: "true"
+        reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "cert-manager"
+        reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
+        reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "cert-manager"
