1.
    ```yaml
    apiVersion: cert-manager.io/v1
    kind: ClusterIssuer
    metadata:
      name: letsencrypt-prod
      namespace: cert-manager
    spec:
      acme:
        server: https://acme-v02.api.letsencrypt.org/directory
        email: name@yourname.xzy
        privateKeySecretRef:
          name: letsencrypt-prod
        solvers:
        - dns01:
            cloudflare:
              email: <cloudflare account email>
              apiTokenSecretRef:
                name: cloudflare-api-token-secret
                key: apiKey
    ```

    Python

    In the Pulumi Python SDK, Kubernetes resources are created with the pulumi_kubernetes package. ClusterIssuer is a cert-manager custom resource (apiVersion cert-manager.io/v1), not a built-in Kubernetes type, so your YAML is implemented in Python with pulumi_kubernetes.apiextensions.CustomResource; cert-manager and its CRDs must already be installed in the cluster. Note that you have to replace placeholder values like <cloudflare account email> with actual values or references to existing secrets within your environment.

    Below you'll find the Pulumi program that creates a ClusterIssuer for Let's Encrypt with the ACME DNS01 solver using Cloudflare for DNS challenges:

    ```python
    import pulumi
    import pulumi_kubernetes as k8s

    # Define the ClusterIssuer for Let's Encrypt using the ACME DNS01 solver with Cloudflare.
    # ClusterIssuer is a cert-manager CRD, so it is declared through the generic
    # CustomResource class with its apiVersion and kind given explicitly.
    letsencrypt_prod_cluster_issuer = k8s.apiextensions.CustomResource(
        "letsencrypt-prod",
        api_version="cert-manager.io/v1",
        kind="ClusterIssuer",
        metadata=k8s.meta.v1.ObjectMetaArgs(
            # ClusterIssuer is cluster-scoped, so metadata.namespace from the YAML is omitted.
            name="letsencrypt-prod",
        ),
        spec={
            "acme": {
                "server": "https://acme-v02.api.letsencrypt.org/directory",
                "email": "name@yourname.xzy",
                # Secret in which cert-manager stores the ACME account private key
                "privateKeySecretRef": {"name": "letsencrypt-prod"},
                "solvers": [
                    {
                        "dns01": {
                            "cloudflare": {
                                "email": "cloudflare_account_email@example.com",
                                # Existing Secret that holds the Cloudflare API token
                                "apiTokenSecretRef": {
                                    "name": "cloudflare-api-token-secret",
                                    "key": "apiKey",
                                },
                            },
                        },
                    },
                ],
            },
        },
    )

    # For documentation, refer to apiextensions.CustomResource in the Pulumi Kubernetes provider.
    ```

    Replace "cloudflare_account_email@example.com" with your actual Cloudflare account email or a Pulumi config reference if the email should be kept secret. Ensure that the secret cloudflare-api-token-secret with the key apiKey exists in your Kubernetes cluster, as it's being referenced by the ClusterIssuer.

    The Pulumi program will provision the ClusterIssuer resource in your Kubernetes cluster when run with the appropriate credentials configured in your environment.
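A pre-deployment check for the points raised above (leftover placeholders, the credential secret reference, the namespace on a cluster-scoped resource), written as an added example that is not part of the original answer or of Pulumi or cert-manager. The function name, the placeholder markers and the treatment of `name@yourname.xzy` as a placeholder are assumptions; `PAGE_MANIFEST` is constructed from the YAML on this page.

```python
# Added example: lint a cert-manager ClusterIssuer manifest (as a dict) before applying it.
# Markers are assumptions taken from the placeholder values used on this page.
PLACEHOLDER_MARKERS = ("<", "@example.com", "@yourname.")

def check_cluster_issuer(manifest: dict) -> list:
    """Return human-readable findings; an empty list means no issue was detected."""
    findings = []
    if "namespace" in manifest.get("metadata", {}):
        findings.append("metadata.namespace: set on a cluster-scoped ClusterIssuer")
    acme = manifest.get("spec", {}).get("acme", {})
    emails = [("spec.acme.email", acme.get("email", ""))]
    for i, solver in enumerate(acme.get("solvers", [])):
        cf = solver.get("dns01", {}).get("cloudflare")
        if cf is None:
            continue  # only the Cloudflare DNS01 solver is inspected here
        path = f"spec.acme.solvers[{i}].dns01.cloudflare"
        if "email" in cf:
            emails.append((path + ".email", cf["email"]))
        if "apiKeySecretRef" in cf:
            # A global API key grants account-wide access; a scoped API token is narrower.
            findings.append(path + ": global API key in use, prefer apiTokenSecretRef")
        ref = cf.get("apiTokenSecretRef") or cf.get("apiKeySecretRef")
        if not ref:
            findings.append(path + ": no credential secret referenced")
        elif not ref.get("name") or not ref.get("key"):
            findings.append(path + ": secret reference needs both name and key")
    for path, value in emails:
        if any(marker in value for marker in PLACEHOLDER_MARKERS):
            findings.append(f"{path}: placeholder value {value!r} left in place")
    return findings

# Constructed sample: the manifest from this page, expressed as a Python dict.
PAGE_MANIFEST = {
    "apiVersion": "cert-manager.io/v1",
    "kind": "ClusterIssuer",
    "metadata": {"name": "letsencrypt-prod", "namespace": "cert-manager"},
    "spec": {"acme": {
        "server": "https://acme-v02.api.letsencrypt.org/directory",
        "email": "name@yourname.xzy",
        "privateKeySecretRef": {"name": "letsencrypt-prod"},
        "solvers": [{"dns01": {"cloudflare": {
            "email": "<cloudflare account email>",
            "apiTokenSecretRef": {"name": "cloudflare-api-token-secret", "key": "apiKey"},
        }}}],
    }},
}

if __name__ == "__main__":
    for finding in check_cluster_issuer(PAGE_MANIFEST):
        print(finding)
```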