infra(public-tls): add gated Let's Encrypt issuers + tenant NetworkPolicy substrate

Cl-infra-2 (deep-regroup 2026-06-13). LE staging+prod ClusterIssuers (HTTP-01
via Traefik, DNS-01 stub) + a per-tenant default-deny NetworkPolicy template,
under gated/public-tls/ OUTSIDE apps/ so the ApplicationSet does NOT auto-apply
them (an applied ACME ClusterIssuer registers an account immediately). Internal
*.iamworkin.lan TLS stays on step-ca. Inert until the operator opens the
web-hosting public-exposure gate (R-1; 14/14 blockers red). Pairs with Codex
Wh-C1 (hybrid public TLS) + Wh-C2 (isolation).

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

gated/public-tls/letsencrypt-issuers.yaml

@@ -0,0 +1,78 @@
+# ============================================================================
+# Let's Encrypt ClusterIssuers — PUBLIC TLS substrate (Cl-infra-2, deep-regroup 2026-06-13)
+# ============================================================================
+# GATED. This file lives OUTSIDE apps/ on purpose, so the bluejay-infra
+# ApplicationSet does NOT auto-apply it. Applying a cert-manager ACME
+# ClusterIssuer registers an ACME account immediately, so we keep these inert
+# until the operator opens the web-hosting public-exposure gate (R-1; the §6
+# go/no-go checklist in docs/standards/web-hosting-production-readiness-plan.md
+# is currently 14/14 red).
+#
+# Pairs with Codex Wh-C1 (FlowerCore.PHP/MySQL/DNS hybrid public TLS) and
+# Wh-C2 (isolation). Internal *.iamworkin.lan certs STAY on step-ca
+# (apps/fc-dns/fc-dns.yaml: ClusterIssuer step-ca-dns01) — these LE issuers are
+# ONLY for public tenant domains.
+#
+# TO ACTIVATE (operator public-go):
+#   1. Confirm a public DNS-01 solver is wired (Cloudflare/Namecheap webhook) OR
+#      that public tenant domains route HTTP-01 to the cluster's public ingress.
+#   2. Move this file to apps/cluster-issuers/ (the ApplicationSet will create
+#      infra-cluster-issuers and apply it), staging FIRST.
+#   3. Issue ONE staging cert for a throwaway public domain, verify the chain,
+#      THEN switch that tenant's Certificate issuerRef to letsencrypt-prod.
+#   4. Mind LE prod rate limits (50 certs/registered-domain/week, 5 dupes/week).
+#
+# Registration email is for expiry notices only — adjust to a role address if
+# desired (astoltz@iamwork.in is the current operator contact).
+# ----------------------------------------------------------------------------
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+  labels:
+    app.kubernetes.io/part-of: flowercore
+    flowercore.io/created-by: bluejay-infra
+    flowercore.io/gate: public-tls
+spec:
+  acme:
+    # LE STAGING — untrusted certs, generous limits. Use this first, always.
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: astoltz@iamwork.in
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+      # HTTP-01 via Traefik. Requires the public tenant domain's :80 traffic to
+      # reach the cluster ingress. For wildcard / apex without inbound :80, swap
+      # to the dns01 solver block below (needs a public DNS provider webhook).
+      - http01:
+          ingress:
+            class: traefik
+      # --- DNS-01 alternative for wildcards (uncomment + wire a public DNS webhook) ---
+      # - dns01:
+      #     webhook:
+      #       groupName: acme.flowercore.io   # or the cloudflare/namecheap solver
+      #       solverName: <public-dns-solver>
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+  labels:
+    app.kubernetes.io/part-of: flowercore
+    flowercore.io/created-by: bluejay-infra
+    flowercore.io/gate: public-tls
+spec:
+  acme:
+    # LE PRODUCTION — trusted certs, strict rate limits. Only after staging proves out.
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: astoltz@iamwork.in
+    privateKeySecretRef:
+      name: letsencrypt-prod-account-key
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
+      # - dns01:
+      #     webhook:
+      #       groupName: acme.flowercore.io
+      #       solverName: <public-dns-solver>