# ============================================================================ # Let's Encrypt ClusterIssuers — PUBLIC TLS substrate (Cl-infra-2, deep-regroup 2026-06-13) # ============================================================================ # GATED. This file lives OUTSIDE apps/ on purpose, so the bluejay-infra # ApplicationSet does NOT auto-apply it. Applying a cert-manager ACME # ClusterIssuer registers an ACME account immediately, so we keep these inert # until the operator opens the web-hosting public-exposure gate (R-1; the §6 # go/no-go checklist in docs/standards/web-hosting-production-readiness-plan.md # is currently 14/14 red). # # Pairs with Codex Wh-C1 (FlowerCore.PHP/MySQL/DNS hybrid public TLS) and # Wh-C2 (isolation). Internal *.iamworkin.lan certs STAY on step-ca # (apps/fc-dns/fc-dns.yaml: ClusterIssuer step-ca-dns01) — these LE issuers are # ONLY for public tenant domains. # # TO ACTIVATE (operator public-go): # 1. Confirm a public DNS-01 solver is wired (Cloudflare/Namecheap webhook) OR # that public tenant domains route HTTP-01 to the cluster's public ingress. # 2. Move this file to apps/cluster-issuers/ (the ApplicationSet will create # infra-cluster-issuers and apply it), staging FIRST. # 3. Issue ONE staging cert for a throwaway public domain, verify the chain, # THEN switch that tenant's Certificate issuerRef to letsencrypt-prod. # 4. Mind LE prod rate limits (50 certs/registered-domain/week, 5 dupes/week). # # Registration email is for expiry notices only — adjust to a role address if # desired (astoltz@iamwork.in is the current operator contact). # ---------------------------------------------------------------------------- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-staging labels: app.kubernetes.io/part-of: flowercore flowercore.io/created-by: bluejay-infra flowercore.io/gate: public-tls spec: acme: # LE STAGING — untrusted certs, generous limits. Use this first, always. server: https://acme-staging-v02.api.letsencrypt.org/directory email: astoltz@iamwork.in privateKeySecretRef: name: letsencrypt-staging-account-key solvers: # HTTP-01 via Traefik. Requires the public tenant domain's :80 traffic to # reach the cluster ingress. For wildcard / apex without inbound :80, swap # to the dns01 solver block below (needs a public DNS provider webhook). - http01: ingress: class: traefik # --- DNS-01 alternative for wildcards (uncomment + wire a public DNS webhook) --- # - dns01: # webhook: # groupName: acme.flowercore.io # or the cloudflare/namecheap solver # solverName: --- apiVersion: cert-manager.io/v1 kind: ClusterIssuer metadata: name: letsencrypt-prod labels: app.kubernetes.io/part-of: flowercore flowercore.io/created-by: bluejay-infra flowercore.io/gate: public-tls spec: acme: # LE PRODUCTION — trusted certs, strict rate limits. Only after staging proves out. server: https://acme-v02.api.letsencrypt.org/directory email: astoltz@iamwork.in privateKeySecretRef: name: letsencrypt-prod-account-key solvers: - http01: ingress: class: traefik # - dns01: # webhook: # groupName: acme.flowercore.io # solverName: