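# Certificate for mdm.iamworkin.lan.
#
# Preflight gate: FlowerCore.DNS / pfSense must contain an explicit A record:
#   mdm.iamworkin.lan -> 10.0.56.200
# before this Certificate is synced. step-ca ACME cannot see the CoreDNS
# wildcard, so missing pfSense DNS produces cert-manager HTTP-01 backoff.
#
# NOTE(review): HTTP-01 proves control of the name through whatever address
# the CA resolves it to, so the pfSense A record is part of the trust path for
# this certificate. Changes to that record presumably deserve the same review
# as changes to this manifest -- confirm who can edit it.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: fc-apple-mdm-tls
  namespace: fc-apple-mdm
  labels:
    app.kubernetes.io/name: fc-apple-mdm
    app.kubernetes.io/component: mdm
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
  annotations:
    # NOTE(review): nothing in this manifest enforces the preflight; the
    # annotation looks informational unless an external check reads it --
    # confirm.
    flowercore.io/dns-preflight: "mdm.iamworkin.lan must resolve to 10.0.56.200 before ACME sync"
spec:
  # Secret in the fc-apple-mdm namespace that receives the issued certificate
  # and its private key. Read access to it should stay limited to the workload
  # that terminates TLS for the MDM endpoint.
  secretName: fc-apple-mdm-tls
  # Cluster-scoped issuer; its definition (ACME server URL, solver, CA trust)
  # is not part of this file.
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  # Single SAN. It must match the explicit A record named in the header.
  dnsNames:
    - mdm.iamworkin.lan
  # Requested lifetime of 30 days, with renewal starting 10 days before expiry.
  # NOTE(review): cert-manager forwards `duration` to an ACME server only when
  # the issuer sets spec.acme.enableDurationFeature, and the CA may still cap
  # it. Confirm the lifetime step-ca actually issues, because renewBefore is
  # only meaningful relative to that.
  duration: 720h
  renewBefore: 240h
  # NOTE(review): no spec.privateKey block is set, so key algorithm, size and
  # rotation-on-renewal follow the defaults of the installed cert-manager
  # version. Confirm that is intended for this endpoint.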