387097485e
Cl-infra-2 (deep-regroup 2026-06-13). LE staging+prod ClusterIssuers (HTTP-01 via Traefik, DNS-01 stub) + a per-tenant default-deny NetworkPolicy template, under gated/public-tls/ OUTSIDE apps/ so the ApplicationSet does NOT auto-apply them (an applied ACME ClusterIssuer registers an account immediately). Internal *.iamworkin.lan TLS stays on step-ca. Inert until the operator opens the web-hosting public-exposure gate (R-1; 14/14 blockers red). Pairs with Codex Wh-C1 (hybrid public TLS) + Wh-C2 (isolation). Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
79 lines
3.4 KiB
YAML
79 lines
3.4 KiB
YAML
# ============================================================================
|
|
# Let's Encrypt ClusterIssuers — PUBLIC TLS substrate (Cl-infra-2, deep-regroup 2026-06-13)
|
|
# ============================================================================
|
|
# GATED. This file lives OUTSIDE apps/ on purpose, so the bluejay-infra
|
|
# ApplicationSet does NOT auto-apply it. Applying a cert-manager ACME
|
|
# ClusterIssuer registers an ACME account immediately, so we keep these inert
|
|
# until the operator opens the web-hosting public-exposure gate (R-1; the §6
|
|
# go/no-go checklist in docs/standards/web-hosting-production-readiness-plan.md
|
|
# is currently 14/14 red).
|
|
#
|
|
# Pairs with Codex Wh-C1 (FlowerCore.PHP/MySQL/DNS hybrid public TLS) and
|
|
# Wh-C2 (isolation). Internal *.iamworkin.lan certs STAY on step-ca
|
|
# (apps/fc-dns/fc-dns.yaml: ClusterIssuer step-ca-dns01) — these LE issuers are
|
|
# ONLY for public tenant domains.
|
|
#
|
|
# TO ACTIVATE (operator public-go):
|
|
# 1. Confirm a public DNS-01 solver is wired (Cloudflare/Namecheap webhook) OR
|
|
# that public tenant domains route HTTP-01 to the cluster's public ingress.
|
|
# 2. Move this file to apps/cluster-issuers/ (the ApplicationSet will create
|
|
# infra-cluster-issuers and apply it), staging FIRST.
|
|
# 3. Issue ONE staging cert for a throwaway public domain, verify the chain,
|
|
# THEN switch that tenant's Certificate issuerRef to letsencrypt-prod.
|
|
# 4. Mind LE prod rate limits (50 certs/registered-domain/week, 5 dupes/week).
|
|
#
|
|
# Registration email is for expiry notices only — adjust to a role address if
|
|
# desired (astoltz@iamwork.in is the current operator contact).
|
|
# ----------------------------------------------------------------------------
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
name: letsencrypt-staging
|
|
labels:
|
|
app.kubernetes.io/part-of: flowercore
|
|
flowercore.io/created-by: bluejay-infra
|
|
flowercore.io/gate: public-tls
|
|
spec:
|
|
acme:
|
|
# LE STAGING — untrusted certs, generous limits. Use this first, always.
|
|
server: https://acme-staging-v02.api.letsencrypt.org/directory
|
|
email: astoltz@iamwork.in
|
|
privateKeySecretRef:
|
|
name: letsencrypt-staging-account-key
|
|
solvers:
|
|
# HTTP-01 via Traefik. Requires the public tenant domain's :80 traffic to
|
|
# reach the cluster ingress. For wildcard / apex without inbound :80, swap
|
|
# to the dns01 solver block below (needs a public DNS provider webhook).
|
|
- http01:
|
|
ingress:
|
|
class: traefik
|
|
# --- DNS-01 alternative for wildcards (uncomment + wire a public DNS webhook) ---
|
|
# - dns01:
|
|
# webhook:
|
|
# groupName: acme.flowercore.io # or the cloudflare/namecheap solver
|
|
# solverName: <public-dns-solver>
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: ClusterIssuer
|
|
metadata:
|
|
name: letsencrypt-prod
|
|
labels:
|
|
app.kubernetes.io/part-of: flowercore
|
|
flowercore.io/created-by: bluejay-infra
|
|
flowercore.io/gate: public-tls
|
|
spec:
|
|
acme:
|
|
# LE PRODUCTION — trusted certs, strict rate limits. Only after staging proves out.
|
|
server: https://acme-v02.api.letsencrypt.org/directory
|
|
email: astoltz@iamwork.in
|
|
privateKeySecretRef:
|
|
name: letsencrypt-prod-account-key
|
|
solvers:
|
|
- http01:
|
|
ingress:
|
|
class: traefik
|
|
# - dns01:
|
|
# webhook:
|
|
# groupName: acme.flowercore.io
|
|
# solverName: <public-dns-solver>
|