overlays/production/cert-manager.yaml

# cert-manager resources for production TLS.
#
# Prerequisites:
#   cert-manager must be installed in the cluster before applying this overlay:
#   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
#
# DOMAIN_SUFFIX and ACME_EMAIL are substituted by sed at deploy time.
# See overlays/production/kustomization.yaml for the deploy command.
---
# ClusterIssuer: Let's Encrypt production via HTTP-01 challenge.
#
# cert-manager creates one Ingress per challenged domain.  The pingora proxy
# watches these Ingresses and routes /.well-known/acme-challenge/<token>
# requests to the per-domain solver Service, so multi-SAN certificates are
# issued correctly even when all domain challenges run in parallel.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      - http01:
          ingress:
            # ingressClassName is intentionally blank: cert-manager still creates
            # the Ingress object (which the proxy watches), but no ingress
            # controller needs to act on it — the proxy handles routing itself.
            ingressClassName: ""
---
# Certificate: single multi-SAN cert covering all proxy subdomains.
# cert-manager issues it via HTTP-01, stores it in pingora-tls Secret, and
# renews it automatically ~30 days before expiry.  The watcher in sunbeam-proxy
# detects the Secret update and triggers a graceful upgrade so the new cert is
# loaded without dropping any connections.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pingora-tls
  namespace: ingress
spec:
  secretName: pingora-tls
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  dnsNames:
    - docs.DOMAIN_SUFFIX
    - meet.DOMAIN_SUFFIX
    - drive.DOMAIN_SUFFIX
    - mail.DOMAIN_SUFFIX
    - chat.DOMAIN_SUFFIX
    - people.DOMAIN_SUFFIX
    - src.DOMAIN_SUFFIX
    - auth.DOMAIN_SUFFIX
    - s3.DOMAIN_SUFFIX
feat: replace nginx placeholder with custom Pingora proxy; add Postfix MTA Ingress: - Deploy custom sunbeam-proxy (Pingora/Rust) replacing nginx placeholder - HTTPS termination with mkcert (local) / rustls-acme (production) - Host-prefix routing with path-based sub-routing for auth virtual host: /oauth2 + /.well-known + /userinfo → Hydra, /kratos → Kratos (prefix stripped), default → login-ui - HTTP→HTTPS redirect, WebSocket passthrough, JSON audit logging, OTEL stub - cert-manager HTTP-01 ACME challenge routing via Ingress watcher - RBAC for Ingress watcher (pingora-watcher ClusterRole) - local overlay: hostPorts 80/443, LiveKit TURN demoted to ClusterIP to avoid klipper conflict Infrastructure: - socket_vmnet shared network for host↔VM reachability (192.168.105.2) - local-up.sh: cert-manager installation, eth1-based LIMA_IP detection, correct DOMAIN_SUFFIX sed substitution - Postfix MTA in lasuite namespace: outbound relay via Scaleway TEM, accepts SMTP from cluster pods - Kratos SMTP courier pointed at postfix.lasuite.svc.cluster.local:25 - Production overlay: cert-manager ClusterIssuer, ACME-enabled Pingora values 2026-03-01 16:25:11 +00:00			`# cert-manager resources for production TLS.`
			`#`
			`# Prerequisites:`
			`# cert-manager must be installed in the cluster before applying this overlay:`
			`# kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml`
			`#`
			`# DOMAIN_SUFFIX and ACME_EMAIL are substituted by sed at deploy time.`
			`# See overlays/production/kustomization.yaml for the deploy command.`
			`---`
			`# ClusterIssuer: Let's Encrypt production via HTTP-01 challenge.`
			`#`
			`# cert-manager creates one Ingress per challenged domain. The pingora proxy`
			`# watches these Ingresses and routes /.well-known/acme-challenge/<token>`
			`# requests to the per-domain solver Service, so multi-SAN certificates are`
			`# issued correctly even when all domain challenges run in parallel.`
			`apiVersion: cert-manager.io/v1`
			`kind: ClusterIssuer`
			`metadata:`
			`name: letsencrypt-production`
			`spec:`
			`acme:`
			`server: https://acme-v02.api.letsencrypt.org/directory`
			`email: ACME_EMAIL`
			`privateKeySecretRef:`
			`name: letsencrypt-production-account-key`
			`solvers:`
			`- http01:`
			`ingress:`
			`# ingressClassName is intentionally blank: cert-manager still creates`
			`# the Ingress object (which the proxy watches), but no ingress`
			`# controller needs to act on it — the proxy handles routing itself.`
			`ingressClassName: ""`
			`---`
			`# Certificate: single multi-SAN cert covering all proxy subdomains.`
			`# cert-manager issues it via HTTP-01, stores it in pingora-tls Secret, and`
			`# renews it automatically ~30 days before expiry. The watcher in sunbeam-proxy`
			`# detects the Secret update and triggers a graceful upgrade so the new cert is`
			`# loaded without dropping any connections.`
			`apiVersion: cert-manager.io/v1`
			`kind: Certificate`
			`metadata:`
			`name: pingora-tls`
			`namespace: ingress`
			`spec:`
			`secretName: pingora-tls`
			`issuerRef:`
			`name: letsencrypt-production`
			`kind: ClusterIssuer`
			`dnsNames:`
			`- docs.DOMAIN_SUFFIX`
			`- meet.DOMAIN_SUFFIX`
			`- drive.DOMAIN_SUFFIX`
			`- mail.DOMAIN_SUFFIX`
			`- chat.DOMAIN_SUFFIX`
			`- people.DOMAIN_SUFFIX`
			`- src.DOMAIN_SUFFIX`
			`- auth.DOMAIN_SUFFIX`
			`- s3.DOMAIN_SUFFIX`