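# cert-manager resources for production TLS.
#
# Prerequisites:
# cert-manager must be installed in the cluster before applying this overlay:
#   kubectl apply -f https://github.com/cert-manager/cert-manager/releases/latest/download/cert-manager.yaml
# For a reproducible, reviewable install, prefer pinning a specific release
# tag in that URL instead of `latest`, so the cluster's cert-manager version
# does not change silently between deploys.
#
# DOMAIN_SUFFIX and ACME_EMAIL are substituted by sed at deploy time.
# See overlays/production/kustomization.yaml for the deploy command.
---
# ClusterIssuer: Let's Encrypt production via HTTP-01 challenge.
#
# cert-manager creates one Ingress per challenged domain. The pingora proxy
# watches these Ingresses and routes /.well-known/acme-challenge/
# requests to the per-domain solver Service, so multi-SAN certificates are
# issued correctly even when all domain challenges run in parallel.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    # ACME account key. Because this is a ClusterIssuer, cert-manager keeps
    # the Secret in its own cluster-resource namespace, not in `ingress`.
    # This Secret identifies the ACME account; restrict who can read it.
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      - http01:
          ingress:
            # ingressClassName is intentionally blank: cert-manager still creates
            # the Ingress object (which the proxy watches), but no ingress
            # controller needs to act on it — the proxy handles routing itself.
            ingressClassName: ""
---
# Certificate: single multi-SAN cert covering all proxy subdomains.
# cert-manager issues it via HTTP-01, stores it in pingora-tls Secret, and
# renews it automatically ~30 days before expiry. The watcher in sunbeam-proxy
# detects the Secret update and triggers a graceful upgrade so the new cert is
# loaded without dropping any connections.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pingora-tls
  namespace: ingress
spec:
  secretName: pingora-tls
  # Generate a new private key on every renewal instead of reusing the
  # existing one (cert-manager's default rotationPolicy is Never). A renewed
  # certificate then never extends the lifetime of a possibly leaked key.
  # NOTE(review): assumes the proxy reload picks up tls.key and tls.crt from
  # the same Secret update — confirm against the sunbeam-proxy watcher.
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  # All SANs share one certificate; adding a name here requires the proxy to
  # route its HTTP-01 challenge before the next issuance succeeds.
  dnsNames:
    - docs.DOMAIN_SUFFIX
    - meet.DOMAIN_SUFFIX
    - drive.DOMAIN_SUFFIX
    - mail.DOMAIN_SUFFIX
    - chat.DOMAIN_SUFFIX
    - people.DOMAIN_SUFFIX
    - src.DOMAIN_SUFFIX
    - auth.DOMAIN_SUFFIX
    - s3.DOMAIN_SUFFIX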