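# cert-manager issuers and certificate for production TLS.
#
# WORKFLOW: start with letsencrypt-staging to verify the HTTP-01 challenge
# flow works without burning production rate limits. Once the staging cert
# is issued successfully, flip the Certificate issuerRef to letsencrypt-production
# and delete the old Secret so cert-manager re-issues with a trusted cert.
#
# ACME_EMAIL is substituted by sunbeam apply.
#
# Both issuers are ClusterIssuers, i.e. cluster-scoped: a Certificate in any
# namespace can reference them. If not every namespace is equally trusted,
# restrict who may create Certificate resources (RBAC / admission policy) or
# use namespaced Issuers instead.
---
# Let's Encrypt staging — untrusted cert, far looser rate limits than
# production. Use for initial setup.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    # Secret holding the ACME account private key. For a ClusterIssuer it is
    # stored in cert-manager's cluster resource namespace; read access to it
    # is enough to act as this ACME account, so keep RBAC on it tight.
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      # HTTP-01: every requested hostname must resolve publicly and be
      # reachable on port 80 for the challenge to validate.
      # NOTE(review): no ingress class is set on the solver, so which
      # controller serves the challenge depends on the cluster — confirm.
      - http01:
          ingress:
            # ClusterIP keeps the temporary solver Service off node ports.
            serviceType: ClusterIP
---
# Let's Encrypt production — trusted cert, strict rate limits.
# Switch to this once staging confirms challenges resolve correctly.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    # Separate account key from staging; same handling applies (restrict
    # read access, exclude from broad Secret backups/exports).
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      - http01:
          ingress:
            serviceType: ClusterIP
---
# Certificate covering all proxy subdomains.
# Start with letsencrypt-staging. Once verified, change issuerRef.name to
# letsencrypt-production and delete the pingora-tls Secret to force re-issue.
# NOTE(review): the Certificate that follows already references
# letsencrypt-production — confirm staging was verified for this cluster, and
# avoid repeated Secret deletion, which counts against production rate limits.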
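apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pingora-tls
  namespace: ingress
spec:
  # Secret (in the ingress namespace) that receives the certificate and its
  # private key. One key covers every hostname listed under dnsNames, so read
  # access to this Secret should be limited to the proxy that terminates TLS.
  secretName: pingora-tls
  issuerRef:
    # Points at the production issuer; the workflow described in this file
    # expects the HTTP-01 flow to have been verified against staging first.
    name: letsencrypt-production
    kind: ClusterIssuer
  # All names are issued as SANs on a single certificate:
  #   - the order only succeeds if every name passes its HTTP-01 challenge,
  #     so one unreachable hostname blocks issuance/renewal for all of them;
  #   - publicly trusted certificates are recorded in Certificate Transparency
  #     logs, so every hostname here (including admin/vault/metrics-style
  #     names) is publicly discoverable — do not rely on obscurity for them.
  # DOMAIN_SUFFIX is presumably substituted at apply time like ACME_EMAIL —
  # verify against the deploy tooling.
  dnsNames:
    - docs.DOMAIN_SUFFIX
    - meet.DOMAIN_SUFFIX
    - drive.DOMAIN_SUFFIX
    - mail.DOMAIN_SUFFIX
    - messages.DOMAIN_SUFFIX
    - people.DOMAIN_SUFFIX
    - src.DOMAIN_SUFFIX
    - auth.DOMAIN_SUFFIX
    - s3.DOMAIN_SUFFIX
    - metrics.DOMAIN_SUFFIX
    - systemmetrics.DOMAIN_SUFFIX
    - systemlogs.DOMAIN_SUFFIX
    - systemtracing.DOMAIN_SUFFIX
    - admin.DOMAIN_SUFFIX
    - integration.DOMAIN_SUFFIX
    - livekit.DOMAIN_SUFFIX
    - cal.DOMAIN_SUFFIX
    - projects.DOMAIN_SUFFIX
    - id.DOMAIN_SUFFIX
    - hydra.DOMAIN_SUFFIX
    - search.DOMAIN_SUFFIX
    - vault.DOMAIN_SUFFIX
    - find.DOMAIN_SUFFIX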