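# cert-manager issuers and wildcard certificate for production TLS.
#
# Uses DNS-01 via Scaleway DNS webhook for wildcard support.
# No more per-subdomain SANs — *.DOMAIN_SUFFIX covers everything.
#
# ACME_EMAIL is substituted by sunbeam apply (DOMAIN_SUFFIX in the
# Certificate below is presumably substituted the same way — confirm).
---
# Let's Encrypt staging — untrusted cert but no rate limits. Use for initial setup.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    # One ACME account key per environment; this Secret must not be
    # shared with the production issuer below.
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.scaleway.com
            solverName: scaleway
            config:
              # Scaleway API credentials with DNS write access. For a
              # ClusterIssuer the webhook resolves these Secret refs in
              # cert-manager's cluster-resource namespace, not in the
              # namespace of the Certificate — confirm against the webhook
              # docs. Keep the API key scoped to DNS zone management only.
              accessKeySecretRef:
                key: SCW_ACCESS_KEY
                name: scaleway-secret
              secretKeySecretRef:
                key: SCW_SECRET_KEY
                name: scaleway-secret
---
# Let's Encrypt production — trusted cert, strict rate limits.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ACME_EMAIL
    # Distinct from the staging account key on purpose.
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      - dns01:
          webhook:
            groupName: acme.scaleway.com
            solverName: scaleway
            config:
              # Same Scaleway credentials Secret as the staging issuer;
              # same namespace caveat applies.
              accessKeySecretRef:
                key: SCW_ACCESS_KEY
                name: scaleway-secret
              secretKeySecretRef:
                key: SCW_SECRET_KEY
                name: scaleway-secret
---
# Wildcard certificate covering all subdomains.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: pingora-tls
  namespace: ingress
spec:
  secretName: pingora-tls
  # Generate a fresh private key on every renewal rather than reusing the
  # original key for the lifetime of the Certificate (cert-manager's
  # historical default when rotationPolicy is unset). The consumer of the
  # pingora-tls Secret must pick up the new key material when it changes.
  privateKey:
    rotationPolicy: Always
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  # Apex plus wildcard; the wildcard needs the DNS-01 solver above.
  dnsNames:
    - DOMAIN_SUFFIX
    - "*.DOMAIN_SUFFIX"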