# ACME ClusterIssuers (HTTP-01 via the k3s-bundled Traefik ingress).
#
# Apply ONLY after cert-manager is Running:
#   kubectl -n cert-manager rollout status deploy/cert-manager-webhook
#
# Two issuers:
#   - letsencrypt-staging : use while testing (high rate limits, UNTRUSTED
#     certs). Point an Ingress at this first to prove the HTTP-01 flow works.
#   - letsencrypt-prod    : the real one the app Ingresses reference. Switch to
#     it once staging issues cleanly, to avoid burning Let's Encrypt's strict
#     prod rate limits on misconfigurations.
#
# HTTP-01 needs the hostname to resolve to this box (DNS A record -> 46.4.78.187)
# and port 80 reachable — both are already true (firewall opens 80 to the world).
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: info@dezky.eu
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      - http01:
          ingress:
            class: traefik
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: info@dezky.eu
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            class: traefik