# fleet/cert-manager — TLS for the cluster

cert-manager + ACME ClusterIssuers. Installs via the **k3s built-in Helm controller** (no Helm CLI needed), then defines `letsencrypt-staging` and `letsencrypt-prod` (HTTP-01 through the bundled Traefik).

## Apply order (matters — issuers need the CRDs first)

```bash
# 1) Install cert-manager
kubectl apply -f cert-manager.yaml

# 2) Wait until it's up (CRDs + webhook ready)
kubectl -n cert-manager rollout status deploy/cert-manager-webhook --timeout=180s
kubectl -n cert-manager get pods

# 3) Create the issuers
kubectl apply -f cluster-issuer.yaml
kubectl get clusterissuer   # both should report READY=True
```

## Notes

- ACME email is `info@dezky.eu` — change in `cluster-issuer.yaml` if needed.
- **Test with `letsencrypt-staging` first** (set an Ingress annotation `cert-manager.io/cluster-issuer: letsencrypt-staging`) to avoid burning the strict prod rate limits, then switch the apps to `letsencrypt-prod`.
- HTTP-01 requires each hostname's DNS A record → `46.4.78.187` and port 80 open (already true). A cert won't issue until DNS resolves.
- The app Ingresses (`fleet/apps/`) already reference `letsencrypt-prod`.
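
A preflight for the HTTP-01 note above, as an added example that is not part of this repository: it checks that every A record of each hostname is the node IP before an Ingress is pointed at `letsencrypt-prod`. It assumes `dig` is installed; the script name, the function names and the `EXPECTED_IP` variable are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: HTTP-01 DNS preflight (not part of the fleet repo).
# Assumption: `dig` is available; hostnames are passed as arguments.

EXPECTED_IP="${EXPECTED_IP:-46.4.78.187}"   # node IP from the Notes section

# Print the A records of a hostname, one per line (CNAME lines are filtered out).
resolve_a() {
  dig +short A "$1" | grep -E '^[0-9]+(\.[0-9]+){3}$'
}

# Return 0 only if the host has A records and every one equals EXPECTED_IP.
# A stray extra record can send ACME validation requests to another machine,
# so a partial match is treated as a failure.
check_host() {
  local host="$1" records ip
  records="$(resolve_a "$host" || true)"
  if [ -z "$records" ]; then
    echo "FAIL $host: no A record" >&2
    return 1
  fi
  for ip in $records; do
    if [ "$ip" != "$EXPECTED_IP" ]; then
      echo "FAIL $host: resolves to $ip, expected $EXPECTED_IP" >&2
      return 1
    fi
  done
  echo "OK   $host -> $EXPECTED_IP"
}

# Check every hostname; the return code is the number of failures (0 = ready).
preflight() {
  local failed=0 host
  for host in "$@"; do
    check_host "$host" || failed=$((failed + 1))
  done
  return "$failed"
}

# Runs only when hostnames are given, e.g. ./preflight.sh app.example.test
if [ "$#" -gt 0 ]; then
  preflight "$@"
fi
```

A non-zero exit means at least one hostname would fail the challenge, so keep that app on `letsencrypt-staging` until its DNS is corrected.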