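# cert-manager issuers for net-kingdom SSO/MFA
#
# Two issuers are defined:
#   1. selfsigned-issuer — self-signed certificates for internal/test use
#   2. letsencrypt-prod  — ACME (Let's Encrypt) for public-facing ingresses
#
# Both are ClusterIssuers, i.e. cluster-scoped: a Certificate in ANY namespace
# can reference them. Limit who may create Certificate resources via RBAC.
#
# Apply order:
#   kubectl apply -f issuers.yaml
#   kubectl apply -f test-certificate.yaml   # verify selfsigned-issuer works
#
# Prerequisites: cert-manager must be installed and its CRDs registered.
# On K3s: cert-manager is NOT installed by default — install via Helm:
#   helm repo add jetstack https://charts.jetstack.io
#   helm install cert-manager jetstack/cert-manager \
#     --namespace cert-manager --create-namespace \
#     --set crds.enabled=true
# Consider adding `--version <CHART_VERSION>` so the install is reproducible
# and chart upgrades are a deliberate, reviewed change.

# ── Self-signed ClusterIssuer (test / internal) ──────────────────────────────
# A selfSigned issuer signs each certificate with that certificate's own
# private key. It is not a shared CA: there is no common trust anchor, and
# clients will not validate these certificates unless they pin them.
# Use it for tests or to bootstrap a CA certificate (isCA: true) that a
# separate CA issuer then signs with; do not front user-facing SSO/MFA
# endpoints with certificates issued directly from it.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
---
# ── Let's Encrypt production ClusterIssuer ───────────────────────────────────
# Requires: public DNS pointing to the cluster, port 80 reachable by ACME.
# cert-manager creates a temporary solver Ingress with class `traefik`;
# Traefik routes the HTTP-01 challenge path to it.
#
# The `email` below is the ACME account contact. Replace it with your own
# address before applying.
#
# The production endpoint is rate-limited. Validate the setup first against
# staging (https://acme-staging-v02.api.letsencrypt.org/directory), then
# switch `server` back to the production URL.
#
# `privateKeySecretRef` names the Secret holding the ACME account private
# key. For a ClusterIssuer it lives in cert-manager's cluster resource
# namespace (by default the namespace cert-manager runs in). Restrict read
# access to that Secret; whoever holds it can act as this ACME account.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: bernd.worsch+netkingdom@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: traefik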