# infrastructure/cert-manager/clusterissuers.yaml
# Let's Encrypt ClusterIssuers for TLS certificates
# Usage: Add annotation to Ingress:
#   cert-manager.io/cluster-issuer: letsencrypt-prod
#
# ClusterIssuers are cluster-scoped: a Certificate (or an annotated Ingress)
# in any namespace can reference any issuer defined in this file, including
# internal-ca. Restrict who may create those resources if that reach is
# broader than intended.
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging endpoint for testing (higher rate limits, fake certs).
    # Its certificates are not publicly trusted; keep them off real traffic.
    server: 'https://acme-staging-v02.api.letsencrypt.org/directory'
    email: admin@example.com  # TODO: Update with your email
    # Secret that stores the ACME account private key for this issuer.
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      # HTTP-01 challenge via Ingress (the validated host must be reachable
      # over HTTP from the ACME server; wildcard names are not supported).
      - http01:
          ingress:
            ingressClassName: istio
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Production endpoint (rate limited, real certs).
    # Validate new Ingress configuration against letsencrypt-staging first.
    server: 'https://acme-v02.api.letsencrypt.org/directory'
    email: admin@example.com  # TODO: Update with your email
    # Secret that stores the ACME account private key; treat read access to
    # it as access to the ACME account itself.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      # HTTP-01 challenge via Ingress
      - http01:
          ingress:
            ingressClassName: istio
---
# Self-signed issuer: each certificate is signed by its own key, so clients
# have no chain to verify. Typically used only to bootstrap a CA certificate.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
# Internal CA for service-to-service mTLS
# The referenced Secret carries the CA certificate and private key. For a
# ClusterIssuer it is read from cert-manager's cluster resource namespace
# (the cert-manager namespace by default). Anyone who can read it can mint
# certificates the mesh will trust, so keep RBAC on that Secret tight.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca
spec:
  ca:
    secretName: internal-ca-key-pair