hearth/kubernetes/cert-manager/cluster-issuers.yaml
Eric Garcia e78000831e Initial commit: Port infrastructure from coherence-mcp
Hearth is the infrastructure home for the letemcook ecosystem.

Ported from coherence-mcp/infra:
- Terraform modules (VPC, EKS, IAM, NLB, S3, storage)
- Kubernetes manifests (Forgejo, ingress, cert-manager, karpenter)
- Deployment scripts (phased rollout)

Status: Not deployed. EKS cluster needs to be provisioned.

Next steps:
1. Bootstrap terraform backend
2. Deploy phase 1 (foundation)
3. Deploy phase 2 (core services including Forgejo)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-01-24 06:06:13 -05:00


# cert-manager ClusterIssuers
# RFC 0039: ADR-Compliant Foundation Infrastructure
#
# Provides:
# - Let's Encrypt production issuer
# - Let's Encrypt staging issuer (for testing)
# - Self-signed issuer (for internal services)
---
# Self-signed ClusterIssuer, used only to bootstrap the internal CA below
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned
spec:
  selfSigned: {}
---
# Internal CA for cluster services
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: alignment-ca
  namespace: cert-manager
spec:
  isCA: true
  commonName: alignment-internal-ca
  secretName: alignment-ca-secret
  duration: 87600h # 10 years
  renewBefore: 8760h # 1 year
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned
    kind: ClusterIssuer
    group: cert-manager.io
---
# Internal CA ClusterIssuer
# The CA secret must live in the cluster resource namespace (cert-manager),
# which is where the Certificate above writes it.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: alignment-ca
spec:
  ca:
    secretName: alignment-ca-secret
---
# Let's Encrypt Staging (for testing)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging server URL
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ${ACME_EMAIL}
    privateKeySecretRef:
      name: letsencrypt-staging-account-key
    solvers:
      # HTTP-01 challenge solver using ingress
      # (no selector, so it is the fallback for names outside ${DOMAIN})
      - http01:
          ingress:
            ingressClassName: nginx
      # DNS-01 challenge solver using Route53
      - dns01:
          route53:
            region: us-east-1
            # Use IRSA for authentication
            # Requires IAM role with Route53 permissions
        selector:
          dnsZones:
            - "${DOMAIN}"
---
# Let's Encrypt Production
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    # Production server URL
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${ACME_EMAIL}
    privateKeySecretRef:
      name: letsencrypt-production-account-key
    solvers:
      # HTTP-01 challenge solver using ingress
      # (no selector, so it is the fallback for names outside ${DOMAIN})
      - http01:
          ingress:
            ingressClassName: nginx
      # DNS-01 challenge solver using Route53
      - dns01:
          route53:
            region: us-east-1
            # Use IRSA for authentication
            # Requires IAM role with Route53 permissions
        selector:
          dnsZones:
            - "${DOMAIN}"
---
# ConfigMap for cert-manager configuration
apiVersion: v1
kind: ConfigMap
metadata:
  name: cert-manager-config
  namespace: cert-manager
data:
  # Replace these values during deployment. cert-manager does not expand the
  # ${ACME_EMAIL} / ${DOMAIN} placeholders in the issuers above; they must be
  # substituted before the manifest is applied.
  ACME_EMAIL: "admin@example.com"
  DOMAIN: "example.com"
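The manifest leaves `${ACME_EMAIL}` and `${DOMAIN}` to be replaced at deployment time, and the ConfigMap ships RFC 2606 placeholder values. The script below is an added example, not part of the hearth repository or its deployment scripts: it assumes envsubst-style `${VAR}` substitution (the page does not say which tool performs it), renders a constructed excerpt of the ClusterIssuers above, and refuses to pass anything with an unresolved placeholder, a leftover `example.com` value, an issuer whose name and ACME server disagree (a production issuer silently pointed at staging, or the reverse), or a CA ClusterIssuer whose secret no `isCA` Certificate produces. The manifest is flat enough that plain regular expressions suffice; no YAML library is needed.

```python
"""Render ${VAR} placeholders in cluster-issuers.yaml and lint the result before apply.
Added example; assumes envsubst-style substitution and constructed sample values."""
import re

# Constructed excerpt of the manifest above (issuer names and ACME URLs as on the page).
MANIFEST = """\
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: alignment-ca
  namespace: cert-manager
spec:
  isCA: true
  secretName: alignment-ca-secret
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: alignment-ca
spec:
  ca:
    secretName: alignment-ca-secret
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ${ACME_EMAIL}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ${ACME_EMAIL}
    solvers:
      - dns01:
          route53:
            region: us-east-1
        selector:
          dnsZones:
            - "${DOMAIN}"
"""

PLACEHOLDER = re.compile(r"\$\{([A-Z_][A-Z0-9_]*)\}")
ACME_SERVERS = {  # the server each issuer name must point at
    "letsencrypt-staging": "https://acme-staging-v02.api.letsencrypt.org/directory",
    "letsencrypt-production": "https://acme-v02.api.letsencrypt.org/directory",
}
RESERVED = ("example.com", "example.net", "example.org")  # RFC 2606 placeholder names


def render(manifest, values):
    """Substitute every ${VAR}; a placeholder without a value is a hard error,
    so a half-configured issuer never reaches the cluster."""
    def replace(match):
        name = match.group(1)
        if name not in values:
            raise KeyError(f"unresolved placeholder ${{{name}}}")
        return values[name]
    return PLACEHOLDER.sub(replace, manifest)


def field(doc, key):
    """First 'key: value' in one YAML document (metadata comes before spec, so
    'name' yields metadata.name). Adequate for this flat manifest only."""
    m = re.search(rf'^\s*{key}:\s*"?([^"\n]+?)"?\s*$', doc, re.M)
    return m.group(1) if m else None


def lint(rendered):
    """Return findings that should block apply; an empty list means clean."""
    findings = []
    docs = [d for d in re.split(r"^---\s*$", rendered, flags=re.M) if d.strip()]
    ca_secrets, issuer_ca_secrets = set(), {}
    for doc in docs:
        kind, name = field(doc, "kind"), field(doc, "name")
        if "${" in doc:
            findings.append(f"{kind}/{name}: unresolved placeholder")
        if any(r in doc for r in RESERVED):
            findings.append(f"{kind}/{name}: RFC 2606 placeholder value still present")
        if kind == "ClusterIssuer":
            server = field(doc, "server")
            if name in ACME_SERVERS and server != ACME_SERVERS[name]:
                findings.append(f"{kind}/{name}: expected {ACME_SERVERS[name]}, got {server}")
            if re.search(r"^\s*ca:\s*$", doc, re.M):
                issuer_ca_secrets[name] = field(doc, "secretName")
        if kind == "Certificate" and field(doc, "isCA") == "true":
            ca_secrets.add(field(doc, "secretName"))
    for name, secret in issuer_ca_secrets.items():
        if secret not in ca_secrets:
            findings.append(f"ClusterIssuer/{name}: CA secret {secret} is not produced by any isCA Certificate")
    return findings


if __name__ == "__main__":
    # Constructed deployment values; a real run would read them from the environment.
    rendered = render(MANIFEST, {"ACME_EMAIL": "ops@hearth.test", "DOMAIN": "hearth.test"})
    for finding in lint(rendered):
        print("BLOCK:", finding)
```

Run it as a pre-apply gate in the phased deployment scripts: a non-empty `lint()` result (or a `KeyError` from `render()`) should fail the pipeline before `kubectl apply` touches the ClusterIssuers, since a production issuer registered with a placeholder e-mail or pointed at the staging CA is only noticed once certificates start failing.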