---
# ClusterIssuer for Let's Encrypt Production
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  labels:
    app: gravl
    component: tls
spec:
  acme:
    # Let's Encrypt production server
    server: https://acme-v02.api.letsencrypt.org/directory
    email: admin@gravl.io
    privateKeySecretRef:
      name: letsencrypt-prod
    
    # HTTP-01 solver
    solvers:
    - http01:
        ingress:
          class: nginx

---
# ClusterIssuer for Let's Encrypt Staging (for testing)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  labels:
    app: gravl
    component: tls
spec:
  acme:
    # Let's Encrypt staging server
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@gravl.io
    privateKeySecretRef:
      name: letsencrypt-staging
    
    # HTTP-01 solver
    solvers:
    - http01:
        ingress:
          class: nginx

---
# ClusterIssuer for self-signed certificates (internal use)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
  labels:
    app: gravl
    component: tls
spec:
  selfSigned: {}

---
# CA Issuer for internal PKI
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: internal-ca-issuer
  labels:
    app: gravl
    component: tls
spec:
  ca:
    secretName: internal-ca-key-pair