gravl/k8s/production/cert-manager-setup.yaml

# cert-manager Installation & Configuration
# Phase 10-07, Task 5: Production TLS Gate
# Status: READY FOR IMPLEMENTATION

---
# 1. Install cert-manager (version 1.14.x for K8s 1.26+)
# Execution: kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.14.0/cert-manager.yaml

apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
---

# 2. Let's Encrypt ClusterIssuer (Production)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  namespace: cert-manager
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@gravl.app
    privateKeySecretRef:
      name: letsencrypt-prod
    solvers:
    - http01:
        ingress:
          class: nginx
    - dns01:
        cloudflare:
          email: ops@gravl.app
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token

---
# 3. Let's Encrypt ClusterIssuer (Staging - for testing)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
  namespace: cert-manager
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@gravl.app
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
    - http01:
        ingress:
          class: nginx

---
# 4. Self-Signed Issuer (Fallback for internal testing)
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
  name: selfsigned-issuer
  namespace: gravl-prod
spec:
  selfSigned: {}

---
# 5. Updated Ingress with cert-manager annotations
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gravl-ingress
  namespace: gravl-prod
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
spec:
  tls:
  - hosts:
    - gravl.app
    - api.gravl.app
    secretName: gravl-tls-prod
  rules:
  - host: gravl.app
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: frontend
            port:
              number: 80
  - host: api.gravl.app
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: backend
            port:
              number: 3000

---
# 6. Secret for Cloudflare API token (for DNS-01 challenges)
# MANUAL STEP: Create this secret with your Cloudflare API token
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  api-token: "PLACEHOLDER_REPLACE_WITH_ACTUAL_TOKEN"