---
# Staging ClusterIssuer for testing (higher rate limits, not browser-trusted)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Let's Encrypt staging server
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: danijels@gmail.com
    privateKeySecretRef:
      name: letsencrypt-staging-key
    solvers:
    - dns01:
        azureDNS:
          subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
          resourceGroupName: forteapps-domain
          hostedZoneName: forteapps.net
          environment: AzurePublicCloud
          tenantID: 063afd9e-5fcb-48d2-a769-ca31b0f5b443
          clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
      selector:
        dnsNames:
        - '*.forteapps.net'
        - 'forteapps.net'
    # HTTP-01 fallback for non-wildcard certificates
    - http01:
        ingress:
          class: traefik
---
# Production ClusterIssuer for browser-trusted certificates
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    # Let's Encrypt production server
    server: https://acme-v02.api.letsencrypt.org/directory
    email: danijels@gmail.com
    privateKeySecretRef:
      name: letsencrypt-prod-key
    solvers:
    # DNS-01 solver for wildcard certificates (*.forteapps.net)
    - dns01:
        azureDNS:
          subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
          resourceGroupName: forteapps-domain
          hostedZoneName: forteapps.net
          environment: AzurePublicCloud
          tenantID: 063afd9e-5fcb-48d2-a769-ca31b0f5b443
          clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
          clientSecretSecretRef:
            name: azuredns-config
            key: client-secret
      selector:
        dnsNames:
        - '*.forteapps.net'
        - 'forteapps.net'
    # HTTP-01 fallback for non-wildcard certificates
    - http01:
        ingress:
          class: traefik

# =============================================================================
# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES
# =============================================================================
#
# PREREQUISITES IN AZURE DNS PORTAL:
# ----------------------------------
# 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your
#    Azure subscription. If not, create it in Azure Portal:
#    - Search for "DNS zones" → Create → Zone name: forteapps.net
#    - Note the Resource Group where you create it (e.g., "dns-zones-rg")
#
# 2. Configure NS records at your domain registrar to point to Azure DNS:
#    - In Azure Portal → DNS zones → forteapps.net
#    - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.)
#    - Go to your domain registrar and update the NS records to these values
#
# AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters):
# ----------------------------------------------------------------------------
# Since your cluster runs on UpCloud (not AKS), you must use Service Principal
# authentication. Managed Identity only works with Azure-hosted resources.
#
# =============================================================================
# SETUP: Service Principal for UpCloud Clusters
# =============================================================================
#
# 1. Create Azure AD App Registration:
#    az ad sp create-for-rbac --name cert-manager-dns --sdk-auth
#    # Save the JSON output - you'll need appId (clientID) and password (clientSecret)
#
# 2. Assign DNS Zone Contributor role:
#    az role assignment create \
#      --role "DNS Zone Contributor" \
#      --assignee <SERVICE_PRINCIPAL_CLIENT_ID> \
#      --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<DNS_RESOURCE_GROUP>/providers/Microsoft.Network/dnszones/forteapps.net
#
# 3. Create Kubernetes secret for the service principal:
#    kubectl create secret generic azuredns-config \
#      --namespace cert-manager \
#      --from-literal=client-secret=YOUR_CLIENT_SECRET
#
# 4. Update the ClusterIssuer above with:
#    - subscriptionID: Your Azure subscription ID
#    - resourceGroupName: The resource group containing your DNS zone
#    - clientID: The Service Principal appId/clientID
#    - clientSecretSecretRef: References the secret created in step 3
#
# =============================================================================
# ALTERNATIVE DNS PROVIDERS (for reference):
# =============================================================================

# -----------------------------------------------------------------------------
# Cloudflare (original configuration)
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
#   --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
#
# dns01:
#   cloudflare:
#     email: your-cloudflare-email@example.com
#     apiTokenSecretRef:
#       name: cloudflare-api-token-secret
#       key: api-token

# -----------------------------------------------------------------------------
# AWS Route53
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic route53-credentials \
#   --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
#
# dns01:
#   route53:
#     region: us-east-1
#     hostedZoneID: ZXXXXXXXXXXXXX
#     accessKeyID: YOUR_ACCESS_KEY_ID
#     secretAccessKeySecretRef:
#       name: route53-credentials
#       key: secret-access-key

# -----------------------------------------------------------------------------
# Google Cloud DNS
# -----------------------------------------------------------------------------
# Create secret with service account JSON key:
# kubectl create secret generic clouddns-service-account \
#   --from-file=service-account.json=path/to/key.json -n cert-manager
#
# dns01:
#   cloudDNS:
#     project: YOUR_GCP_PROJECT_ID
#     hostedZoneName: example-com
#     serviceAccountSecretRef:
#       name: clouddns-service-account
#       key: service-account.json

# -----------------------------------------------------------------------------
# GoDaddy
# -----------------------------------------------------------------------------
# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
#
# dns01:
#   webhook:
#     groupName: acme.yourcompany.com
#     solverName: godaddy
#     config:
#       apiKeySecretRef:
#         name: godaddy-api-credentials
#         key: api-key
#       apiSecretSecretRef:
#         name: godaddy-api-credentials
#         key: api-secret

# -----------------------------------------------------------------------------
# Manual/Dynamic DNS (for homelab)
# -----------------------------------------------------------------------------
# Requires RFC2136 provider or external webhook
#
# dns01:
#   rfc2136:
#     nameserver: your-dns-server.example.com
#     tsigKeyName: cert-manager-key
#     tsigAlgorithm: HMACSHA256
#     tsigSecretSecretRef:
#       name: tsig-secret
#       key: secret