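---
# Example: Wildcard Certificate for *.example.com
#
# A wildcard name matches exactly ONE label: it covers app.example.com and
# api.example.com, but not a.b.example.com and not the apex example.com
# (which is why the apex is listed separately below).
#
# Security notes:
# - Let's Encrypt issues wildcard certificates only through the DNS-01
#   challenge, so the referenced ClusterIssuer must have a dns01 solver.
# - The private key in the resulting Secret is valid for every first-level
#   subdomain. Keep RBAC read access to Secrets in this namespace narrow.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-example-com
  namespace: default  # Change to your application's namespace
spec:
  # The secret where the TLS certificate will be stored.
  # Secrets are namespaced: every Ingress/IngressRoute that references it
  # must live in the same namespace as this Certificate.
  secretName: wildcard-example-com-tls

  # Use the production issuer (use letsencrypt-staging for testing)
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

  # DNS names this certificate will cover
  # Both wildcard AND apex domain are recommended
  dnsNames:
    - '*.example.com'  # Covers: app.example.com, api.example.com, etc.
    - 'example.com'  # Also include apex domain explicitly

  # Optional: Configure certificate duration and renewal
  duration: 2160h0m0s  # 90 days (Let's Encrypt default)
  renewBefore: 720h0m0s  # Renew 30 days before expiry

  # Optional: Private key settings
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096
    # Generate a fresh key at every renewal instead of reusing the old one,
    # so a leaked wildcard key stops being useful once the cert is replaced.
    # Older cert-manager releases default to Never when this is omitted.
    rotationPolicy: Always
---
# Example: Using the wildcard certificate with a Traefik IngressRoute
#
# NOTE(review): traefik.containo.us is the legacy CRD API group. Newer
# Traefik releases serve these CRDs under traefik.io/v1alpha1 - confirm
# which group your installed Traefik version provides.
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
  name: app-ingress
  namespace: default
spec:
  entryPoints:
    - websecure
  routes:
    # Only the hosts listed here are routed. The wildcard cert would also
    # validate for any other first-level subdomain added to this rule.
    - match: Host(`app.example.com`) || Host(`api.example.com`) || Host(`www.example.com`)
      kind: Rule
      services:
        - name: my-service
          port: 80
  tls:
    # Reference the secret created by the Certificate (same namespace)
    secretName: wildcard-example-com-tls
---
# Example: Using wildcard certificate with standard Kubernetes Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wildcard-ingress
  namespace: default
  annotations:
    # No cert-manager.io/cluster-issuer annotation here on purpose: it makes
    # cert-manager's ingress-shim create a second Certificate for the
    # secretName below, so two Certificate objects would target the same
    # Secret and conflict. The Certificate resource above already owns it.
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  tls:
    - hosts:
        - '*.example.com'
        - 'example.com'
      # Existing Secret maintained by the wildcard-example-com Certificate
      secretName: wildcard-example-com-tls
  rules:
    - host: app.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80
    - host: api.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api-service
                port:
                  number: 80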