---
# Wildcard Certificate for *.forteapps.net
# This creates a certificate that covers ALL subdomains of forteapps.net
# Once created, you can use it for any app like:
#   - myapp.forteapps.net
#   - api.forteapps.net
#   - git.forteapps.net
#   - vaultwarden.forteapps.net
#   - etc.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-forteapps-net
  namespace: cert-manager # Can be in any namespace, cert-manager namespace is common
spec:
  # The secret where the TLS certificate will be stored
  # This secret can be referenced by IngressRoutes in any namespace
  secretName: wildcard-forteapps-net-tls

  # Use the production issuer (use letsencrypt-staging for testing)
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer

  # DNS names this certificate will cover
  # Both wildcard AND apex domain are recommended
  dnsNames:
  - '*.forteapps.net' # Covers: myapp.forteapps.net, api.forteapps.net, etc.
  - 'forteapps.net' # Also include apex domain explicitly
  # Optional: Configure certificate duration and renewal
  duration: 2160h0m0s # 90 days (Let's Encrypt default)
  renewBefore: 720h0m0s # Renew 30 days before expiry

  # Optional: Private key settings
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096