From c5ff556e483fa6d16c2f508b0296d13e245db462 Mon Sep 17 00:00:00 2001 From: Haitao Pan Date: Sat, 4 Apr 2026 11:25:22 +0800 Subject: [PATCH] docs(gitops): clarify cert-manager ownership --- services/database/postgresql/README.md | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/services/database/postgresql/README.md b/services/database/postgresql/README.md index 59ca561..36e550c 100644 --- a/services/database/postgresql/README.md +++ b/services/database/postgresql/README.md @@ -30,3 +30,10 @@ Default certificate issuance uses ACME HTTP-01 through the `caddy` ingress class. A DNS-01 Cloudflare issuer is predeclared for future wildcard and additional subdomain certificates, and `selfSigned` remains available for internal temporary or fallback use. + +The boundary is intentionally narrow: + +- `cert-manager` owns the TLS Secret lifecycle +- `Caddy` provides ingress routing and HTTP-01 challenge reachability +- `external-dns` only reconciles DNS records +- `external-secrets` continues to manage Vault-backed runtime secrets
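Review bot: the ownership list leaves one overlap undocumented: the "`external-dns` only reconciles DNS records" bullet sits directly under a paragraph that predeclares a DNS-01 Cloudflare issuer, and a DNS-01 solver also writes DNS records (the ACME challenge TXT records) in that zone. The README should say which component owns those records so a reader does not expect `external-dns` to create or prune them, e.g. "- `cert-manager` owns the TLS Secret lifecycle, including the ACME challenge TXT records written by the DNS-01 solver". It would also help to state where the Cloudflare API credential for that solver comes from (the `external-secrets` bullet only mentions "Vault-backed runtime secrets"), since that credential is the one secret in this list whose owner is ambiguous. Minor: "The boundary is intentionally narrow" reads better as "The responsibility boundary between these components is intentionally narrow", so the sentence is clear without the preceding paragraph.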