feat(gitops): switch postgresql tls to acme issuers

2026-04-04 10:38:10 +08:00 · 2026-04-04 10:38:10 +08:00 · dffcda8063
commit dffcda8063
parent e37a029c67
4 changed files with 40 additions and 4 deletions
--- a/services/database/postgresql-tls/certificate.yaml
+++ b/services/database/postgresql-tls/certificate.yaml
@ -9,6 +9,6 @@ spec:
  dnsNames:
    - postgresql-prod.svc.plus
  issuerRef:
-    name: svc-plus-selfsigned
+    name: svc-plus-acme-http01
    kind: ClusterIssuer
    group: cert-manager.io
--- a/services/database/postgresql/README.md
+++ b/services/database/postgresql/README.md
@ -24,5 +24,9 @@ expected Vault keys from local environment variables or existing K8s Secrets.
 The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for
 `postgresql-tls` is now owned directly by cert-manager in both the `platform`
 and `database` namespaces, so `stunnel-server` can mount the database-local
-Secret without any cross-namespace sync job. Do not commit the secret values to
-Git.
+Secret without any cross-namespace sync job.
+
+Default certificate issuance uses ACME HTTP-01 through the `caddy` ingress
+class. A DNS-01 Cloudflare issuer is predeclared for future wildcard and
+additional subdomain certificates, and `selfSigned` remains available for
+internal temporary or fallback use.
--- a/services/platform/cert-manager/clusterissuer.yaml
+++ b/services/platform/cert-manager/clusterissuer.yaml
@ -4,3 +4,35 @@ metadata:
  name: svc-plus-selfsigned
 spec:
  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: svc-plus-acme-http01
+spec:
+  acme:
+    email: manbuzhe2009@qq.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: svc-plus-acme-http01-account-key
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: caddy
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: svc-plus-acme-dns01-cloudflare
+spec:
+  acme:
+    email: manbuzhe2009@qq.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: svc-plus-acme-dns01-cloudflare-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
--- a/services/platform/postgresql-tls/certificate.yaml
+++ b/services/platform/postgresql-tls/certificate.yaml
@ -9,6 +9,6 @@ spec:
  dnsNames:
    - postgresql-prod.svc.plus
  issuerRef:
-    name: svc-plus-selfsigned
+    name: svc-plus-acme-http01
    kind: ClusterIssuer
    group: cert-manager.io