From dffcda80635783e3f197f381e23b299e469e316b Mon Sep 17 00:00:00 2001
From: Haitao Pan
Date: Sat, 4 Apr 2026 10:38:10 +0800
Subject: [PATCH] feat(gitops): switch postgresql tls to acme issuers

---
 .../database/postgresql-tls/certificate.yaml | 2 +-
 services/database/postgresql/README.md | 8 +++--
 .../platform/cert-manager/clusterissuer.yaml | 32 +++++++++++++++++++
 .../platform/postgresql-tls/certificate.yaml | 2 +-
 4 files changed, 40 insertions(+), 4 deletions(-)

diff --git a/services/database/postgresql-tls/certificate.yaml b/services/database/postgresql-tls/certificate.yaml
index 243b83a..15f6cc9 100644
--- a/services/database/postgresql-tls/certificate.yaml
+++ b/services/database/postgresql-tls/certificate.yaml
@@ -9,6 +9,6 @@ spec:
   dnsNames:
     - postgresql-prod.svc.plus
   issuerRef:
-    name: svc-plus-selfsigned
+    name: svc-plus-acme-http01
     kind: ClusterIssuer
     group: cert-manager.io
diff --git a/services/database/postgresql/README.md b/services/database/postgresql/README.md
index a95992f..59ca561 100644
--- a/services/database/postgresql/README.md
+++ b/services/database/postgresql/README.md
@@ -24,5 +24,9 @@ expected Vault keys from local environment variables or existing K8s Secrets.
 The ingress domain is `postgresql-prod.svc.plus` for this prod cluster. TLS for `postgresql-tls` is now owned directly by cert-manager in both the `platform` and `database` namespaces, so `stunnel-server` can mount the database-local
-Secret without any cross-namespace sync job. Do not commit the secret values to
-Git.
+Secret without any cross-namespace sync job.
+
+Default certificate issuance uses ACME HTTP-01 through the `caddy` ingress
+class. A DNS-01 Cloudflare issuer is predeclared for future wildcard and
+additional subdomain certificates, and `selfSigned` remains available for
+internal temporary or fallback use.
diff --git a/services/platform/cert-manager/clusterissuer.yaml b/services/platform/cert-manager/clusterissuer.yaml
index 3935b5d..e19c5a9 100644
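Review bot: The new `issuerRef` points this Certificate, and the identical one in `services/platform/postgresql-tls/certificate.yaml`, at the production Let's Encrypt directory for the same single dnsName `postgresql-prod.svc.plus`, so every issuance and renewal is requested twice and counts twice against the duplicate-certificate rate limit. A failed HTTP-01 challenge (the host must be reachable on port 80 through the `caddy` ingress class) leaves the Certificate not Ready with no automatic fallback to the old `svc-plus-selfsigned` issuer, so the first switch is worth exercising against a staging directory before pointing at production. Anything that currently trusts the self-signed CA (the README names `stunnel-server` as the consumer of this Secret) will presumably need its trust store changed in the same rollout — worth confirming. The rest of the Certificate spec (secretName, duration, renewBefore) is outside the hunk.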
--- a/services/platform/cert-manager/clusterissuer.yaml
+++ b/services/platform/cert-manager/clusterissuer.yaml
@@ -4,3 +4,35 @@ metadata:
   name: svc-plus-selfsigned
 spec:
   selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: svc-plus-acme-http01
+spec:
+  acme:
+    email: manbuzhe2009@qq.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: svc-plus-acme-http01-account-key
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: caddy
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: svc-plus-acme-dns01-cloudflare
+spec:
+  acme:
+    email: manbuzhe2009@qq.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: svc-plus-acme-dns01-cloudflare-account-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
diff --git a/services/platform/postgresql-tls/certificate.yaml b/services/platform/postgresql-tls/certificate.yaml
index 334b6fd..1286f1b 100644
--- a/services/platform/postgresql-tls/certificate.yaml
+++ b/services/platform/postgresql-tls/certificate.yaml
@@ -9,6 +9,6 @@ spec:
   dnsNames:
     - postgresql-prod.svc.plus
   issuerRef:
-    name: svc-plus-selfsigned
+    name: svc-plus-acme-http01
     kind: ClusterIssuer
     group: cert-manager.io
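Review bot: The `svc-plus-acme-dns01-cloudflare` issuer references a Secret `cloudflare-api-token` (key `api-token`) that this commit neither creates nor documents; because the referencing object is a ClusterIssuer, cert-manager reads that Secret from its own namespace (the `--cluster-resource-namespace`, `cert-manager` by default), so it must be provisioned there out of band, and a token scoped to DNS edit on the single zone is the safe choice over an account-wide one. Since the README hunk calls this issuer "predeclared", a comment above its `metadata` block, `# requires Secret cloudflare-api-token (key: api-token) in the cert-manager namespace, provisioned out of band — never committed`, would save the next reader the hunt. Both issuers point straight at the production `acme-v02` directory with no staging counterpart; a staging issuer is the cheap way to exercise the `caddy` HTTP-01 path without spending production rate limits. The shared `email` is a personal mailbox that will receive expiry and policy notices; a role address is the more durable contact for an account key held in-cluster.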