Phase 1: Configure Harbor with Cloudflare Origin Certificate

- Remove cert-manager annotation (manual TLS secret)
- Reference harbor-ingress secret (Cloudflare Origin CA)
- Keep stable resource names for clean March 23 switchover
- Cloudflare-trusted certificate enables proxy mode

Phase 2 (March 23): Add cert-manager annotation back for Let's Encrypt
dvirlabs 2026-03-22 01:01:10 +02:00
parent a76c330d32
commit 07797d7618


@ -1,19 +1,19 @@
expose:
type: ingress
tls:
# Enable TLS - cert-manager will manage the certificate
# Enable TLS with external secret (Cloudflare Origin Certificate for now)
enabled: true
# Use "secret" to reference an existing/external secret managed by cert-manager
# DO NOT use "auto" (Harbor's self-signed CA conflicts with cert-manager)
# Use "secret" to reference pre-created TLS secret
certSource: secret
secret:
# This secret will be created and managed by cert-manager via the ingress annotation
# Secret created manually with Cloudflare Origin Certificate
# Will be managed by cert-manager after March 23
secretName: "harbor-ingress"
ingress:
className: traefik
annotations:
# TEMPORARY: Using staging to avoid rate limits (switch back to 'letsencrypt' after March 23, 2026)
cert-manager.io/cluster-issuer: letsencrypt-staging
# NO cert-manager annotation during Phase 1 (manual certificate)
# Add back on March 23 for automatic Let's Encrypt management
# Traefik specific annotations for HTTPS routing
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
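Review bot: In the `tls:` block, the removed warning `# DO NOT use "auto" (Harbor's self-signed CA conflicts with cert-manager)` still applies, because `certSource: secret` is unchanged and cert-manager is due back in Phase 2; keep that line so nobody flips the value to `auto` in the interim. The new comments under `secret:` say `harbor-ingress` is created manually but not where or how: with the `cert-manager.io/cluster-issuer` annotation gone, nothing in this file creates the secret, and an Ingress TLS secret has to exist in the same namespace as the Ingress, so name the namespace and the step that loads the Cloudflare Origin certificate and its private key. It is also worth stating in the comment that a Cloudflare Origin CA certificate is trusted only by Cloudflare's proxy, so any client that reaches Traefik directly will fail certificate verification during Phase 1. For Phase 2, consider leaving the annotation as a commented-out line with the intended issuer name, since the removed value was `letsencrypt-staging` and the new comment only says "Let's Encrypt", and note that cert-manager will then overwrite the manually created `harbor-ingress` secret.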