From a76c330d3282350b1e3f949429cd436640995f38 Mon Sep 17 00:00:00 2001
From: dvirlabs <dvirlabs@gmail.com>
Date: Sun, 22 Mar 2026 00:00:59 +0200
Subject: [PATCH] fix: Switch Harbor to Let's Encrypt staging to bypass rate
 limit

Rate limit error: 429 too many certificates (5) issued for harbor.dvirlabs.com
Must wait until March 23, 2026 07:00:21 UTC before using production again.

Changes:
- Created letsencrypt-staging ClusterIssuer
- Updated Harbor to use staging issuer temporarily
- Deleted failed certificate resources

After March 23, change cert-manager.io/cluster-issuer back to 'letsencrypt'
---
 letsencrypt-staging-issuer.yaml | 17 +++++++++++++++++
 manifests/harbor/values.yaml    |  4 ++--
 2 files changed, 19 insertions(+), 2 deletions(-)
 create mode 100644 letsencrypt-staging-issuer.yaml

diff --git a/letsencrypt-staging-issuer.yaml b/letsencrypt-staging-issuer.yaml
new file mode 100644
index 0000000..9d14da0
--- /dev/null
+++ b/letsencrypt-staging-issuer.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # Let's Encrypt Staging server - no rate limits for testing
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: dvirlabs@gmail.com
+    privateKeySecretRef:
+      name: letsencrypt-staging-account-key
+    solvers:
+    - dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            key: api-token
+            name: cloudflare-api-token
diff --git a/manifests/harbor/values.yaml b/manifests/harbor/values.yaml
index b084cbd..8fd42e6 100644
--- a/manifests/harbor/values.yaml
+++ b/manifests/harbor/values.yaml
@@ -12,8 +12,8 @@ expose:
   ingress:
     className: traefik
     annotations:
-      # cert-manager annotation - will create the certificate automatically
-      cert-manager.io/cluster-issuer: letsencrypt
+      # TEMPORARY: Using staging to avoid rate limits (switch back to 'letsencrypt' after March 23, 2026)
+      cert-manager.io/cluster-issuer: letsencrypt-staging
       # Traefik specific annotations for HTTPS routing
       traefik.ingress.kubernetes.io/router.entrypoints: websecure
       traefik.ingress.kubernetes.io/router.tls: "true"