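# =============================================================================
# Production values for cert-manager-stack
# This is the ONLY file you need to edit for your cert-manager deployment
# =============================================================================

# -----------------------------------------------------------------------------
# cert-manager Configuration (Upstream Chart)
# These values are passed directly to the embedded cert-manager subchart
# -----------------------------------------------------------------------------
cert-manager:
  # Enable the embedded cert-manager subchart
  enabled: true

  # Install CRDs as part of the Helm release.
  # keep: true leaves the CRDs in place when the release is uninstalled, so
  # existing Certificate/Issuer objects are not deleted along with the chart.
  crds:
    enabled: true
    keep: true

  # Disable Prometheus monitoring (enable if needed)
  prometheus:
    enabled: false

  # Global configuration
  global:
    leaderElection:
      namespace: cert-manager

  # Uncomment to configure resource limits
  # resources:
  #   requests:
  #     cpu: 10m
  #     memory: 32Mi
  #   limits:
  #     cpu: 100m
  #     memory: 128Mi

  # Uncomment to configure node selector
  # nodeSelector:
  #   kubernetes.io/os: linux

  # Additional cert-manager values can be added here
  # See: https://artifacthub.io/packages/helm/cert-manager/cert-manager

# -----------------------------------------------------------------------------
# Cloudflare DNS Provider Configuration
# -----------------------------------------------------------------------------
cloudflare:
  enabled: true

  # SECURITY: do not commit a live Cloudflare API token to this file.
  # A token with DNS edit rights lets its holder change records in every zone
  # it covers, which is enough to pass DNS-01 validation and obtain
  # certificates for those domains. Any token that was ever committed here
  # must be treated as exposed: revoke it in the Cloudflare dashboard, issue a
  # new one, and remove the old value from version-control history.
  #
  # Supply the token at install time instead, for example from an untracked
  # values file passed with `-f`, or with `--set-file cloudflare.apiToken=<path>`,
  # or move to External Secrets / Vault (see Migration Notes below).
  #
  # Get from: https://dash.cloudflare.com/profile/api-tokens
  # Required permissions: Zone:DNS:Edit for all zones
  # Least privilege: where possible, limit the token's zone resources to the
  # zones this issuer actually solves challenges for. cert-manager's
  # Cloudflare DNS-01 documentation also lists Zone:Zone:Read; confirm against
  # the current docs.
  # NOTE(review): confirm how the chart template handles an empty value here;
  # ideally it fails the render (e.g. via `required`) rather than creating an
  # empty Secret.
  apiToken: ""

  # Secret configuration (usually no need to change these).
  # secretName/secretKey must match clusterIssuer.dns01.cloudflare.apiTokenSecretRef.
  secretName: cloudflare-api-token
  secretKey: api-token
  namespace: cert-manager

# -----------------------------------------------------------------------------
# ClusterIssuer Configuration (Let's Encrypt)
# -----------------------------------------------------------------------------
clusterIssuer:
  enabled: true

  # ClusterIssuer name - referenced in Certificate and Ingress resources
  name: letsencrypt

  # Email for Let's Encrypt account registration and notifications
  email: dvirlabs@gmail.com

  # ACME server URL
  # Production (rate-limited): https://acme-v02.api.letsencrypt.org/directory
  # Staging (for testing): https://acme-staging-v02.api.letsencrypt.org/directory
  server: https://acme-v02.api.letsencrypt.org/directory

  # Secret name for storing ACME account private key
  privateKeySecretRef:
    name: letsencrypt-account-key

  # DNS-01 solver configuration using Cloudflare.
  # name/key below must match cloudflare.secretName/cloudflare.secretKey.
  dns01:
    cloudflare:
      apiTokenSecretRef:
        name: cloudflare-api-token
        key: api-token

# -----------------------------------------------------------------------------
# Migration Notes
# -----------------------------------------------------------------------------
# To migrate to External Secrets / Vault:
# 1. Create ExternalSecret resource in templates/
# 2. Set cloudflare.enabled: false
# 3. Keep cloudflare.secretName the same for ClusterIssuer reference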