REFACTOR(cert-manager): move from platform repo

- Add cert-manager Application and helm values
- Add ClusterIssuer manifests
- Update kustomization references

cert-manager/argocd.yaml

@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: default
+  sources:
+  - repoURL: https://charts.jetstack.io
+    chart: cert-manager
+    targetRevision: v1.16.2
+    helm:
+      valueFiles:
+      - $values/cert-manager/helm-values.yaml
+  - repoURL: https://github.com/K3S-HOME/security.git
+    targetRevision: main
+    ref: values
+  - repoURL: https://github.com/K3S-HOME/security.git
+    targetRevision: main
+    path: cert-manager
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+      allowEmpty: false
+    syncOptions:
+    - CreateNamespace=true
+    - PrunePropagationPolicy=foreground
+    - PruneLast=true
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+    managedNamespaceMetadata:
+      labels:
+        goldilocks.fairwinds.com/enabled: 'true'
+  revisionHistoryLimit: 10

cert-manager/helm-values.yaml

@@ -0,0 +1,70 @@
+# Cert-Manager Helm Values
+# Chart: https://github.com/cert-manager/cert-manager/tree/master/deploy/charts/cert-manager
+
+# Install CRDs with Helm
+installCRDs: true
+
+replicaCount: 1
+
+resources:
+  requests:
+    cpu: 23m
+    memory: 115Mi
+  limits:
+    memory: 115Mi
+
+webhook:
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 23m
+      memory: 115Mi
+    limits:
+      memory: 115Mi
+  # Affinity - Soft Anti-Affinity to spread pods across nodes
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          podAffinityTerm:
+            labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: cert-manager-webhook
+            topologyKey: kubernetes.io/hostname
+
+cainjector:
+  replicaCount: 1
+  resources:
+    requests:
+      cpu: 23m
+      memory: 230Mi
+    limits:
+      memory: 230Mi
+  # Affinity - Soft Anti-Affinity to spread pods across nodes
+  affinity:
+    podAntiAffinity:
+      preferredDuringSchedulingIgnoredDuringExecution:
+        - weight: 100
+          podAffinityTerm:
+            labelSelector:
+              matchLabels:
+                app.kubernetes.io/name: cert-manager-cainjector
+            topologyKey: kubernetes.io/hostname
+
+# Affinity - Soft Anti-Affinity to spread pods across nodes
+affinity:
+  podAntiAffinity:
+    preferredDuringSchedulingIgnoredDuringExecution:
+      - weight: 100
+        podAffinityTerm:
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: cert-manager
+          topologyKey: kubernetes.io/hostname
+
+# Prometheus metrics
+prometheus:
+  enabled: true
+  servicemonitor:
+    enabled: false
+

cert-manager/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- manifests/cluster-issuer.yaml

cert-manager/manifests/cluster-issuer.yaml

@@ -0,0 +1,41 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # Let's Encrypt Production 서버
+    # 실제 운영 환경에서 사용
+    # Rate limit: 50 certificates per registered domain per week
+    server: https://acme-v02.api.letsencrypt.org/directory
+
+    # 인증서 만료 알림을 받을 이메일 주소
+    email: bluemayne0213@icloud.com
+
+    # ACME 계정의 private key를 저장할 Secret 이름
+    privateKeySecretRef:
+      name: letsencrypt-prod
+
+    # HTTP-01 challenge를 사용하여 도메인 소유권 검증
+    # Traefik Ingress를 통해 /.well-known/acme-challenge/ 경로로 검증
+    solvers:
+    - http01:
+        ingress:
+          class: traefik
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # Let's Encrypt Staging 서버
+    # 테스트용 - 브라우저에서 신뢰하지 않지만 rate limit 없음
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: bluemayne0213@icloud.com
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - http01:
+        ingress:
+          class: traefik

kustomization.yaml

@@ -5,6 +5,7 @@ resources:
   # Self-reference for App of Apps pattern
   - application.yaml
 
+  - cert-manager/argocd.yaml
   - authelia/argocd.yaml
   - vault/argocd.yaml
   - external-secrets/argocd.yaml