---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    email: {{ .operator.email }}
    privateKeySecretRef:
      name: letsencrypt-prod
    server: https://acme-v02.api.letsencrypt.org/directory
    solvers:
    # DNS-01 solver for wildcard certificates
    - dns01:
        cloudflare:
          email: {{ .operator.email }}
          apiTokenSecretRef:
            name: cloudflare-api-token
            key: api-token
      selector:
        dnsZones:
        - "{{ .cluster.certManager.cloudflare.domain }}"
    # Keep the HTTP-01 solver for non-wildcard certificates
    - http01:
        ingress:
          class: traefik