From 02f6ab03bce00f693b0a7a9279d6b0a627552b44 Mon Sep 17 00:00:00 2001
From: Nikholas Pcenicni <82239765+nikpcenicni@users.noreply.github.com>
Date: Fri, 15 May 2026 01:20:07 -0400
Subject: [PATCH] Update cert-manager configurations for Let's Encrypt to include DNS-01 challenge support for both pcenicni.dev and nikflix.ca. Clarify Cloudflare API token requirements in comments and remove HTTP-01 fallback references for cleaner configuration.
---
 .../cert-manager/clusterissuer-letsencrypt-prod.yaml | 9 +++------
 .../cert-manager/clusterissuer-letsencrypt-staging.yaml | 4 +---
 2 files changed, 4 insertions(+), 9 deletions(-)
diff --git a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
index fd22692..7acb80a 100644
--- a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
+++ b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-prod.yaml
@@ -11,7 +11,8 @@ spec:
 privateKeySecretRef:
 name: letsencrypt-prod-account-key
 solvers:
- # DNS-01 — Cloudflare token covers pcenicni.dev only. Requires Secret cloudflare-dns-api-token in cert-manager.
+ # DNS-01 — Cloudflare token must have Zone.Read + DNS.Edit for BOTH pcenicni.dev AND nikflix.ca.
+ # Edit the token in Cloudflare → My Profile → API Tokens to add nikflix.ca zone permissions.
 - dns01:
 cloudflare:
 apiTokenSecretRef:
@@ -20,8 +21,4 @@ spec:
 selector:
 dnsZones:
 - pcenicni.dev
- # HTTP-01 fallback — used for all other zones (e.g. nikflix.ca via Pangolin → Newt → Traefik).
- # Requires a Pangolin HTTP resource + target for each hostname before LE can reach /.well-known/acme-challenge/.
- - http01:
- ingress:
- ingressClassName: traefik
+ - nikflix.ca
diff --git a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
index 317b4a7..b85c2a8 100644
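Review bot: The comment added above `- dns01:` asks for a single Cloudflare token with DNS.Edit on both pcenicni.dev and nikflix.ca, which means anything able to read that Secret can change records in both zones and pass DNS-01 for any name in either. A token per zone, each behind its own solver and `dnsZones` selector, keeps the credential for one zone from reaching the other. The `name`/`key` lines under `apiTokenSecretRef` fall between this hunk and the next and are not visible, so the values below are placeholders; the staging issuer would need the same split if it references the same Secret.

```yaml
solvers:
  # … unchanged: existing dns01 solver and its token secret, selector kept to pcenicni.dev only …
  # Second solver with its own token, scoped to the nikflix.ca zone only.
  - dns01:
      cloudflare:
        apiTokenSecretRef:
          name: "<nikflix-ca-token-secret>"  # placeholder
          key: "<token-key>"                 # placeholder
    selector:
      dnsZones:
        - nikflix.ca
```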
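Review bot: After the `http01` entry is dropped in the second hunk, no solver without a selector remains, so a Certificate for a hostname outside pcenicni.dev and nikflix.ca matches nothing and will not be issued; the staging issuer's hunk has the same effect. For nikflix.ca the switch to DNS-01 also removes the per-hostname HTTP route that the deleted comment described as a prerequisite, and it makes wildcard names issuable; going by the file name this is a ClusterIssuer, so that presumably holds for every namespace allowed to request from it. I would state this above `dnsZones:`, e.g. `# No catch-all solver: only the zones listed here can be issued, wildcards included.`, and check that access to this issuer is limited to the namespaces that need it.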
--- a/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
+++ b/clusters/noble/bootstrap/cert-manager/clusterissuer-letsencrypt-staging.yaml
@@ -19,6 +19,4 @@ spec:
 selector:
 dnsZones:
 - pcenicni.dev
- - http01:
- ingress:
- ingressClassName: traefik
+ - nikflix.ca