openova/clusters/_template/bootstrap-kit/02-cert-manager.yaml

# bp-cert-manager — Catalyst bootstrap-kit Blueprint. TLS for everything below — Lets Encrypt issuer with Dynadot DNS-01 (omani.works pool) or HTTP-01 (BYO domains).
#
# Wrapper chart: platform/cert-manager/chart/
# Catalyst-curated values: platform/cert-manager/chart/values.yaml
# Reconciled by: Flux on the new Sovereign's k3s control plane.

---
apiVersion: v1
kind: Namespace
metadata:
  name: cert-manager
  labels:
    catalyst.openova.io/sovereign: ${SOVEREIGN_FQDN}
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
  name: bp-cert-manager
  namespace: flux-system
spec:
  type: oci
  interval: 15m
  url: oci://ghcr.io/openova-io
  secretRef:
    name: ghcr-pull
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: bp-cert-manager
  namespace: flux-system
spec:
  interval: 15m
  releaseName: cert-manager
  targetNamespace: cert-manager
  dependsOn:
    - name: bp-cilium
  chart:
    spec:
      chart: bp-cert-manager
      version: 1.1.1
      sourceRef:
        kind: HelmRepository
        name: bp-cert-manager
        namespace: flux-system
  # Event-driven install: cert-manager installs CRDs + 3 deployments
  # (controller, webhook, cainjector). Webhook readiness depends on the
  # cainjector mutating the Secret — multi-minute path on cold start.
  # Helm install completes when manifests apply; subsequent dependsOn
  # checks Ready=True independently. Replaces PR #221 spec.timeout: 15m.
  install:
    disableWait: true
    remediation:
      retries: 3
  upgrade:
    disableWait: true
    remediation:
      retries: 3
  values:
    cert-manager:
      prometheus:
        enabled: false
        servicemonitor:
          enabled: false