Add new infra architecture

infrastructure/platform/cert-manager/ca-root-certificate.yaml

@@ -0,0 +1,27 @@
+# Create a root CA certificate for local development
+# NOTE: This certificate must be ready before the local-ca-issuer can be used
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: local-ca-cert
+  namespace: cert-manager  # This ensures the secret is created in the cert-manager namespace
+spec:
+  isCA: true
+  commonName: bakery-ia-local-ca
+  subject:
+    organizationalUnits:
+      - "Bakery IA Local CA"
+    organizations:
+      - "Bakery IA"
+    countries:
+      - "US"
+  secretName: local-ca-key-pair
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: ClusterIssuer
+    group: cert-manager.io
+  duration: 8760h # 1 year
+  renewBefore: 720h # 30 days

infrastructure/platform/cert-manager/cert-manager.yaml

@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+---
+# NOTE: Do NOT define cert-manager ServiceAccounts here!
+# The ServiceAccounts (cert-manager, cert-manager-cainjector, cert-manager-webhook)
+# are created by the upstream cert-manager installation (kubernetes_restart.sh).
+# Redefining them here would strip their RBAC bindings and break authentication.
+---
+# Self-signed ClusterIssuer for bootstrapping the CA certificate chain
+# This issuer is used to create the root CA certificate which then
+# becomes the issuer for all other certificates in the cluster
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: selfsigned-issuer
+spec:
+  selfSigned: {}
+---
+# Cert-manager installation using Helm repository
+# This will be installed via kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.13.2/cert-manager.yaml
+# The actual installation will be done via command line, this file documents the resources

infrastructure/platform/cert-manager/cluster-issuer-production.yaml

@@ -0,0 +1,23 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+  namespace: cert-manager
+spec:
+  acme:
+    # The ACME server URL (Let's Encrypt production)
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: admin@bakewise.ai
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-production
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+          podTemplate:
+            spec:
+              nodeSelector:
+                "kubernetes.io/os": linux

infrastructure/platform/cert-manager/cluster-issuer-staging.yaml

@@ -0,0 +1,24 @@
+# Let's Encrypt Staging ClusterIssuer
+# Use this for testing before switching to production
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL (Let's Encrypt staging)
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: admin@bakery-ia.local  # Change this to your email
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+    - http01:
+        ingress:
+          class: nginx
+          podTemplate:
+            spec:
+              nodeSelector:
+                "kubernetes.io/os": linux

infrastructure/platform/cert-manager/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - cert-manager.yaml
+  - ca-root-certificate.yaml
+  - local-ca-issuer.yaml
+  - cluster-issuer-staging.yaml
+  - cluster-issuer-production.yaml

infrastructure/platform/cert-manager/local-ca-issuer.yaml

@@ -0,0 +1,7 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: local-ca-issuer
+spec:
+  ca:
+    secretName: local-ca-key-pair