apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: bakery-ia-prod-tls-cert
  namespace: bakery-ia
spec:
  # Let's Encrypt certificate for production
  secretName: bakery-ia-prod-tls-cert

  # Certificate duration and renewal
  duration: 2160h # 90 days (Let's Encrypt default)
  renewBefore: 360h # 15 days before expiry

  # Subject configuration
  subject:
    organizations:
      - Bakery IA

  # Common name
  commonName: bakewise.ai

  # DNS names this certificate is valid for
  dnsNames:
    - bakewise.ai
    - www.bakewise.ai
    - mail.bakewise.ai
    - monitoring.bakewise.ai
    - gitea.bakewise.ai
    - api.bakewise.ai

  # Use Let's Encrypt production issuer
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
    group: cert-manager.io

  # Private key configuration
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 2048

  # Usages
  usages:
    - server auth
    - client auth
    - digital signature
    - key encipherment