# Self-signed TLS certificate secret for Mailu Front
# This is required by the Mailu Helm chart even when TLS is disabled (tls.flavor: notls)
# The Front pod mounts this secret for internal certificate handling
#
# For production, replace with proper certificates from cert-manager or Let's Encrypt
# This script generates a self-signed certificate valid for 365 days
#
# To regenerate manually:
#   openssl req -x509 -nodes -days 365 -newkey rsa:2048 \
#     -keyout tls.key -out tls.crt \
#     -subj "/CN=mail.bakery-ia.local/O=bakery-ia"
#   kubectl create secret tls mailu-certificates \
#     --cert=tls.crt --key=tls.key -n bakery-ia
apiVersion: v1
kind: Secret
metadata:
  name: mailu-certificates
  namespace: bakery-ia
  labels:
    app.kubernetes.io/name: mailu
    app.kubernetes.io/component: certificates
type: kubernetes.io/tls
data:
  # Placeholder - will be generated dynamically by the setup script
  tls.crt: ""
  tls.key: ""