From ca98dd2d916395b6ba9c2ffb20e54f727b81d084 Mon Sep 17 00:00:00 2001
From: Ryan Moon
Date: Thu, 2 Apr 2026 07:16:14 -0500
Subject: [PATCH] fix: use Cloudflare origin cert for TLS instead of cert-manager
---
 charts/lunarfront/templates/ingress.yaml | 5 +++--
 charts/lunarfront/values.yaml | 5 +++++
 2 files changed, 8 insertions(+), 2 deletions(-)
diff --git a/charts/lunarfront/templates/ingress.yaml b/charts/lunarfront/templates/ingress.yaml
index 93edc68..ab130f5 100644
--- a/charts/lunarfront/templates/ingress.yaml
+++ b/charts/lunarfront/templates/ingress.yaml
@@ -4,13 +4,14 @@ metadata:
 name: lunarfront
 namespace: {{ .Values.customer.name }}
 annotations:
- cert-manager.io/cluster-issuer: letsencrypt-prod
+ # Cloudflare proxies TLS to the browser — origin cert handles CF → cluster
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
 spec:
 ingressClassName: nginx
 tls:
 - hosts:
 - {{ .Values.customer.domain }}
- secretName: lunarfront-tls
+ secretName: {{ .Values.cloudflare.originCertSecret }}
 rules:
 - host: {{ .Values.customer.domain }}
 http:
diff --git a/charts/lunarfront/values.yaml b/charts/lunarfront/values.yaml
index 3459ba6..44f4876 100644
--- a/charts/lunarfront/values.yaml
+++ b/charts/lunarfront/values.yaml
@@ -37,6 +37,11 @@ auth:
 storage:
 secretName: lunarfront-storage-secret
+# Cloudflare origin cert — installed once as a cluster-wide secret
+# See: https://developers.cloudflare.com/ssl/origin-configuration/origin-ca
+cloudflare:
+ originCertSecret: cloudflare-origin-cert
+
 replicaCount: 1
 resources:
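Review bot: The new `secretName: {{ .Values.cloudflare.originCertSecret }}` only resolves if a TLS Secret of that name exists in the Ingress's own namespace, `{{ .Values.customer.name }}`, because an Ingress cannot reference a Secret in another namespace, and nothing visible in this patch creates or copies it there. When the Secret is missing, ingress-nginx normally falls back to its default self-signed certificate instead of failing, so the gap would go unnoticed unless the Cloudflare zone runs in Full (strict) mode, which is also the mode in which the origin certificate is actually verified. I would render the name defensively, `secretName: {{ required "cloudflare.originCertSecret must be set" .Values.cloudflare.originCertSecret | quote }}`, and move the added comment down to the `tls:` block, since it currently sits above `ssl-redirect`, which it does not describe. The Ingress manifest starts and ends outside the hunk.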
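Review bot: The comment `installed once as a cluster-wide secret` in the values.yaml hunk describes something Kubernetes does not have: Secrets are namespaced, so this default has to name a Secret that is present in every customer namespace the chart is installed into. If the same Origin CA certificate and key are copied into each of those namespaces, anyone who can read Secrets in one customer namespace holds the key for every hostname the certificate covers; that trade-off is worth stating next to the default, or avoiding with a per-customer certificate. I would reword the comment to something like `# Name of the kubernetes.io/tls Secret with the Cloudflare Origin CA cert and key; must exist in the customer namespace (Secrets are namespaced)`. An Origin CA certificate is trusted by Cloudflare only and does not by itself stop clients from reaching the origin directly, so the comment could also point to whatever restricts origin access (for example Authenticated Origin Pulls or an allowlist of Cloudflare ranges), if that is configured elsewhere.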