From 8ba3088cbfe4408ca2cd7d8d08f936cf6351121a Mon Sep 17 00:00:00 2001
From: Kochetkov S
Date: Fri, 5 Jun 2026 15:49:34 +0300
Subject: [PATCH] Use Istio HTTP solver for Zitadel certificates
---
 .../clusterissuer-letsencrypt.yaml | 20 +++++++++++++++++++
 .../infrastructure/kustomization.yaml | 1 +
 .../clusterissuer-letsencrypt.yaml | 20 +++++++++++++++++++
 .../infrastructure/kustomization.yaml | 1 +
 4 files changed, 42 insertions(+)
 create mode 100644 clusters/brusnika-prod/infrastructure/clusterissuer-letsencrypt.yaml
 create mode 100644 clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
diff --git a/clusters/brusnika-prod/infrastructure/clusterissuer-letsencrypt.yaml b/clusters/brusnika-prod/infrastructure/clusterissuer-letsencrypt.yaml
new file mode 100644
index 0000000..82b34bb
--- /dev/null
+++ b/clusters/brusnika-prod/infrastructure/clusterissuer-letsencrypt.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ email: emelin.d@sarex.io
+ privateKeySecretRef:
+ name: letsencrypt
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - selector:
+ dnsNames:
+ - zitadel.brusnika.onprem.sarex.io
+ http01:
+ ingress:
+ class: istio
+ - http01:
+ ingress:
+ class: nginx
diff --git a/clusters/brusnika-prod/infrastructure/kustomization.yaml b/clusters/brusnika-prod/infrastructure/kustomization.yaml
index 494c6e1..78aa2c0 100644
--- a/clusters/brusnika-prod/infrastructure/kustomization.yaml
+++ b/clusters/brusnika-prod/infrastructure/kustomization.yaml
@@ -8,6 +8,7 @@ resources:
 - ../../../infrastructure/vault
 - ../../../infrastructure/zitadel
 - ./vault-ingress.yaml
+ - ./clusterissuer-letsencrypt.yaml
 patches:
 - path: ./patches/istio-gateway.yaml
 target:
diff --git a/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml b/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
new file mode 100644
index 0000000..91712f5
--- /dev/null
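Review bot: In clusters/brusnika-prod/infrastructure/clusterissuer-letsencrypt.yaml the Zitadel solver sits on a cluster-scoped `ClusterIssuer`, so any namespace allowed to create Certificate resources can reference `letsencrypt` and request `zitadel.brusnika.onprem.sarex.io`. Nothing in this manifest ties the identity provider's hostname to the Zitadel namespace. HTTP-01 validation still has to succeed, but if namespaces in this cluster are not equally trusted, a namespaced `Issuer` for the Zitadel solver or a cert-manager approver-policy rule limiting that dnsName would narrow it. Separately, `email: emelin.d@sarex.io` is a personal mailbox; a role address such as `email: <team-mailbox>` keeps the ACME account contact from depending on one person. Both points apply equally to the brusnika-stage copy of this file.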
+++ b/clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt
+spec:
+ acme:
+ email: emelin.d@sarex.io
+ privateKeySecretRef:
+ name: letsencrypt
+ server: https://acme-v02.api.letsencrypt.org/directory
+ solvers:
+ - selector:
+ dnsNames:
+ - zitadel.test.sarex.brusnika.tech
+ http01:
+ ingress:
+ class: istio
+ - http01:
+ ingress:
+ class: nginx
diff --git a/clusters/brusnika-stage/infrastructure/kustomization.yaml b/clusters/brusnika-stage/infrastructure/kustomization.yaml
index a8a4131..a8be92d 100644
--- a/clusters/brusnika-stage/infrastructure/kustomization.yaml
+++ b/clusters/brusnika-stage/infrastructure/kustomization.yaml
@@ -9,6 +9,7 @@ resources:
 - ../../../infrastructure/zitadel
 - ./lb-service-override.yaml
 - ./vault-ingress.yaml
+ - ./clusterissuer-letsencrypt.yaml
 patches:
 - path: ./patches/istio-gateway.yaml
 target:
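Review bot: The stage issuer in clusters/brusnika-stage/infrastructure/clusterissuer-letsencrypt.yaml points at the production Let's Encrypt directory (`server: https://acme-v02.api.letsencrypt.org/directory`), so failed or repeated HTTP-01 attempts while the Istio solver is being tried out count against the production rate limits for that domain. If publicly trusted certificates are not required on stage, `server: https://acme-staging-v02.api.letsencrypt.org/directory` is the safer default; if they are required, a one-line comment above `server:` saying so would record the decision. Apart from the dnsName this file is identical to the brusnika-prod one, so a shared base with a per-cluster patch for the hostname would keep the two from drifting apart.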