From 6746e691990c22feca80a156fe27669d7c429648 Mon Sep 17 00:00:00 2001
From: Max Kadel <max@notch8.com>
Date: Wed, 27 May 2026 15:56:07 +0200
Subject: [PATCH] Use dns cert-manager for friends

---
 ops/friends-deploy.tmpl.yaml | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/ops/friends-deploy.tmpl.yaml b/ops/friends-deploy.tmpl.yaml
index ffe0099f..d65a3cda 100644
--- a/ops/friends-deploy.tmpl.yaml
+++ b/ops/friends-deploy.tmpl.yaml
@@ -38,10 +38,12 @@ ingress:
   ingressClassName: "nginx-ingress"
   hosts:
     - viva-friends.notch8.cloud
-  annotations: {
-    nginx.org/client-max-body-size: "0",
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
-  }
+  annotations:
+    nginx.org/client-max-body-size: "0"
+    # DNS01 instead of letsencrypt-prod because r2-friends cert-manager CRDs are at
+    # v1.8.0 while the controller is v1.17.1 — ingressClassName is not in the schema,
+    # so HTTP01 via nginx-ingress fails. Switch to letsencrypt-prod once the CRDs are upgraded.
+    cert-manager.io/cluster-issuer: "letsencrypt-production-dns"
   tlsSecretName: viva-friends-tls
 
 env: