upgrade cert-manager and configure it to use dns instead of http

non_argo_values/gitea_values.yaml

@@ -23,7 +23,7 @@ ingress:
   annotations:
     # Restrict to LAN access (matching your existing pattern)
     traefik.ingress.kubernetes.io/whitelist.sourcerange: "192.168.0.0/16,10.0.0.0/8,172.16.0.0/12"
-    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    cert-manager.io/cluster-issuer: "letsencrypt-production"
   hosts:
     - host: gitea.gilgamezh.me
       paths:

resources/cluster-issuer-production.yaml

@@ -10,7 +10,11 @@ spec:
     privateKeySecretRef:
       name: letsencrypt-production
     solvers:
-    - selector: {}
-      http01:
-        ingress:
-          class: traefik
+    - selector:
+        dnsZones:
+          - gilgamezh.me
+      dns01:
+        cloudflare:
+          apiTokenSecretRef:
+            name: cloudflare-api-token-secret
+            key: api-token

resources/ingress.yaml

@@ -79,3 +79,30 @@ spec:
     - hosts:
         - sonarr.gilgamezh.me
       secretName: sonarr-gilgamezh-me
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+    kubernetes.io/ingress.class: traefik
+  labels:
+    app: lidarr
+  name: lidarr
+  namespace: default
+spec:
+  rules:
+    - host: lidarr.gilgamezh.me
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: lidarr
+                port:
+                  number: 8686
+  tls:
+    - hosts:
+        - lidarr.gilgamezh.me
+      secretName: lidarr-gilgamezh-me