fix k8s certificate management and add docs (#829)

* use manually created secrets for all dns names, do not use cert-manager ingress-shim

* add docs

Author: maxmwang

docs/src/SUMMARY.md

@@ -26,6 +26,7 @@
 - [Infrastructure](./core/infrastructure/README.md)
   - [Onboarding](./core/infrastructure/onboarding.md)
   - [CI/CD Workflow](./core/infrastructure/cicd-workflow.md)
+  - [DNS & Certificates](./core/infrastructure/dns-certificates.md)
   - [Runbooks](./core/infrastructure/runbooks.md)
 
 ---

docs/src/core/infrastructure/dns-certificates.md

@@ -0,0 +1,92 @@
+# DNS & TLS Certificates
+
+<!-- toc -->
+
+## Introduction
+### What is the Domain Name System (DNS)?
+
+The DNS is a system used across to internet to associate domains, such as `berkeleytime.com`, with IP addresses, such as `123.123.123.123`. Internet browsers use the DNS protocol to translate common domains to IP addresses to know where to route packets.
+
+UC Berkeley classes that cover how a DNS work include:
+- [CS 168 (Internet Architecture)](https://www2.eecs.berkeley.edu/Courses/CS168/)
+- [CS 161 (Computer Security)](https://www2.eecs.berkeley.edu/Courses/CS161/)
+
+Learn more about DNSs:
+- [CS 168 Textbook - DNS](https://textbook.cs168.io/applications/dns.html)
+- [What is DNS? | How DNS works](https://www.cloudflare.com/learning/dns/what-is-dns/)
+
+### What are TLS Certificates?
+
+A TLS Certificate secures connections between internet browsers and web servers by authenticating web servers, exchanging keys to encrypt data packets, and providing integrity guarantees over the connection. Connections to websites secured with TLS certificates typically use HTTPS instead of HTTP.
+
+UC Berkeley classes that cover how TLS Certificates work include:
+- [CS 161 (Computer Security)](https://www2.eecs.berkeley.edu/Courses/CS161/)
+- [CS 168 (Internet Architecture)](https://www2.eecs.berkeley.edu/Courses/CS168/)
+
+Learn more about SSL/TLS (SSL is the predecessor to TLS):
+- [What is an SSL Certificate?](https://www.cloudflare.com/learning/ssl/what-is-an-ssl-certificate/)
+- [What is SSL? | SSL definition](https://www.cloudflare.com/learning/ssl/what-is-ssl/)
+
+## Our Cloudflare DNS Setup
+
+For the most relevant setup documentation, refer to [Cloudflare's DNS Setup Docs](https://developers.cloudflare.com/dns/).
+
+We pay for the domains `berkeleytime.com` and `stanfurdtime.com`, both registered with [Cloudflare Registrar](https://www.cloudflare.com/products/registrar/). In addition, our authoritative DNS is also Cloudlfare, and its configuration (what domains map to what IPs) can be changed on [the Cloudflare Developer Dashboard](https://dash.cloudflare.com/).
+
+## Our Kubernetes Cluster Setup
+
+There are two relevant Kubernetes components when discussing DNS and Certificates: our reverse proxy `ingress-nginx` and `cert-manager`.
+
+### Ingress Nginx
+
+Recall from [An HTTP Request's Life](./onboarding.md#an-http-requests-life), `ingress-nginx` is our reverse proxy responsible for routing between our application services. Its input is effectively a mapping from a path to a service. This is down through the [Ingress Resource](https://kubernetes.io/docs/concepts/services-networking/ingress/):
+
+```yaml
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    # ...
+spec:
+  ingressClassName: nginx
+  tls:
+    # ...
+  rules:
+    - host: berkeleytime.com
+      http:
+        paths:
+          - path: /
+            backend:
+              service:
+                name: bt-frontend-svc
+          - path: /api
+            backend:
+              service:
+                name: bt-backend-svc
+```
+
+This example `Ingress` resource maps packets routed to `berkeleytime.com/` to the frontend service and maps packets routed to `berkeleytime.com/api` to the backend service.
+
+The `ingressClassName` instructs `ingress-nginx` to manage this `Ingress` resource as one of its reverse proxy destinations.
+
+
+### Certificate Manager
+
+`cert-manager` is a service that can automatically issue and renew certificates. We only use it to renew certificates. We hardcode a certificate with all domains needed instead of automatic issuing.
+
+```yaml
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bt-cert
+spec:
+  secretName: bt-cert
+  dnsNames:
+    - berkeleytime.com
+    - "*.berkeleytime.com"
+    - "*.dev.berkeleytime.com"
+    - stanfurdtime.com
+    - "*.stanfurdtime.com"
+    - "*.dev.stanfurdtime.com"
+```
+
+Here is a snippet of the hardcoded certificate deployed as of August 2025. This is linked in the `Ingress` resource earlier under `spec.tls`.

infra/app/templates/ingress.yaml

@@ -4,14 +4,12 @@ metadata:
   name: {{ .Release.Name }}-ingress
   labels:
     {{- include "bt-app.labels" . | nindent 4 }}
-  annotations:
-    cert-manager.io/issuer: {{ .Values.issuer }}
 spec:
   ingressClassName: nginx
   tls:
     - hosts:
         - {{ .Values.host }}
-      secretName: {{ .Release.Name }}-cert
+      secretName: bt-cert
   rules:
     - host: {{ .Values.host }}
       http:

infra/base/templates/certificate.yaml

@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bt-cert
+spec:
+  secretName: bt-cert
+  issuerRef:
+    name: {{ .Values.issuerName }}
+    kind: Issuer
+  dnsNames:
+    - berkeleytime.com
+    - "*.berkeleytime.com"
+    - "*.dev.berkeleytime.com"
+    - stanfurdtime.com
+    - "*.stanfurdtime.com"
+    - "*.dev.stanfurdtime.com"

infra/base/templates/cloudflare-api-token-sealed-secret.yaml

@@ -0,0 +1,12 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: {{ .Values.acme.cloudflareApiTokenSecretName }}
+  namespace: bt
+spec:
+  encryptedData:
+    api-token: AgCFa3QC416PcdI2BAodEnnX5Vm05Hl8WE7rKkf0F9zP/OAWYnuFfJqhAtCDbOPz3iyREyTHepBflawZspaIj+XOXg3ZL2A4vMEvpr5BGupc94NTIQyzF3K6OwrTHTU7U/1ZhFo4Y2/daNANzyhbOuqSSou1nRplslRz4Ejg0Tc3X3uRJYqUHHuri95AcbA9hcKPDLEeEgmliYNC8FPn5HtSX/7pp5kod6/da0vI0h3eRjGt6JNwaAxCX8lWQDPBGizcx3xyEMuxleOcKEiSijos2/VMY9NVK2JY4FKSQZz/2Z29cdoRxwN1H+B9ySnvSJoIb3+J/AZ22P1JMo56IZa2GcaE/ooV8x0yySWua4s2kUhngpFWlirOTJCRbU5JaZ9uM7gKdBFZ4/zgxKNdMZCUZLqef6RHZVEjEn5HvklBIMmC5RWe+wtJ7i6uqBK5R2r92ZQ0XE/dWGKT69nIaz5rHVGT26e3edpKJKZV21EXJGAADB80EbyV9Tmbik1s7w/zUQ328bpgvQkIgbDUyrybooF/x/nQfGPXm47OD1daS4PVzwngTCy748TRM0MeHqCjSYRkkiXJzIjDHLYAQtqpKuwZkbRK3q/lKk/z3tABfswMZyKgrpv0GQ7cTn5OIC4FvraT9CU78aGX+N//vWkPx3e2O36oPaU2AJpiiwWolNuhtHGpsAmJMRK9/ykKLzesVqJdoQMVqzjif/C/iufQIWgqtkwway3KXHniwIQFeyen9CV26M7l
+  template:
+    metadata:
+      name: {{ .Values.acme.cloudflareApiTokenSecretName }}
+      namespace: bt

infra/base/templates/cloudflare-stanfurdtime-sealed-secret.yaml

@@ -15,5 +15,5 @@ spec:
       - dns01:
           cloudflare:
             apiTokenSecretRef:
-              name: {{ .Values.acme.cfApiTokenSecretName }}
+              name: {{ .Values.acme.cloudflareApiTokenSecretName}}
               key: api-token

infra/base/templates/issuer.yaml

@@ -2,5 +2,5 @@ issuerName: letsencrypt-prod
 acme:
   email: [email protected]
   server: https://acme-v02.api.letsencrypt.org/directory
-  cfApiTokenSecretName: cloudflare-api-token-stanfurdtime-secret
+  cloudflareApiTokenSecretName: cloudflare-api-token-secret
 ipAddressRange: 169.229.226.51-169.229.226.51

infra/base/values.yaml

@@ -4,14 +4,12 @@ metadata:
   name: {{ .Release.Name }}-ingress
   labels:
     {{- include "bt-docs.labels" . | nindent 4 }}
-  annotations:
-    cert-manager.io/issuer: {{ .Values.issuer }}
 spec:
   ingressClassName: nginx
   tls:
     - hosts:
         - {{ .Values.host }}
-      secretName: {{ .Release.Name }}-cert
+      secretName: bt-cert
   rules:
     - host: {{ .Values.host }}
       http: