feat: use cert manager not static files

k8s/base/ceramic-one/README.md

@@ -9,7 +9,7 @@ Comands assume this directory as the current working directory.
 ### Create a namespace for the nodes.
 
 ```
-export CERAMIC_NAMESPACE=ceramic-one-0-17-0
+export CERAMIC_NAMESPACE=ceramic-one
 kubectl create namespace ${CERAMIC_NAMESPACE}
 ```
 

k8s/base/ceramic-one/kustomization.yaml

@@ -1,4 +1,4 @@
-namespace: ceramic-one-0-17-0
+namespace: ceramic-one
 
 images:
   - name: ceramicnetwork/composedb-cli

k8s/base/composedb/daemon-config.json

@@ -17,12 +17,15 @@
         "log-to-files": false
     },
     "metrics": {
-        "metrics-exporter-enabled": false
+        "metrics-exporter-enabled": false,
+        "metrics-publisher-enabled": true
     },
     "network": {
         "name": "${CERAMIC_NETWORK}"
     },
-    "node": {},
+    "node": {
+        "privateSeedUrl": "inplace:ed25519#fe7728465b2dec4878912851013e17ca7ea903bdb630ea08518fc8b801167e57"
+    },
     "state-store": {
         "mode": "fs",
         "local-directory": "${CERAMIC_STATE_STORE_PATH}"
@@ -31,4 +34,4 @@
         "db": "postgres://${CERAMIC_INDEXING_DB_USERNAME}:${CERAMIC_INDEXING_DB_PASSWORD}@postgres/ceramic",
         "allow-queries-before-historical-sync": true
     }
-}
+}

k8s/cert-ingress/README.md

@@ -1,43 +1,61 @@
-## Configuring domain name and SSL cert for your composedb node
+# Configuring Domain Name and Automatic SSL Cert for Your ComposeDB Node
 
-### Remove the default load balancer
+## Prerequisites
+- A Kubernetes cluster (e.g., on DigitalOcean)
+- `kubectl` configured to interact with your cluster
+- A domain name pointed to your cluster's IP address
 
-We are going to replace the load balancer that was installed with an ingress controller and related services
-
-`kubectl delete -f k8s/base/composedb/do-lb.yaml`
+## Setup Steps
 
-### Install an ingress controller
+### 1. Remove the default load balancer
 
-If you have not already done so, install the ingress controller to your cluster
 
-`kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.0.0/deploy/static/provider/do/deploy.yaml`
+We are going to replace the load balancer that was installed with an ingress controller and related services
+This is assuming a starting point from the `ceramic-one` manifests applied.
 
-### Apply the ingress and related services
+`kubectl delete -f k8s/base/ceramic-one/manifests/js-ceramic-lb.yaml`
 
-The resources in this deployment may be deployed from the repository root like so
+### 2. Install the NGINX Ingress Controller
+If not already installed, add the NGINX ingress controller to your cluster.  This example uses the digital ocean manifests
 
+ ```bash
+kubectl apply -f https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.8.2/deploy/static/provider/do/deploy.yaml
 ```
-kubectl apply -k k8s/cert-ingress/
-```
-
-This will spin up the ingress and the static file server.  You may remove the static file server if it is not needed for your configuration.
 
-### If you need to get a cert
+### 3. Install cert-manager
+cert-manager will automatically manage and renew SSL certificates:
 
-You may need to return a challenge file.  In this case you will use the static server
-that is included in this deployment, and configure its files like so
-
-```
-mkdir -p .well-known/acme-challenge
-# place the challenge file in this directory, then
-kubectl create configmap acme-challenge --from-file=.well-known/acme-challenge/ --namespace=ceramic
+```bash
+kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.12.0/cert-manager.yaml
 ```
-Follow the instructions from your cert provider to get your TLS certificate and private key.
 
-Place them in files such as `fullchain.pem` and `privkey.pem`
+### 4. Update Configuration Files
+1. Edit `ingress.yaml`:
+   - Replace `your-domain.com` with your actual domain name.
+2. Edit `letsencrypt-issuer.yaml`:
+   - Replace `your-email@example.com` with your actual email address.
 
-Then run
+### 5. Apply the Ingress and Related Services
+From the repository root, run:
 
+```bash
+kubectl apply -k k8s/cert-ingress/
 ```
-kubectl create secret tls ceramic-tls-secret --cert=fullchain.pem --key=privkey.pem
-```
+
+This will set up the ingress, ClusterIP service, and cert-manager configurations.
+
+### 6. Verify the Setup
+1. Check that the ingress has been created:
+   ```bash
+   kubectl get ingress -n ceramic-one
+   ```
+2. Verify that cert-manager has issued a certificate:
+   ```bash
+   kubectl get certificates -n ceramic-one
+   ```
+3. Once the certificate is ready, you should be able to access your ComposeDB node securely via HTTPS at your domain.
+
+## Notes
+- SSL certificates will be automatically obtained and renewed by cert-manager.
+- If you need to make changes, modify the relevant files in the `k8s/cert-ingress/` directory and reapply using `kubectl apply -k k8s/cert-ingress/`.
+- Ensure your domain's DNS is properly configured to point to your cluster's IP address.

k8s/cert-ingress/cluster-ip.yaml

@@ -2,7 +2,7 @@ apiVersion: v1
 kind: Service
 metadata:
   name: composedb
-  namespace: ceramic
+  namespace: ceramic-one
   labels:
     app: composedb
 spec: