
Set up cert-manager

In #1 we are moving to using Ingress resources. For each ingress, we should have cert-manager automatically create the certificates for https.

There are three deployment contexts for certs for the website:

  1. production on k8s cluster
  2. staging on k8s cluster
  3. local dev on minikube

To support local dev, we likely want the operator not to create the Issuer for the certificates. The idea then would be to create a ClusterIssuer for each cluster, using a self-signed issuer in local dev, and then Let's Encrypt staging and prod issuers in the staging and prod clusters.

A great example of this can be found here: https://cert-manager.io/docs/tutorials/acme/nginx-ingress/. Likely all we will need is the ingress annotation, and it will take care of the TLS for us! If for some reason the TLS files need to live in the civicrm image, we can mount them as seen in: https://github.com/knative-extensions/eventing-kafka-broker/blob/dc8e819f5eb6cdb9163673da52d450beaae36c00/data-plane/config/broker/500-receiver.yaml#L188-L191, and cert-manager would still handle the setup of the secret for us.

We also need to set up TLS within the staging and prod k8s clusters. Those should be created by cert-manager as self-signed.

Edited by Joe Murray
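
A sketch of the per-cluster ClusterIssuer layout described in this issue, added here as an example and not taken from the issue or the project's manifests. The issuer name `site-issuer`, the host `www.example.org`, the e-mail address, the secret and Service names, and the `nginx` ingress class are all assumptions; giving the ClusterIssuer the same name in every cluster lets the Ingress stay identical across the three contexts.

```yaml
# Added example. All names, hosts and the e-mail are placeholders (assumptions).
# --- Local dev (minikube): apply only this issuer in that cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: site-issuer              # same name in every cluster
spec:
  selfSigned: {}
---
# --- Staging cluster: apply only this issuer in that cluster.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: site-issuer
spec:
  acme:
    # The prod cluster uses https://acme-v02.api.letsencrypt.org/directory
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: admin@example.org
    privateKeySecretRef:
      name: site-issuer-account-key   # ACME account key, created by cert-manager
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
---
# --- Ingress: the same manifest in all three contexts.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: website
  annotations:
    cert-manager.io/cluster-issuer: site-issuer
spec:
  ingressClassName: nginx
  tls:
    - hosts: [www.example.org]
      secretName: website-tls    # cert-manager writes the key pair here
  rules:
    - host: www.example.org
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: website
                port:
                  number: 80
```

Certificates from the self-signed issuer and from the Let's Encrypt staging endpoint are not publicly trusted, so clients in local dev and staging will show trust warnings unless the issuing certificate is added to their trust store; only the production ACME endpoint yields publicly trusted certificates.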