
Add Helm subchart for cert-manager to manage TLS certificates #325

Merged
Aravinda-HWK merged 1 commit into LSFLK:main from maneeshaxyz:322-task-create-helm-sub-chart-for-certificates on Apr 8, 2026

Conversation

@maneeshaxyz
Member

📌 Description

Implemented automated TLS certificate management with cert-manager and Let’s Encrypt in the existing Silver Helm deployment flow. Certificates are generated per configured domain, renewed automatically, and stored as Kubernetes Secrets for downstream services.


🔍 Changes Made

1. Certificate templating in Helm

  • Added dynamic Certificate rendering based on chart values.
  • Generates one Certificate per configured domain.
  • Includes both apex and wildcard SANs for each domain.
  • Supports configurable renewal window through values.

2. Issuer integration

  • Certificate resources reference a configurable ClusterIssuer.
  • Supports staging and production issuer usage through configuration.

3. ACME + DNS challenge bootstrap

  • Added cluster bootstrap automation to create:
    1. Cloudflare API token Secret (for DNS-01)
    2. Let’s Encrypt staging ClusterIssuer
    3. Let’s Encrypt production ClusterIssuer
  • ACME account keys are managed via cert-manager private key references.

4. Operational documentation

  • Documented cert-manager prerequisite installation.
  • Documented issuer bootstrap and validation steps.
  • Documented staging-to-production promotion guidance.
  • Documented certificate verification commands and expected readiness state.

Design Decisions

  • Implemented within the existing umbrella chart, not as a standalone tls-certificates subchart.
  • Issuer resources are provisioned through infrastructure bootstrap, not Helm templates.
  • DNS-01 flow currently targets Cloudflare bootstrap path.
  • Generic multi-provider DNS-01 and HTTP-01 solver templating are not yet fully chart-driven.

✅ Checklist (Email System)

  • Core services tested (SMTP, IMAP, mail storage, end-to-end delivery)
  • Security & compliance verified (auth via Thunder IDP, TLS, DKIM/SPF/DMARC, spam/virus filtering)
  • Configuration & deployment checked (configs generated, Docker/Compose updated)
  • Reliability confirmed (error handling, logging, monitoring)
  • Documentation & usage notes updated (README, deployment, API)

🧪 Testing Instructions

  1. Documented in README.md
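The per-domain Certificate rendering described under "Certificate templating" and "Issuer integration" above, written out as an added Helm template. This is illustrative code, not the chart merged in this PR; the `tls.*` values keys, the resource naming and the chosen key algorithm are assumptions. It renders one Certificate per entry in `tls.domains`, with the apex name and a wildcard SAN, references the ClusterIssuer from values, and exposes the renewal window through `tls.renewBefore`.

```yaml
{{- /*
  Illustrative charts/silver/templates/certificate.yaml (added example, not the project's own).
  Assumed values structure (hypothetical keys):
    tls:
      enabled: true
      issuer:
        name: letsencrypt-staging   # switch to letsencrypt-prod once staging issues cleanly
        kind: ClusterIssuer
      duration: 2160h              # 90 days, matching the Let's Encrypt lifetime
      renewBefore: 720h            # start renewal 30 days before expiry; must be < duration
      domains:
        - example.com
        - mail.example.org
*/ -}}
{{- if .Values.tls.enabled }}
{{- range $domain := .Values.tls.domains }}
{{- /* Derive a DNS-1123 resource name: lowercase, any run outside [a-z0-9-] becomes "-",
       capped at 63 characters with no trailing hyphen. Handles dots, underscores and IDN punycode. */}}
{{- $name := regexReplaceAll "[^a-z0-9-]+" (lower $domain) "-" | trunc 63 | trimSuffix "-" }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ $name }}-tls
  namespace: {{ $.Release.Namespace }}
  labels:
    app.kubernetes.io/managed-by: {{ $.Release.Service }}
spec:
  # cert-manager writes the signed chain and private key into this Secret;
  # downstream services (ingress, SMTP/IMAP) mount it by name.
  secretName: {{ $name }}-tls
  # One Certificate per domain, covering the apex and a wildcard SAN.
  # The wildcard entry is only issuable over DNS-01; HTTP-01 cannot validate "*.example.com".
  dnsNames:
    - {{ $domain | quote }}
    - {{ printf "*.%s" $domain | quote }}
  issuerRef:
    name: {{ $.Values.tls.issuer.name }}
    kind: {{ $.Values.tls.issuer.kind | default "ClusterIssuer" }}
    group: cert-manager.io
  duration: {{ $.Values.tls.duration | default "2160h" }}
  renewBefore: {{ $.Values.tls.renewBefore | default "720h" }}
  privateKey:
    # Generate a fresh key on every renewal instead of reusing the old one.
    rotationPolicy: Always
    algorithm: ECDSA
    size: 256
{{- end }}
{{- end }}
```

After `helm upgrade --install`, readiness can be checked with `kubectl get certificate -n <namespace>` (READY should become True) or blocked on with `kubectl wait --for=condition=Ready certificate/<name> -n <namespace> --timeout=300s`; a stuck order is usually visible in `kubectl describe challenge -n <namespace>`.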

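The issuer side of the "ACME + DNS challenge bootstrap" section above, as added example manifests rather than the project's bootstrap script: the Cloudflare token Secret and a staging and a production ClusterIssuer, each with a Cloudflare DNS-01 solver. The namespace, Secret and issuer names, and the contact e-mail are assumptions. The solvers carry no `selector`, so a single issuer serves every domain the chart renders a Certificate for.

```yaml
# Added example (not the project's infra/bootstrap.sh). Assumes cert-manager is
# installed in the "cert-manager" namespace, which is also where ClusterIssuers
# resolve their Secret references by default.
apiVersion: v1
kind: Secret
metadata:
  name: cloudflare-api-token
  namespace: cert-manager
type: Opaque
stringData:
  # Placeholder only. Create the real Secret out of band (e.g. kubectl create secret
  # generic --from-literal=api-token=...) and keep it out of version control.
  # Scope the Cloudflare token to Zone:DNS:Edit and Zone:Zone:Read for the
  # zones in use, nothing account-wide.
  api-token: REPLACE_WITH_CLOUDFLARE_API_TOKEN
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    # Staging issues untrusted certificates but has generous rate limits;
    # prove the DNS-01 flow here before pointing Certificates at production.
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ops@example.com   # placeholder contact for expiry and policy notices
    privateKeySecretRef:
      # cert-manager generates and stores the ACME account key here.
      name: letsencrypt-staging-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ops@example.com   # placeholder
    privateKeySecretRef:
      # Separate account key from staging; staging and production are distinct ACME accounts.
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-api-token
              key: api-token
```

Promotion from staging to production is then a values change (`tls.issuer.name`) followed by a chart upgrade; cert-manager notices the changed `issuerRef`, re-orders from the production endpoint and replaces the contents of the same Secret. `kubectl get clusterissuer` should show READY True for both issuers before any Certificate is created, otherwise the Certificate will sit in an Issuing state with the reason visible in `kubectl describe clusterissuer <name>`.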
@maneeshaxyz maneeshaxyz requested a review from Aravinda-HWK April 3, 2026 11:31
@maneeshaxyz
Member Author

/gemini review

Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request implements TLS support for Silver services via cert-manager and Let's Encrypt, adding a bootstrap script for Cloudflare DNS-01 challenges and updating Helm templates to manage Certificate resources. Review feedback suggests removing restrictive domain selectors in the ClusterIssuers to support multiple domains, utilizing the provided Helm helper for issuer references, and replacing a hardcoded sleep with a kubectl wait command for better reliability.

Comment threads (collapsed): infra/bootstrap.sh, infra/bootstrap.sh, charts/silver/templates/certificate.yaml, infra/bootstrap.sh
Contributor

@gemini-code-assist gemini-code-assist Bot left a comment


Code Review

This pull request introduces TLS support for the Silver services using cert-manager and Let's Encrypt. Key additions include a bootstrap script for cluster infrastructure setup, comprehensive documentation in the README, and Helm templates for automated certificate generation. The review feedback suggests enhancing the bootstrap script's idempotency for namespace creation and improving the sanitization logic for Kubernetes resource names to handle a wider range of domain characters.

Comment threads (collapsed): infra/bootstrap.sh, charts/silver/templates/certificate.yaml
@Aravinda-HWK Aravinda-HWK merged commit cbc8fbe into LSFLK:main Apr 8, 2026
6 checks passed
@maneeshaxyz maneeshaxyz deleted the 322-task-create-helm-sub-chart-for-certificates branch April 8, 2026 10:45
Development

Successfully merging this pull request may close these issues.

[TASK] Create Helm Sub chart for Certificates

2 participants