apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: postmaster@netflux.io
    privateKeySecretRef:
      name: prod-letsencrypt
    solvers:
    - http01:
        ingress:
          class: prod-nginx
    - dns01:
        route53:
          region: eu-west-1
          hostedZoneID: Z1OSEC2E6M9VER
          accessKeyID: AKIARZPRT6YGHAENBEEX
          secretAccessKeySecretRef:
            # Using name reference transformers to manage this didn't work,
            # possibly because ClusterIssuer is a cluster-scoped resource.
            #
            # For now, this secret should be provisioned manually in the
            # cert-manager namespace:
            name: prod-aws-credentials
            key: secret