feat(cert-manager): switch to algorithm P-384 (#18098)

ops/argo-cd/applications/production-hm/airbyte/kubernetes-manifests/hm-airbyte-ingress.yaml

@@ -10,7 +10,11 @@ metadata:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/akhq/kubernetes-manifests/hm-akhq-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-akhq.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/argo-cd/kubernetes-manifests/hm-argo-cd-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-argo-cd.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
   labels:
     app.kubernetes.io/name: hm-argo-cd-ingress
     app.kubernetes.io/part-of: production-hm-argo-cd

ops/argo-cd/applications/production-hm/kafbat-ui/kubernetes-manifests/hm-kafbat-ui-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-kafbat-ui.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/mlflow/kubernetes-manifests/hm-mlflow-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-mlflow.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/netdata/kubernetes-manifests/hm-netdata-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-netdata.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/opencost/kubernetes-manifests/hm-opencost-ingress.yaml

@@ -10,7 +10,11 @@ metadata:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/prometheus/kubernetes-manifests/hm-grafana-ingress.yaml

@@ -10,7 +10,11 @@ metadata:
     traefik.ingress.kubernetes.io/router.entrypoints: websecure
     traefik.ingress.kubernetes.io/router.tls: "true"
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/ray-cluster/kubernetes-manifests/hm-ray-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-ray.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels:

ops/argo-cd/applications/production-hm/redpanda-console/kubernetes-manifests/hm-redpanda-console-ingress.yaml

@@ -12,7 +12,11 @@ metadata:
     # https://kubernetes-sigs.github.io/external-dns/latest/annotations/annotations
     external-dns.alpha.kubernetes.io/hostname: hm-redpanda-console.internal.hongbomiao.com
     # https://cert-manager.io/docs/usage/ingress/#supported-annotations
+    # https://letsencrypt.org/certificates
     cert-manager.io/cluster-issuer: production-lets-encrypt-cluster-issuer
+    cert-manager.io/private-key-algorithm: ECDSA
+    cert-manager.io/private-key-size: "384"
+    cert-manager.io/private-key-rotation-policy: Always
     # https://argo-cd.readthedocs.io/en/stable/user-guide/resource_hooks
     argocd.argoproj.io/hook: PostSync
   labels: