From d5e1a6652c3ba068f90d325ce0e7d9e8c41fbf9a Mon Sep 17 00:00:00 2001
From: "A. F. Dudley"
Date: Sat, 24 Jan 2026 18:57:55 -0500
Subject: [PATCH] fix(k8s): persist Caddy TLS certificates with PVC

Caddy ingress was using emptyDir for /data storage, causing TLS certificates to be lost on pod restarts or cluster recreations. This led to Let's Encrypt rate limit issues from repeatedly requesting new certificates. Add a PersistentVolumeClaim for Caddy's data directory to persist ACME certificates across redeployments.
Co-Authored-By: Claude Opus 4.5
---
 .../ingress/ingress-caddy-kind-deploy.yaml | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/stack_orchestrator/data/k8s/components/ingress/ingress-caddy-kind-deploy.yaml b/stack_orchestrator/data/k8s/components/ingress/ingress-caddy-kind-deploy.yaml
index 632dcc05..d681b3e8 100644
--- a/stack_orchestrator/data/k8s/components/ingress/ingress-caddy-kind-deploy.yaml
+++ b/stack_orchestrator/data/k8s/components/ingress/ingress-caddy-kind-deploy.yaml
@@ -243,10 +243,26 @@ spec:
 mountPath: /config
 volumes:
 - name: caddy-data
- emptyDir: {}
+ persistentVolumeClaim:
+ claimName: caddy-data-pvc
 - name: caddy-config
 emptyDir: {}
 ---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: caddy-data-pvc
+ namespace: caddy-system
+ labels:
+ app.kubernetes.io/name: caddy-ingress-controller
+ app.kubernetes.io/instance: caddy-ingress
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
 apiVersion: networking.k8s.io/v1
 kind: IngressClass
 metadata:
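Review bot: The new `caddy-data-pvc` claim sets no `storageClassName`, so where Caddy's `/data` ends up, and whether it outlives the cluster, is decided by whatever default StorageClass the cluster happens to have. On a kind cluster the default provisioner typically keeps volumes inside the node container, so the "cluster recreations" case named in the commit message is probably not covered unless that path is mapped to the host; this is worth confirming. The volume also now holds the ACME account key and certificate private keys long-term, so its backing store and reclaim policy deserve the same care as a Secret. I would pin the class explicitly and document the contents, e.g. `storageClassName: <storage-class-placeholder>` under the claim's `spec:` with the comment `# stores ACME account key and TLS private keys; must survive pod and cluster recreation`. The Deployment that mounts the claim starts outside the hunk, so its replica count and update strategy could not be checked against `ReadWriteOnce` here.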