From 8024015b9efc33e8d5114a92b38c9e73677bad5f Mon Sep 17 00:00:00 2001
From: Claude
Date: Thu, 30 Apr 2026 17:31:44 +0300
Subject: [PATCH] =?UTF-8?q?tower=200.61.21=20=E2=80=94=20migrate=20+=20tem?= =?UTF-8?q?plate-deploy=20use=20tenant=20CF=20resolver?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Phase C made instance-create tenant-aware for Cloudflare DNS, but migrate.go and templates_deploy.go kept using the legacy global *cloudflareClient (zone=odoosky.org). Result: a tenant migrate to 4th.online silently created the A record under odoosky.org as a literal subdomain ('odoo16v2.tenants.4th.online.odoosky.org' → right IP) — Tower logged 'DNS A record set' successfully because the API accepted the call, but the actual hostname the user browses to was never published to the right zone. Both flows now use cfResolver.clientFor(tenantID, fqdn) to find the tenant's CF token + correct zone. If no token covers the domain, the op fails with a clear 'configure tenant CF token' message instead of silently writing to the wrong zone.
---
 values.yaml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/values.yaml b/values.yaml
index 0016117..060d598 100644
--- a/values.yaml
+++ b/values.yaml
@@ -9,7 +9,7 @@ backend:
 # so every cluster that runs Tower needs the same imagePullSecret
 # provisioned out-of-band (until cluster-platform-v3 owns it).
 repository: registry.odoosky.cloud/odoosky/docker-mirror/tower
- tag: "0.61.19"
+ tag: "0.61.21"
 pullPolicy: IfNotPresent
 imagePullSecrets:
 - name: docker-mirror-pull