From 1a301cd3db1fe337f30fa69336057a39c3c85ff4 Mon Sep 17 00:00:00 2001
From: ops
Date: Wed, 29 Apr 2026 21:36:44 +0200
Subject: [PATCH] sync-wave 5 on ClusterIssuer + Certificate (CRD ordering)
---
 Chart.yaml | 4 ++--
 templates/cluster-issuer.yaml | 23 +++++++++-------------
 templates/tenants-wildcard-cert.yaml | 18 +++++------------
 3 files changed, 16 insertions(+), 29 deletions(-)
diff --git a/Chart.yaml b/Chart.yaml
index 4ce8a84..e630cac 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
 Git).
 type: application
-version: 0.2.0
-appVersion: "0.2.0"
+version: 0.2.1
+appVersion: "0.2.1"
 dependencies:
 - name: cert-manager
diff --git a/templates/cluster-issuer.yaml b/templates/cluster-issuer.yaml
index aae7284..be58fa2 100644
--- a/templates/cluster-issuer.yaml
+++ b/templates/cluster-issuer.yaml
@@ -1,24 +1,19 @@
 {{- if .Values.tenant.domain }}
-# letsencrypt-prod ClusterIssuer — DNS-01 challenge via Cloudflare.
-# Scoped to the tenant's Cloudflare zone (.Values.tenant.domain) so
-# cert-manager only attempts records in zones the supplied token can
-# touch — wrong-zone tokens fail loudly at issue time rather than
-# silently re-trying forever.
-#
-# The cloudflare-api-token Secret is NOT in this chart. Tower
-# kubectl-applies it into cert-manager ns at Connect time using the
-# tenant's per-tenant Vault credential (v3/tenants//cloudflare-token).
-# The chart references it by name only.
-#
-# Sync wave: needs to land AFTER cert-manager's CRDs are installed
-# (cert-manager dep installs first); Argo's default ordering by
-# kind handles this.
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
 name: letsencrypt-prod
 labels:
 app.kubernetes.io/managed-by: cluster-platform-v3
+ annotations:
+ # Argo applies resources in ascending sync-wave order. cert-manager
+ # subchart resources land in the default wave (0); we push CR
+ # consumers to wave 5 so the CRDs (Certificate, ClusterIssuer) the
+ # cert-manager Helm subchart installs are present by the time
+ # Argo apply hits these. Without this, Argo discovery fails on
+ # the first sync with "no matches for kind" because Argo applies
+ # the bundle in one pass and CRD discovery is cached.
+ argocd.argoproj.io/sync-wave: "5"
 spec:
 acme:
 email: {{ required "acme.email is required" .Values.acme.email | quote }}
diff --git a/templates/tenants-wildcard-cert.yaml b/templates/tenants-wildcard-cert.yaml
index 0130ce1..63284c6 100644
--- a/templates/tenants-wildcard-cert.yaml
+++ b/templates/tenants-wildcard-cert.yaml
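Review bot: The out-of-band provisioning of the `cloudflare-api-token` Secret (applied by Tower into the cert-manager namespace, referenced here by name only) is documented nowhere on this resource once the removed header goes, while the new annotation comment covers only wave ordering; the `spec` lines that presumably reference that Secret lie past the end of the hunk. Keep a one-line note on the resource, e.g. `# cloudflare-api-token Secret is provisioned out-of-band by Tower (not in this chart); referenced by name only.` The wave comment is accurate as far as it goes, but it silently assumes the cert-manager subchart stays in the default wave 0 and that the ordering holds within a single Argo Application; a sentence stating both assumptions would stop a later wave annotation on the subchart from reintroducing the "no matches for kind" race unnoticed. The rest of the ClusterIssuer (`spec.acme` onward) continues outside the hunk.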
@@ -1,14 +1,4 @@
 {{- if .Values.tenant.wildcardHost }}
-# tenants-wildcard Certificate — issued ONCE per cluster, referenced
-# by every tenant instance's IngressRoute. Avoids Let's Encrypt's
-# 50-cert/week per-domain rate limit as the cluster scales to many
-# instances under one tenant.
-#
-# DNS-01 takes 30–90 s in normal Cloudflare conditions; cert-manager
-# retries forever on transient failures. The Argo Application that
-# deploys this chart is "Healthy" only when the Certificate's Ready
-# condition flips to True — Tower's UI uses that as the
-# "Provisioning → Ready" transition for the Server card.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -16,6 +6,11 @@ metadata:
 namespace: tenants
 labels:
 app.kubernetes.io/managed-by: cluster-platform-v3
+ annotations:
+ # See cluster-issuer.yaml for sync-wave rationale. Certificate
+ # also references the cert-manager.io CRD that lands via the
+ # subchart; without a wave bump Argo discovery fails on first sync.
+ argocd.argoproj.io/sync-wave: "5"
 spec:
 secretName: tenants-wildcard-tls
 issuerRef:
@@ -24,8 +19,5 @@ spec:
 commonName: {{ .Values.tenant.wildcardHost | quote }}
 dnsNames:
 - {{ .Values.tenant.wildcardHost | quote }}
- # Renew 30 days before expiry — Let's Encrypt certs are 90-day, so
- # this gives cert-manager a 30-day window to retry if Cloudflare
- # has a bad day during renewal.
 renewBefore: 720h
 {{- end }}
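Review bot: In the second hunk the Certificate now sits in the same wave 5 as the ClusterIssuer it names through `issuerRef` (the `issuerRef:` stanza begins on the hunk's last line and continues past it), so Argo orders the two only by its within-wave kind/name sort rather than by that dependency; cert-manager retries on a missing issuer, so this is not a failure, but nothing in the file says the ordering is deliberate. Either extend the new comment with `# Same wave as the ClusterIssuer; cert-manager retries until the issuer exists.`, or move the Certificate to `argocd.argoproj.io/sync-wave: "6"` — noting that, if I read Argo's wave gating right, the latter makes this resource wait on the issuer's health before it is applied, which would delay the Certificate Ready condition the removed header says Tower's "Provisioning → Ready" transition is keyed on, so whichever is chosen should be recorded. The `See cluster-issuer.yaml` pointer also leaves the rate-limit, DNS-01 timing and `renewBefore` rationale dropped by the first and third hunks with no home; a short restatement on this resource would keep it self-explanatory.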