sync-wave 5 on ClusterIssuer + Certificate (CRD ordering)
This commit is contained in:
ops
@@ -1,24 +1,19 @@
|
||||
{{- if .Values.tenant.domain }}
|
||||
# letsencrypt-prod ClusterIssuer — DNS-01 challenge via Cloudflare.
|
||||
# Scoped to the tenant's Cloudflare zone (.Values.tenant.domain) so
|
||||
# cert-manager only attempts records in zones the supplied token can
|
||||
# touch — wrong-zone tokens fail loudly at issue time rather than
|
||||
# silently re-trying forever.
|
||||
#
|
||||
# The cloudflare-api-token Secret is NOT in this chart. Tower
|
||||
# kubectl-applies it into cert-manager ns at Connect time using the
|
||||
# tenant's per-tenant Vault credential (v3/tenants/<id>/cloudflare-token).
|
||||
# The chart references it by name only.
|
||||
#
|
||||
# Sync wave: needs to land AFTER cert-manager's CRDs are installed
|
||||
# (cert-manager dep installs first); Argo's default ordering by
|
||||
# kind handles this.
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: ClusterIssuer
|
||||
metadata:
|
||||
name: letsencrypt-prod
|
||||
labels:
|
||||
app.kubernetes.io/managed-by: cluster-platform-v3
|
||||
annotations:
|
||||
# Argo applies resources in ascending sync-wave order. cert-manager
|
||||
# subchart resources land in the default wave (0); we push CR
|
||||
# consumers to wave 5 so the CRDs (Certificate, ClusterIssuer) the
|
||||
# cert-manager Helm subchart installs are present by the time
|
||||
# Argo apply hits these. Without this, Argo discovery fails on
|
||||
# the first sync with "no matches for kind" because Argo applies
|
||||
# the bundle in one pass and CRD discovery is cached.
|
||||
argocd.argoproj.io/sync-wave: "5"
|
||||
spec:
|
||||
acme:
|
||||
email: {{ required "acme.email is required" .Values.acme.email | quote }}
|
||||
|
||||
@@ -1,14 +1,4 @@
|
||||
{{- if .Values.tenant.wildcardHost }}
|
||||
# tenants-wildcard Certificate — issued ONCE per cluster, referenced
|
||||
# by every tenant instance's IngressRoute. Avoids Let's Encrypt's
|
||||
# 50-cert/week per-domain rate limit as the cluster scales to many
|
||||
# instances under one tenant.
|
||||
#
|
||||
# DNS-01 takes 30–90 s in normal Cloudflare conditions; cert-manager
|
||||
# retries forever on transient failures. The Argo Application that
|
||||
# deploys this chart is "Healthy" only when the Certificate's Ready
|
||||
# condition flips to True — Tower's UI uses that as the
|
||||
# "Provisioning → Ready" transition for the Server card.
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
@@ -16,6 +6,11 @@ metadata:
|
||||
namespace: tenants
|
||||
labels:
|
||||
app.kubernetes.io/managed-by: cluster-platform-v3
|
||||
annotations:
|
||||
# See cluster-issuer.yaml for sync-wave rationale. Certificate
|
||||
# also references the cert-manager.io CRD that lands via the
|
||||
# subchart; without a wave bump Argo discovery fails on first sync.
|
||||
argocd.argoproj.io/sync-wave: "5"
|
||||
spec:
|
||||
secretName: tenants-wildcard-tls
|
||||
issuerRef:
|
||||
@@ -24,8 +19,5 @@ spec:
|
||||
commonName: {{ .Values.tenant.wildcardHost | quote }}
|
||||
dnsNames:
|
||||
- {{ .Values.tenant.wildcardHost | quote }}
|
||||
# Renew 30 days before expiry — Let's Encrypt certs are 90-day, so
|
||||
# this gives cert-manager a 30-day window to retry if Cloudflare
|
||||
# has a bad day during renewal.
|
||||
renewBefore: 720h
|
||||
{{- end }}
|
||||
|
||||
Reference in New Issue
Block a user