sync-wave 5 on ClusterIssuer + Certificate (CRD ordering)

templates/tenants-wildcard-cert.yaml

@@ -1,14 +1,4 @@
 {{- if .Values.tenant.wildcardHost }}
-# tenants-wildcard Certificate — issued ONCE per cluster, referenced
-# by every tenant instance's IngressRoute. Avoids Let's Encrypt's
-# 50-cert/week per-domain rate limit as the cluster scales to many
-# instances under one tenant.
-#
-# DNS-01 takes 30–90 s in normal Cloudflare conditions; cert-manager
-# retries forever on transient failures. The Argo Application that
-# deploys this chart is "Healthy" only when the Certificate's Ready
-# condition flips to True — Tower's UI uses that as the
-# "Provisioning → Ready" transition for the Server card.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -16,6 +6,11 @@ metadata:
   namespace: tenants
   labels:
     app.kubernetes.io/managed-by: cluster-platform-v3
+  annotations:
+    # See cluster-issuer.yaml for sync-wave rationale. Certificate
+    # also references the cert-manager.io CRD that lands via the
+    # subchart; without a wave bump Argo discovery fails on first sync.
+    argocd.argoproj.io/sync-wave: "5"
 spec:
   secretName: tenants-wildcard-tls
   issuerRef:
@@ -24,8 +19,5 @@ spec:
   commonName: {{ .Values.tenant.wildcardHost | quote }}
   dnsNames:
     - {{ .Values.tenant.wildcardHost | quote }}
-  # Renew 30 days before expiry — Let's Encrypt certs are 90-day, so
-  # this gives cert-manager a 30-day window to retry if Cloudflare
-  # has a bad day during renewal.
   renewBefore: 720h
 {{- end }}