sync-wave 5 on ClusterIssuer + Certificate (CRD ordering)

Chart.yaml

@@ -23,8 +23,8 @@ description: |
       Git).
 
 type: application
-version: 0.2.0
+version: 0.2.1
-appVersion: "0.2.0"
+appVersion: "0.2.1"
 
 dependencies:
   - name: cert-manager

templates/cluster-issuer.yaml

@@ -1,24 +1,19 @@
 {{- if .Values.tenant.domain }}
-# letsencrypt-prod ClusterIssuer — DNS-01 challenge via Cloudflare.
-# Scoped to the tenant's Cloudflare zone (.Values.tenant.domain) so
-# cert-manager only attempts records in zones the supplied token can
-# touch — wrong-zone tokens fail loudly at issue time rather than
-# silently re-trying forever.
-#
-# The cloudflare-api-token Secret is NOT in this chart. Tower
-# kubectl-applies it into cert-manager ns at Connect time using the
-# tenant's per-tenant Vault credential (v3/tenants/<id>/cloudflare-token).
-# The chart references it by name only.
-#
-# Sync wave: needs to land AFTER cert-manager's CRDs are installed
-# (cert-manager dep installs first); Argo's default ordering by
-# kind handles this.
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
   name: letsencrypt-prod
   labels:
     app.kubernetes.io/managed-by: cluster-platform-v3
+  annotations:
+    # Argo applies resources in ascending sync-wave order. cert-manager
+    # subchart resources land in the default wave (0); we push CR
+    # consumers to wave 5 so the CRDs (Certificate, ClusterIssuer) the
+    # cert-manager Helm subchart installs are present by the time
+    # Argo apply hits these. Without this, Argo discovery fails on
+    # the first sync with "no matches for kind" because Argo applies
+    # the bundle in one pass and CRD discovery is cached.
+    argocd.argoproj.io/sync-wave: "5"
 spec:
   acme:
     email: {{ required "acme.email is required" .Values.acme.email | quote }}

templates/tenants-wildcard-cert.yaml

@@ -1,14 +1,4 @@
 {{- if .Values.tenant.wildcardHost }}
-# tenants-wildcard Certificate — issued ONCE per cluster, referenced
-# by every tenant instance's IngressRoute. Avoids Let's Encrypt's
-# 50-cert/week per-domain rate limit as the cluster scales to many
-# instances under one tenant.
-#
-# DNS-01 takes 30–90 s in normal Cloudflare conditions; cert-manager
-# retries forever on transient failures. The Argo Application that
-# deploys this chart is "Healthy" only when the Certificate's Ready
-# condition flips to True — Tower's UI uses that as the
-# "Provisioning → Ready" transition for the Server card.
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -16,6 +6,11 @@ metadata:
   namespace: tenants
   labels:
     app.kubernetes.io/managed-by: cluster-platform-v3
+  annotations:
+    # See cluster-issuer.yaml for sync-wave rationale. Certificate
+    # also references the cert-manager.io CRD that lands via the
+    # subchart; without a wave bump Argo discovery fails on first sync.
+    argocd.argoproj.io/sync-wave: "5"
 spec:
   secretName: tenants-wildcard-tls
   issuerRef:
@@ -24,8 +19,5 @@ spec:
   commonName: {{ .Values.tenant.wildcardHost | quote }}
   dnsNames:
     - {{ .Values.tenant.wildcardHost | quote }}
-  # Renew 30 days before expiry — Let's Encrypt certs are 90-day, so
-  # this gives cert-manager a 30-day window to retry if Cloudflare
-  # has a bad day during renewal.
   renewBefore: 720h
 {{- end }}