fix: drop ClusterIssuer dnsZones selector for multi-zone tenants
This commit is contained in:
Tower deploy
@@ -1,19 +1,32 @@
|
|||||||
{{- if .Values.tenant.domain }}
|
{{- if .Values.tenant.domain }}
|
||||||
|
# letsencrypt-prod ClusterIssuer — DNS-01 challenge via Cloudflare.
|
||||||
|
#
|
||||||
|
# Multi-zone: the solver has NO `selector.dnsZones` restriction. The
|
||||||
|
# tenant's Cloudflare token typically covers many zones (a tenant with
|
||||||
|
# 41 owned domains is normal); we let cert-manager pick whichever zone
|
||||||
|
# matches the requested host. The token's access is the natural
|
||||||
|
# boundary — if it can't write a zone, the challenge fails loudly.
|
||||||
|
#
|
||||||
|
# Earlier the solver was scoped to `.Values.tenant.domain` only, which
|
||||||
|
# made instances on ANY other tenant-owned domain unable to issue (the
|
||||||
|
# `app.havari.me` symptom on a tenant whose primary domain is
|
||||||
|
# `4th.online`). Dropping the selector unifies single-zone and
|
||||||
|
# multi-zone tenants under one issuer.
|
||||||
|
#
|
||||||
|
# The cloudflare-api-token Secret is NOT in this chart. Tower
|
||||||
|
# kubectl-applies it into cert-manager ns at Connect time using the
|
||||||
|
# tenant's per-tenant Vault credential (v3/tenants/<id>/cloudflare-token).
|
||||||
|
# The chart references it by name only.
|
||||||
|
#
|
||||||
|
# Sync wave: needs to land AFTER cert-manager's CRDs are installed
|
||||||
|
# (cert-manager dep installs first); Argo's default ordering by kind
|
||||||
|
# handles this.
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
metadata:
|
metadata:
|
||||||
name: letsencrypt-prod
|
name: letsencrypt-prod
|
||||||
labels:
|
labels:
|
||||||
app.kubernetes.io/managed-by: cluster-platform-v3
|
app.kubernetes.io/managed-by: cluster-platform-v3
|
||||||
annotations:
|
|
||||||
# Argo applies resources in ascending sync-wave order. cert-manager
|
|
||||||
# subchart resources land in the default wave (0); we push CR
|
|
||||||
# consumers to wave 5 so the CRDs (Certificate, ClusterIssuer) the
|
|
||||||
# cert-manager Helm subchart installs are present by the time
|
|
||||||
# Argo apply hits these. Without this, Argo discovery fails on
|
|
||||||
# the first sync with "no matches for kind" because Argo applies
|
|
||||||
# the bundle in one pass and CRD discovery is cached.
|
|
||||||
argocd.argoproj.io/sync-wave: "5"
|
|
||||||
spec:
|
spec:
|
||||||
acme:
|
acme:
|
||||||
email: {{ required "acme.email is required" .Values.acme.email | quote }}
|
email: {{ required "acme.email is required" .Values.acme.email | quote }}
|
||||||
@@ -26,7 +39,4 @@ spec:
|
|||||||
apiTokenSecretRef:
|
apiTokenSecretRef:
|
||||||
name: {{ .Values.secrets.cloudflareTokenSecret.name | quote }}
|
name: {{ .Values.secrets.cloudflareTokenSecret.name | quote }}
|
||||||
key: {{ .Values.secrets.cloudflareTokenSecret.key | quote }}
|
key: {{ .Values.secrets.cloudflareTokenSecret.key | quote }}
|
||||||
selector:
|
|
||||||
dnsZones:
|
|
||||||
- {{ .Values.tenant.domain | quote }}
|
|
||||||
{{- end }}
|
{{- end }}
|
||||||
|
|||||||
Reference in New Issue
Block a user