odoo-tower/cluster-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(slice 2B.3): chart Restore half — injectedWildcards conditional (0.5.7)

Browse Source 
Add the chart-side machinery that lets Tower bypass the cert-manager
Certificate path on Reconnect by injecting a Vault-stashed wildcard
cert directly as a kubernetes.io/tls Secret.

values.yaml:
  certManager.injectedWildcards: []
    Each entry: { root, primary, crt, key }. Empty list = legacy ACME-only.

templates/tenants-wildcard-cert.yaml:
  Build $injectedRoots index from injectedWildcards[]; per-domain
  Certificate is skipped when its root has an injected entry.

templates/tenants-wildcard-secret.yaml (NEW):
  Per injected entry, render kubernetes.io/tls Secret using the same
  name the cert path would have produced (tenants-wildcard-tls primary,
  tenants-wildcard-<root-as-dashes>-tls non-primary). Sync-wave 2 to
  match the cert path's timing. Label odoosky.io/wildcard-source=
  vault-injected so harvester can skip them.

Verified via helm template + self-signed dummy cert:
  - Pure injection: 0 Certificate, 1 Secret (correct name + base64)
  - Pure ACME: 1 Certificate, 0 Secret (status quo)
  - Mixed (2 domains, 1 injected): 1 Certificate + 1 Secret

Inert without Tower wiring — existing clusters render identically to
0.5.6 because injectedWildcards defaults to []. Pushed first as the
foundation layer for the upcoming Tower restore + harvester slices.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
pro-777
2026-05-04 14:27:30 +03:00
parent d52d335853
commit 7e3280aa26
4 changed files with 97 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
templates/tenants-wildcard-cert.yaml
View File

@@ -46,8 +46,19 @@
"primary" true
"verified" true) }}
{{- end }}
{{/* Slice 2B.3 — index of roots that have a Vault-stashed cert
injected via certManager.injectedWildcards[]. We skip the
Certificate resource entirely for those; the sibling
tenants-wildcard-secret.yaml renders the kubernetes.io/tls
Secret directly so no ACME order is placed. */}}
{{- $injectedRoots := dict }}
{{- range .Values.certManager.injectedWildcards | default (list) }}
{{- if and .root .crt .key }}
{{- $_ := set $injectedRoots .root true }}
{{- end }}
{{- end }}
{{- range $i, $d := $domains }}
{{- if and $d.verified $d.wildcardHost }}
{{- if and $d.verified $d.wildcardHost (not (hasKey $injectedRoots $d.root)) }}
{{- $suffix := "" }}
{{- if not $d.primary }}
{{- $suffix = printf "-%s" (replace "." "-" $d.root) }}