odoo-tower/cluster-platform-v3
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat(slice 2B.3): chart Restore half — injectedWildcards conditional (0.5.7)

Browse Source 
Add the chart-side machinery that lets Tower bypass the cert-manager
Certificate path on Reconnect by injecting a Vault-stashed wildcard
cert directly as a kubernetes.io/tls Secret.

values.yaml:
  certManager.injectedWildcards: []
    Each entry: { root, primary, crt, key }. Empty list = legacy ACME-only.

templates/tenants-wildcard-cert.yaml:
  Build $injectedRoots index from injectedWildcards[]; per-domain
  Certificate is skipped when its root has an injected entry.

templates/tenants-wildcard-secret.yaml (NEW):
  Per injected entry, render kubernetes.io/tls Secret using the same
  name the cert path would have produced (tenants-wildcard-tls primary,
  tenants-wildcard-<root-as-dashes>-tls non-primary). Sync-wave 2 to
  match the cert path's timing. Label odoosky.io/wildcard-source=
  vault-injected so harvester can skip them.

Verified via helm template + self-signed dummy cert:
  - Pure injection: 0 Certificate, 1 Secret (correct name + base64)
  - Pure ACME: 1 Certificate, 0 Secret (status quo)
  - Mixed (2 domains, 1 injected): 1 Certificate + 1 Secret

Inert without Tower wiring — existing clusters render identically to
0.5.6 because injectedWildcards defaults to []. Pushed first as the
foundation layer for the upcoming Tower restore + harvester slices.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
pro-777
2026-05-04 14:27:30 +03:00
parent d52d335853
commit 7e3280aa26
4 changed files with 97 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

21
values.yaml
View File

@@ -53,6 +53,27 @@ acme:
# the actual subchart values live below under the dep name `cert-manager`.
certManager:
enabled: true
# injectedWildcards — Slice 2B.3 (2026-05-04). Tower's per-tenant
# Vault-stash flow harvests successfully-issued wildcard cert
# Secrets and re-injects them on Reconnect to bypass Let's Encrypts
# 5-cert/identifier/168h rate limit. When an entry is present
# for a tenant.domains[].root, the chart:
# - SKIPS the cert-manager Certificate resource for that root
# (so no ACME order is placed)
# - Renders a kubernetes.io/tls Secret with the injected crt/key
# under the SAME name the cert-manager path would have used
# (`tenants-wildcard-tls` for primary, `tenants-wildcard-<root-
# with-dots-as-dashes>-tls` otherwise) so existing
# IngressRoutes don't need to change.
# Empty list = legacy ACME-only path. Per-domain — a tenant can
# mix injected + ACME-issued certs across multiple roots.
#
# Each entry shape:
# - root: "acme.com"
# - primary: true # mirrors tenant.domains[i].primary
# - crt: "<PEM cert chain>"
# - key: "<PEM private key>"
injectedWildcards: []
# cert-manager — values passed THROUGH to the upstream jetstack subchart
# (Chart.yaml dependency name = "cert-manager"). Subchart values must