From 7ee9856e254d2985f3954727f98a0c4e156d6b5e Mon Sep 17 00:00:00 2001
From: ops
Date: Wed, 29 Apr 2026 22:27:02 +0200
Subject: [PATCH] per-cluster differentiator SAN on tenants-wildcard cert (avoid LE Duplicate Cert rate limit)

---
 Chart.yaml | 4 ++--
 templates/tenants-wildcard-cert.yaml | 10 ++++++++++
 values.yaml | 9 +++++++++
 3 files changed, 21 insertions(+), 2 deletions(-)

diff --git a/Chart.yaml b/Chart.yaml
index 15baf49..3501f07 100644
--- a/Chart.yaml
+++ b/Chart.yaml
@@ -23,8 +23,8 @@ description: |
   Git).
 
 type: application
-version: 0.2.5
-appVersion: "0.2.5"
+version: 0.2.6
+appVersion: "0.2.6"
 
 dependencies:
   - name: cert-manager
diff --git a/templates/tenants-wildcard-cert.yaml b/templates/tenants-wildcard-cert.yaml
index 63284c6..f1cd5bc 100644
--- a/templates/tenants-wildcard-cert.yaml
+++ b/templates/tenants-wildcard-cert.yaml
@@ -19,5 +19,15 @@ spec:
   commonName: {{ .Values.tenant.wildcardHost | quote }}
   dnsNames:
     - {{ .Values.tenant.wildcardHost | quote }}
+    {{- if .Values.cluster.name }}
+    # Per-cluster differentiator. Same Registered Domain, but a unique
+    # SAN-list per cluster so Let's Encrypt's "Duplicate Certificate"
+    # rate limit (5 per identical SAN list per Registered Domain per
+    # week) doesn't trip when a tenant runs multiple clusters. The
+    # wildcard SAN above stays in every cert, so customer-facing
+    # routing (`.tenants.`) is unchanged. Only the
+    # per-domain rate limit (50/week) bounds tenant capacity now.
+    - {{ printf "%s.platform.%s" .Values.cluster.name .Values.tenant.domain | quote }}
+    {{- end }}
   renewBefore: 720h
 {{- end }}
diff --git a/values.yaml b/values.yaml
index b97c95a..add0e07 100644
--- a/values.yaml
+++ b/values.yaml
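Review bot: The new differentiator SAN interpolates `.Values.cluster.name` into a dnsName with no validation, so a cluster name carrying uppercase letters, underscores, spaces or a dot produces a name ACME/cert-manager rejects (or, with a dot, an extra label under `platform.<domain>`), and the whole tenant wildcard Certificate then fails to issue or renew. Guard it just before the `{{- if .Values.cluster.name }}` line with `{{- if not (regexMatch "^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$" .Values.cluster.name) }}` / `{{- fail (printf "cluster.name %q is not a valid DNS label" .Values.cluster.name) }}` / `{{- end }}`; `.Values.tenant.domain` is likewise unchecked in this hunk, and an empty value yields the invalid `<name>.platform.`, unless a guard outside the hunk already covers it. Two caveats belong in the comment: the differentiator name must itself pass ACME validation, so an issuer whose solver selector is scoped to the tenants zone (not visible here) would have no solver for the `platform.<domain>` order, and because every SAN is published to CT logs, `cluster.name` becomes public and should be an opaque identifier rather than a revealing infrastructure name. The enclosing Certificate spec and its opening `{{- if }}` start before this hunk.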
@@ -5,6 +5,15 @@ namespace: odoosky-system
 
+
+# cluster — per-cluster identity passed by Tower as helm.values on each
+# per-cluster Application. The chart uses cluster.name to add a
+# differentiator SAN to the tenants-wildcard Certificate so Lets
+# Encrypts duplicate-cert rate limit doesnt collide across one
+# tenants multiple clusters.
+cluster:
+  name: ""
+
 # tenant — per-tenant identity injected by Tower as helm.values on
 # the per-cluster Argo Application. Empty defaults are safe to lint
 # but a real deploy MUST set domain + wildcardHost (the Certificate