per-cluster differentiator SAN on tenants-wildcard cert (avoid LE Duplicate Cert rate limit)

templates/tenants-wildcard-cert.yaml

@@ -19,5 +19,15 @@ spec:
   commonName: {{ .Values.tenant.wildcardHost | quote }}
   dnsNames:
     - {{ .Values.tenant.wildcardHost | quote }}
+    {{- if .Values.cluster.name }}
+    # Per-cluster differentiator. Same Registered Domain, but a unique
+    # SAN-list per cluster so Let's Encrypt's "Duplicate Certificate"
+    # rate limit (5 per identical SAN list per Registered Domain per
+    # week) doesn't trip when a tenant runs multiple clusters. The
+    # wildcard SAN above stays in every cert, so customer-facing
+    # routing (`<instance>.tenants.<domain>`) is unchanged. Only the
+    # per-domain rate limit (50/week) bounds tenant capacity now.
+    - {{ printf "%s.platform.%s" .Values.cluster.name .Values.tenant.domain | quote }}
+    {{- end }}
   renewBefore: 720h
 {{- end }}