per-cluster differentiator SAN on tenants-wildcard cert (avoid LE Duplicate Cert rate limit)

Chart.yaml

@@ -23,8 +23,8 @@ description: |
       Git).
 
 type: application
-version: 0.2.5
-appVersion: "0.2.5"
+version: 0.2.6
+appVersion: "0.2.6"
 
 dependencies:
   - name: cert-manager

templates/tenants-wildcard-cert.yaml

@@ -19,5 +19,15 @@ spec:
   commonName: {{ .Values.tenant.wildcardHost | quote }}
   dnsNames:
     - {{ .Values.tenant.wildcardHost | quote }}
+    {{- if .Values.cluster.name }}
+    # Per-cluster differentiator. Same Registered Domain, but a unique
+    # SAN-list per cluster so Let's Encrypt's "Duplicate Certificate"
+    # rate limit (5 per identical SAN list per Registered Domain per
+    # week) doesn't trip when a tenant runs multiple clusters. The
+    # wildcard SAN above stays in every cert, so customer-facing
+    # routing (`<instance>.tenants.<domain>`) is unchanged. Only the
+    # per-domain rate limit (50/week) bounds tenant capacity now.
+    - {{ printf "%s.platform.%s" .Values.cluster.name .Values.tenant.domain | quote }}
+    {{- end }}
   renewBefore: 720h
 {{- end }}

values.yaml

@@ -5,6 +5,15 @@
 
 namespace: odoosky-system
 
+
+# cluster — per-cluster identity passed by Tower as helm.values on each
+# per-cluster Application. The chart uses cluster.name to add a
+# differentiator SAN to the tenants-wildcard Certificate so Lets
+# Encrypts duplicate-cert rate limit doesnt collide across one
+# tenants multiple clusters.
+cluster:
+  name: ""
+
 # tenant — per-tenant identity injected by Tower as helm.values on
 # the per-cluster Argo Application. Empty defaults are safe to lint
 # but a real deploy MUST set domain + wildcardHost (the Certificate