feat: loop tenant.domains[] for N wildcard certs (#320.C)

values.yaml

@@ -20,12 +20,27 @@ cluster:
 # template fails with `required` on an empty value).
 tenant:
   # Domain the Cloudflare zone covers, e.g. "acme-erp.com".
+  # Mirror of domains[primary].root — kept for legacy chart consumers.
   domain: ""
   # Wildcard hostname the cluster-wide tenants-wildcard cert covers,
-  # e.g. "*.tenants.acme-erp.com". Every tenant instance Ingress
-  # references the resulting Secret (`tenants-wildcard-tls` in the
-  # `tenants` namespace) by name.
+  # e.g. "*.tenants.acme-erp.com". Mirror of domains[primary].wildcardHost.
+  # Every tenant instance Ingress references the resulting Secret
+  # (`tenants-wildcard-tls` in the `tenants` namespace) by name.
   wildcardHost: ""
+  # domains — full multi-domain list (#320.C). Tower passes one entry
+  # per domain the tenant has registered; the chart issues one
+  # wildcard Certificate per VERIFIED entry. The primary entry
+  # produces the canonical `tenants-wildcard-tls` Secret; non-primary
+  # entries get `tenants-wildcard-<root-with-dots-as-dashes>-tls`.
+  # Empty list = legacy single-domain mode (chart synthesizes one
+  # entry from domain + wildcardHost above).
+  #
+  # Each entry shape:
+  #   - root:         "acme.com"
+  #   - wildcardHost: "*.tenants.acme.com"
+  #   - primary:      true   # exactly one entry should be primary
+  #   - verified:     true   # chart skips entries with verified=false
+  domains: []
 
 # acme — Let's Encrypt registration. Operator email is per-platform,
 # not per-tenant.