cert-manager subchart: use dep-name alias + crds.enabled (v1.16 install fix)

Chart.yaml

@@ -23,8 +23,8 @@ description: |
       Git).
 
 type: application
-version: 0.2.1
+version: 0.2.2
-appVersion: "0.2.1"
+appVersion: "0.2.2"
 
 dependencies:
   - name: cert-manager

values.yaml

@@ -24,13 +24,27 @@ acme:
   email: m@havari.me
   server: https://acme-v02.api.letsencrypt.org/directory
 
-# certManager — the upstream jetstack chart, pinned at v1.16.1 by
+# certManager — gate for the conditional in Chart.yaml dependencies.
-# Chart.yaml's dependency. We turn on CRDs + force the namespace so
+# Helm reads this for the `condition: certManager.enabled` flag only;
-# the ClusterIssuer template below can reference solver Secrets in
+# the actual subchart values live below under the dep name `cert-manager`.
-# `cert-manager` ns.
 certManager:
   enabled: true
-  installCRDs: true
+
+# cert-manager — values passed THROUGH to the upstream jetstack subchart
+# (Chart.yaml dependency name = "cert-manager"). Subchart values must
+# nest under the dep name, not under our top-level `certManager` alias —
+# putting them under `certManager:` does nothing.
+#
+# crds.enabled — install the cert-manager CRDs in the same release. The
+# v1.14+ jetstack chart renamed `installCRDs` to `crds.enabled`; the
+# old key is silently ignored, leaving the CRDs absent and any
+# Certificate / ClusterIssuer manifest failing with "no matches for kind".
+# crds.keep — leave CRDs in place if the chart is uninstalled. Safer for
+# disconnect flows where the customer might re-add the cluster later.
+cert-manager:
+  crds:
+    enabled: true
+    keep: true
 
 # traefik — upstream chart. LoadBalancer Service so the customer's
 # k3s servicelb maps :80/:443 to the host. Tower currently doesn't