chart 0.7.3 — slug-suffix per-tenant ClusterIssuer (qsoft2 SSL fix)

cluster-issuer.yaml: name → letsencrypt-prod-{{ tenant.slug }}, hard-pin
apiTokenSecretRef.name to cloudflare-api-token-{{ tenant.slug }} so it
matches the ESO-created Secret. ACME account key also slug-suffixed
for tenant isolation. Pre-0.7.3 the unsuffixed letsencrypt-prod
mismatched what instance.go:504 stamps into per-instance Certificates
(letsencrypt-prod-<slug>), so cert-manager logged 'Referenced
ClusterIssuer not found' and erp2 served Traefik default cert forever.

tenants-wildcard-cert.yaml: issuerRef.name → letsencrypt-prod-{{ $.Values.tenant.slug }}
to match the renamed ClusterIssuer.

values.yaml: secrets.cloudflareTokenSecret block deprecated (the chart
no longer reads it; kept for back-compat with external overrides).

Diagnosed in the qsoft2 migrate test 2026-05-09.

templates/tenants-wildcard-cert.yaml

@@ -96,7 +96,11 @@ metadata:
 spec:
   secretName: {{ printf "tenants-wildcard%s-tls" $suffix | quote }}
   issuerRef:
-    name: letsencrypt-prod
+    # Slug-suffixed since chart 0.7.3 — matches the ClusterIssuer
+    # name rendered by cluster-issuer.yaml. Pre-0.7.3 this was the
+    # unsuffixed `letsencrypt-prod`. See cluster-issuer.yaml's
+    # docstring for the why.
+    name: letsencrypt-prod-{{ $.Values.tenant.slug }}
     kind: ClusterIssuer
   commonName: {{ $d.wildcardHost | quote }}
   dnsNames: