chart 0.7.3 — slug-suffix per-tenant ClusterIssuer (qsoft2 SSL fix)

cluster-issuer.yaml: name → letsencrypt-prod-{{ tenant.slug }}, hard-pin
apiTokenSecretRef.name to cloudflare-api-token-{{ tenant.slug }} so it
matches the ESO-created Secret. ACME account key also slug-suffixed
for tenant isolation. Pre-0.7.3 the unsuffixed letsencrypt-prod
mismatched what instance.go:504 stamps into per-instance Certificates
(letsencrypt-prod-<slug>), so cert-manager logged 'Referenced
ClusterIssuer not found' and erp2 served Traefik default cert forever.

tenants-wildcard-cert.yaml: issuerRef.name → letsencrypt-prod-{{ $.Values.tenant.slug }}
to match the renamed ClusterIssuer.

values.yaml: secrets.cloudflareTokenSecret block deprecated (the chart
no longer reads it; kept for back-compat with external overrides).

Diagnosed in the qsoft2 migrate test 2026-05-09.

values.yaml

@@ -143,14 +143,19 @@ traefik:
         port: websecure
         priority: 10
 
-# secrets — Tower applies these out-of-band via the registered
-# kubeconfig at Connect time (B2). The chart references them by
-# name only; values never enter Git.
+# secrets — DEPRECATED for cloudflareTokenSecret as of chart 0.7.3.
+# The cluster-issuer.yaml template now hard-references
+# `cloudflare-api-token-<tenant.slug>` (matches the ESO-created Secret
+# in cloudflare-api-token-externalsecret.yaml) and ignores this block.
+# Kept here as no-op back-compat for any external chart consumer that
+# overrides these values; chart templates no longer read
+# secrets.cloudflareTokenSecret. s3CredentialsSecret is still consumed
+# by the per-instance backup CronJob path and remains live.
 secrets:
   cloudflareTokenSecret:
     namespace: odoosky-system
-    name: cloudflare-api-token
-    key: api-token
+    name: cloudflare-api-token  # unused since 0.7.3; chart computes from tenant.slug
+    key: api-token              # unused since 0.7.3
   s3CredentialsSecret:
     namespace: tenants
     name: s3-backup-creds