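{{- /*
Wildcard TLS certificate for tenant hosts, issued through cert-manager
from the letsencrypt-prod ClusterIssuer. Rendered only when
.Values.tenant.wildcardHost is set.

The Secret this produces holds a wildcard private key: one key that is
valid for every host under the wildcard. Treat read access to Secrets in
the tenants namespace as equivalent to holding that key and scope RBAC
on Secrets there accordingly.
*/ -}}
{{- if .Values.tenant.wildcardHost }}
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenants-wildcard
  namespace: tenants
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
  annotations:
    # See cluster-issuer.yaml for sync-wave rationale. Certificate
    # also references the cert-manager.io CRD that lands via the
    # subchart; without a wave bump Argo discovery fails on first sync.
    argocd.argoproj.io/sync-wave: "5"
spec:
  secretName: tenants-wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  # Generate a fresh private key on every renewal instead of reusing the
  # existing one, so a key that has leaked from the Secret stops being
  # valid once the certificate rotates. cert-manager has historically
  # defaulted to Never (reuse). Anything that pins the public key rather
  # than the CA chain must tolerate this rotation.
  privateKey:
    rotationPolicy: Always
  commonName: {{ .Values.tenant.wildcardHost | quote }}
  dnsNames:
    - {{ .Values.tenant.wildcardHost | quote }}
    {{- if .Values.cluster.name }}
    # Per-cluster differentiator. Same Registered Domain, but a unique
    # SAN-list per cluster so Let's Encrypt's "Duplicate Certificate"
    # rate limit (5 per identical SAN list per Registered Domain per
    # week) doesn't trip when a tenant runs multiple clusters. The
    # wildcard SAN above stays in every cert, so customer-facing
    # routing on the wildcard host is unchanged. Only the per-domain
    # rate limit (50/week) bounds tenant capacity now.
    #
    # tenant.domain is mandatory here: an empty value would render a SAN
    # ending in "platform." and the order would only fail at the CA, so
    # fail the render instead.
    - {{ printf "%s.platform.%s" .Values.cluster.name (required "tenant.domain must be set when cluster.name is set" .Values.tenant.domain) | quote }}
    {{- end }}
  renewBefore: 720h
{{- end }}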