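{{- if .Values.tenant.domain }}
# ClusterIssuer that obtains certificates over ACME using a Cloudflare DNS-01
# solver. Rendered only when tenant.domain is set.
#
# NOTE(review): the resource name and the account-key secret name are fixed to
# "letsencrypt-prod" while the ACME endpoint comes from .Values.acme.server.
# If that value points at a staging endpoint, the names no longer say what
# the issuer does. Confirm the value is always the production directory, or
# derive the name from it.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
  annotations:
    # Argo applies resources in ascending sync-wave order. cert-manager
    # subchart resources land in the default wave (0); we push CR
    # consumers to wave 5 so the CRDs (Certificate, ClusterIssuer) the
    # cert-manager Helm subchart installs are present by the time
    # Argo apply hits these. Without this, Argo discovery fails on
    # the first sync with "no matches for kind" because Argo applies
    # the bundle in one pass and CRD discovery is cached.
    argocd.argoproj.io/sync-wave: "5"
spec:
  acme:
    email: {{ required "acme.email is required" .Values.acme.email | quote }}
    # Fail at render time rather than shipping an issuer with an empty ACME
    # endpoint, which would only surface when the first order is attempted.
    server: {{ required "acme.server is required" .Values.acme.server | quote }}
    # Secret that holds the ACME account private key. Anyone who can read it
    # can act as this ACME account, so keep read access to it narrow.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            # For a ClusterIssuer, cert-manager resolves this Secret in its
            # cluster resource namespace (by default the namespace
            # cert-manager runs in; see --cluster-resource-namespace), not
            # in the namespace of the Certificate being issued.
            # The token should be a Cloudflare API token limited to DNS
            # edits on the tenant zone, not an account-wide API key.
            # Both fields are required so that a missing value stops the
            # render instead of producing an empty secret reference.
            apiTokenSecretRef:
              name: {{ required "secrets.cloudflareTokenSecret.name is required" .Values.secrets.cloudflareTokenSecret.name | quote }}
              key: {{ required "secrets.cloudflareTokenSecret.key is required" .Values.secrets.cloudflareTokenSecret.key | quote }}
        # Restricts this solver to names inside the tenant zone. A
        # ClusterIssuer can be referenced from any namespace, so this
        # selector is what keeps the Cloudflare token from being used for
        # names outside tenant.domain.
        selector:
          dnsZones:
            - {{ .Values.tenant.domain | quote }}
{{- end }}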