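{{- if .Values.tenant.domain }}
# letsencrypt-prod ClusterIssuer — DNS-01 challenge via Cloudflare.
#
# Rendered only when .Values.tenant.domain is set: without a zone there
# is nothing to solve against, so the issuer is omitted entirely rather
# than created with an empty dnsZones selector.
#
# Scoped to the tenant's Cloudflare zone (.Values.tenant.domain) so
# cert-manager only attempts records in zones the supplied token can
# touch — wrong-zone tokens fail loudly at issue time rather than
# silently re-trying forever. Keep the Cloudflare token itself limited
# to that one zone with DNS-edit permission only, for the same reason:
# a broader token turns a leaked Secret into write access on every zone
# it covers.
#
# The cloudflare-api-token Secret is NOT in this chart. Tower
# kubectl-applies it into the cert-manager namespace at Connect time
# using the tenant's per-tenant Vault credential
# (v3/tenants/<tenant>/cloudflare-token — <tenant> is a placeholder; the
# tenant path segment is elided here). The chart references it by name
# only, so a missing or misnamed Secret surfaces at challenge time (the
# solver cannot read its token), not as a render error.
#
# Ordering: the ClusterIssuer CRD must exist before this manifest is
# applied (cert-manager is a chart dependency and installs first).
# Argo's default kind ordering puts CRDs before CRs, but its dry-run
# phase can still fail when the CRD is not yet in the cluster; the
# SkipDryRunOnMissingResource sync option below covers that first sync.
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
  annotations:
    # First sync on a fresh cluster: the CRD may be absent at dry-run time.
    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
spec:
  acme:
    # Both values are mandatory for ACME account registration; fail at
    # render time rather than producing an issuer that never becomes Ready.
    email: {{ required "acme.email is required" .Values.acme.email | quote }}
    server: {{ required "acme.server is required" .Values.acme.server | quote }}
    # ACME account private key. For a ClusterIssuer, cert-manager creates
    # and stores this Secret in its own namespace — presumably the
    # cluster-resource namespace; confirm against the cert-manager install.
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - dns01:
          cloudflare:
            # Name/key of the externally managed token Secret; both are
            # required so an unset value fails at render time instead of
            # rendering an empty reference.
            apiTokenSecretRef:
              name: {{ required "secrets.cloudflareTokenSecret.name is required" .Values.secrets.cloudflareTokenSecret.name | quote }}
              key: {{ required "secrets.cloudflareTokenSecret.key is required" .Values.secrets.cloudflareTokenSecret.key | quote }}
        # Restrict this solver to the tenant zone; a challenge for any
        # other DNS name matches no solver and fails fast.
        selector:
          dnsZones:
            - {{ .Values.tenant.domain | quote }}
{{- end }}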