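{{- if .Values.tenant.wildcardHost }}
# tenants-wildcard Certificate — issued ONCE per cluster, referenced
# by every tenant instance's IngressRoute. Avoids Let's Encrypt's
# 50-cert/week per-domain rate limit as the cluster scales to many
# instances under one tenant.
#
# DNS-01 takes 30–90 s in normal Cloudflare conditions; cert-manager
# retries forever on transient failures. The Argo Application that
# deploys this chart is "Healthy" only when the Certificate's Ready
# condition flips to True — Tower's UI uses that as the
# "Provisioning → Ready" transition for the Server card.
#
# Security note: the private key behind this single wildcard cert is
# the TLS trust anchor for EVERY tenant hostname. It is stored in
# Secret tenants-wildcard-tls in the `tenants` namespace, so any
# principal that can read that Secret (RBAC grants, backup/export
# tooling, workloads mounting it) effectively holds TLS for all
# tenants — scope and audit that access accordingly.
#
# Coverage caveat: only the exact wildcardHost value is a SAN. A
# wildcard label matches one level only, so it covers neither the
# apex nor deeper subdomains (illustrative: `*.example.com` covers
# `a.example.com` but not `example.com` or `x.a.example.com`). Add
# further dnsNames entries if those ever need to be served.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenants-wildcard
  namespace: tenants
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
spec:
  secretName: tenants-wildcard-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: {{ .Values.tenant.wildcardHost | quote }}
  dnsNames:
    - {{ .Values.tenant.wildcardHost | quote }}
  privateKey:
    # cert-manager's default rotationPolicy is Never, which re-uses the
    # same private key on every renewal for the cert's whole lifetime.
    # Because this one key fronts every tenant, generate a fresh key at
    # each renewal so an undetected key compromise does not outlive the
    # 90-day certificate it was taken from.
    rotationPolicy: Always
  # Renew 30 days before expiry — Let's Encrypt certs are 90-day, so
  # this gives cert-manager a 30-day window to retry if Cloudflare
  # has a bad day during renewal.
  renewBefore: 720h
{{- end }}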