Add the chart-side machinery that lets Tower bypass the cert-manager
Certificate path on Reconnect by injecting a Vault-stashed wildcard
cert directly as a kubernetes.io/tls Secret.
values.yaml:
certManager.injectedWildcards: []
Each entry: { root, primary, crt, key }. Empty list = legacy ACME-only.
templates/tenants-wildcard-cert.yaml:
Build $injectedRoots index from injectedWildcards[]; per-domain
Certificate is skipped when its root has an injected entry.
templates/tenants-wildcard-secret.yaml (NEW):
Per injected entry, render kubernetes.io/tls Secret using the same
name the cert path would have produced (tenants-wildcard-tls primary,
tenants-wildcard-<root-as-dashes>-tls non-primary). Sync-wave 2 to
match the cert path's timing. Label odoosky.io/wildcard-source=
vault-injected so harvester can skip them.
Verified via helm template + self-signed dummy cert:
- Pure injection: 0 Certificate, 1 Secret (correct name + base64)
- Pure ACME: 1 Certificate, 0 Secret (status quo)
- Mixed (2 domains, 1 injected): 1 Certificate + 1 Secret
Inert without Tower wiring — existing clusters render identically to
0.5.6 because injectedWildcards defaults to []. Pushed first as the
foundation layer for the upcoming Tower restore + harvester slices.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
7e3280aa26