7e3280aa26
Add the chart-side machinery that lets Tower bypass the cert-manager
Certificate path on Reconnect by injecting a Vault-stashed wildcard
cert directly as a kubernetes.io/tls Secret.
values.yaml:
certManager.injectedWildcards: []
Each entry: { root, primary, crt, key }. Empty list = legacy ACME-only.
templates/tenants-wildcard-cert.yaml:
Build $injectedRoots index from injectedWildcards[]; per-domain
Certificate is skipped when its root has an injected entry.
templates/tenants-wildcard-secret.yaml (NEW):
Per injected entry, render kubernetes.io/tls Secret using the same
name the cert path would have produced (tenants-wildcard-tls primary,
tenants-wildcard-<root-as-dashes>-tls non-primary). Sync-wave 2 to
match the cert path's timing. Label odoosky.io/wildcard-source=
vault-injected so harvester can skip them.
Verified via helm template + self-signed dummy cert:
- Pure injection: 0 Certificate, 1 Secret (correct name + base64)
- Pure ACME: 1 Certificate, 0 Secret (status quo)
- Mixed (2 domains, 1 injected): 1 Certificate + 1 Secret
Inert without Tower wiring — existing clusters render identically to
0.5.6 because injectedWildcards defaults to []. Pushed first as the
foundation layer for the upcoming Tower restore + harvester slices.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
63 lines
2.4 KiB
YAML
63 lines
2.4 KiB
YAML
# tenants-wildcard injected Secret(s) — Slice 2B.3 (2026-05-04).
|
|
#
|
|
# This template is the "Restore" half of the Vault Stash/Restore
|
|
# flow. Tower harvests successfully-issued wildcard cert Secrets
|
|
# into per-tenant Vault paths (`v3/tenants/<id>/certificates/<root>`).
|
|
# On Reconnect for the same tenant + root, Tower reads the stash back
|
|
# and passes it as helm values:
|
|
#
|
|
# certManager.injectedWildcards:
|
|
# - root: "acme.com"
|
|
# primary: true # mirrors tenant.domains[i].primary
|
|
# crt: "<PEM cert chain>"
|
|
# key: "<PEM private key>"
|
|
#
|
|
# When an entry is present, this file emits a kubernetes.io/tls
|
|
# Secret with the SAME name the cert-manager Certificate path would
|
|
# have produced — so existing IngressRoutes and per-instance
|
|
# references don't have to change to use the injected variant.
|
|
#
|
|
# tenants-wildcard-cert.yaml's matching skip-condition keeps the
|
|
# Certificate resource from rendering for the same root, so no
|
|
# ACME order is placed and the Let's Encrypt rate-limit budget is
|
|
# preserved across reconnect churn.
|
|
#
|
|
# Naming contract (must mirror tenants-wildcard-cert.yaml exactly):
|
|
# primary → `tenants-wildcard-tls`
|
|
# non-primary → `tenants-wildcard-<root-with-dots-as-dashes>-tls`
|
|
#
|
|
# Empty / missing fields on an entry → silently skip that entry.
|
|
# Tower is responsible for populating crt + key + root before passing
|
|
# the entry through; a half-formed entry shouldn't render a broken
|
|
# Secret that would mask the real ACME path.
|
|
{{- range .Values.certManager.injectedWildcards | default (list) }}
|
|
{{- if and .root .crt .key }}
|
|
{{- $suffix := "" }}
|
|
{{- if not .primary }}
|
|
{{- $suffix = printf "-%s" (replace "." "-" .root) }}
|
|
{{- end }}
|
|
---
|
|
apiVersion: v1
|
|
kind: Secret
|
|
metadata:
|
|
name: {{ printf "tenants-wildcard%s-tls" $suffix | quote }}
|
|
namespace: tenants
|
|
labels:
|
|
app.kubernetes.io/managed-by: cluster-platform-v3
|
|
odoosky.io/domain-root: {{ .root | quote }}
|
|
odoosky.io/wildcard-source: vault-injected
|
|
{{- if .primary }}
|
|
odoosky.io/domain-primary: "true"
|
|
{{- end }}
|
|
annotations:
|
|
# Wave 2 to land in the same step as the (skipped) Certificate
|
|
# resource would have. Keeps the substrate-Ready timing model
|
|
# identical between ACME-issued and injected paths.
|
|
argocd.argoproj.io/sync-wave: "2"
|
|
type: kubernetes.io/tls
|
|
data:
|
|
tls.crt: {{ .crt | b64enc | quote }}
|
|
tls.key: {{ .key | b64enc | quote }}
|
|
{{- end }}
|
|
{{- end }}
|