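{{- if .Values.tenant.wildcardHost }}
# Wildcard Certificate for tenant ingress. Rendered only when a wildcard host
# is configured; the referenced ClusterIssuer presumably lives in
# cluster-issuer.yaml. Wildcard names are only issuable through the ACME
# DNS-01 challenge, so that issuer needs a dns01 solver (not visible in this
# file — confirm).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: tenants-wildcard
  namespace: tenants
  labels:
    app.kubernetes.io/managed-by: cluster-platform-v3
  annotations:
    # See cluster-issuer.yaml for sync-wave rationale. Certificate
    # also references the cert-manager.io CRD that lands via the
    # subchart; without a wave bump Argo discovery fails on first sync.
    argocd.argoproj.io/sync-wave: "5"
spec:
  # The issued key pair lands in this Secret in the tenants namespace; any
  # principal able to read it can present a valid cert for every SAN below,
  # so keep RBAC on this Secret as tight as on the tenant ingress itself.
  secretName: tenants-wildcard-tls
  # NOTE(review): cert-manager reuses the private key across renewals unless
  # spec.privateKey.rotationPolicy is set to Always — consider enabling it so
  # a leaked key ages out at the next renewal.
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  commonName: {{ .Values.tenant.wildcardHost | quote }}
  dnsNames:
    - {{ .Values.tenant.wildcardHost | quote }}
    # Both halves of the per-cluster SAN must be set: with cluster.name set but
    # tenant.domain empty the original guard rendered "<cluster>.platform.",
    # which is not a valid DNS name and fails issuance for the whole cert.
    {{- if and .Values.cluster.name .Values.tenant.domain }}
    # Per-cluster differentiator. Same Registered Domain, but a unique
    # SAN-list per cluster so Let's Encrypt's "Duplicate Certificate"
    # rate limit (5 per identical SAN list per Registered Domain per
    # week) doesn't trip when a tenant runs multiple clusters. The
    # wildcard SAN above stays in every cert, so customer-facing
    # routing (`<instance>.tenants.<domain>`) is unchanged. Only the
    # per-domain rate limit (50/week) bounds tenant capacity now.
    # NOTE(review): this SAN also makes the tenant-facing key valid for the
    # platform hostname `<cluster>.platform.<domain>`; confirm that widening
    # of the Secret's scope is intended and that the platform endpoint is not
    # meant to be served only by a separately issued certificate.
    - {{ printf "%s.platform.%s" .Values.cluster.name .Values.tenant.domain | quote }}
    {{- end }}
  # Renew 30 days before expiry. Must stay below spec.duration (cert-manager
  # defaults to 90 days, matching Let's Encrypt's certificate lifetime).
  renewBefore: 720h
{{- end }}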