{{- /*
TLS source resolution:

  - If the instance domain is COVERED by the tenant's shared wildcard
    cert (e.g. instance domain ends in `.<tenantWildcardHost>`), we
    reuse the existing wildcard Secret — no new cert to issue.
  - Otherwise (multi-domain tenants deploying on a domain outside their
    wildcard zone, e.g. `app.havari.me` when wildcard is
    `*.tenants.4th.online`), cert-manager issues a per-host
    Let's Encrypt cert via DNS-01. The IngressRoute references that
    cert's Secret instead.

This logic lives at template render time so a single chart serves both
shapes — operators don't have to think about "which TLS mode am I in".

`tenantWildcardHost` is set by Tower per-instance from the tenant's
settings (the suffix of the wildcard pattern, without the `*.`). Empty
(legacy / no wildcard configured) → always per-host.
*/}}
{{- $useWildcard := false -}}
{{- if .Values.tenantWildcardHost -}}
  {{- if hasSuffix (printf ".%s" .Values.tenantWildcardHost) .Values.instance.domain -}}
    {{- $useWildcard = true -}}
  {{- end -}}
{{- end -}}

{{- if not $useWildcard }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "instance.fullname" . }}-tls
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  secretName: {{ include "instance.fullname" . }}-tls
  issuerRef:
    name: {{ .Values.ingress.certIssuer | default "letsencrypt-prod" }}
    kind: ClusterIssuer
  dnsNames:
    - {{ .Values.instance.domain }}
{{- end }}
---
# HTTP → HTTPS redirect. Browsers default a bare hostname to http://,
# but the only entrypoint serving Odoo is `websecure` — without this
# route plain-http requests fall through to Traefik's default backend
# and the user sees Traefik's "404 page not found" even though the
# instance is fully up. The Middleware lives in this same chart so a
# legacy cluster without a global redirect-to-https middleware works
# the same as a fresh one.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: {{ include "instance.fullname" . }}-redirect-https
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: {{ include "instance.fullname" . }}-http
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`{{ .Values.instance.domain }}`)
      kind: Rule
      middlewares:
        - name: {{ include "instance.fullname" . }}-redirect-https
      services:
        - name: {{ include "instance.fullname" . }}-odoo
          port: 8069
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: {{ include "instance.fullname" . }}
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  entryPoints:
    - {{ .Values.ingress.entryPoint }}
  routes:
    - match: Host(`{{ .Values.instance.domain }}`)
      kind: Rule
      services:
        - name: {{ include "instance.fullname" . }}-odoo
          port: 8069
  tls:
    secretName: {{ if $useWildcard }}{{ .Values.ingress.tlsSecret }}{{ else }}{{ include "instance.fullname" . }}-tls{{ end }}