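{{- /*
TLS source resolution:

- If the instance domain is COVERED by the tenant's shared wildcard cert
  (the instance domain is exactly one DNS label below `tenantWildcardHost`,
  e.g. `foo.tenants.4th.online` when the wildcard is `*.tenants.4th.online`),
  we reuse the existing wildcard Secret — no new cert to issue.
  A wildcard certificate matches a single label only, so a deeper name such
  as `a.b.tenants.4th.online` is NOT covered and takes the per-host path
  below (reusing the wildcard Secret there would serve a non-matching cert).
- Otherwise (multi-domain tenants deploying on a domain outside their
  wildcard zone, e.g. `app.havari.me` when wildcard is
  `*.tenants.4th.online`), cert-manager issues a per-host Let's Encrypt
  cert via DNS-01. The IngressRoute references that cert's Secret instead.

This logic lives at template render time so a single chart serves both
shapes — operators don't have to think about "which TLS mode am I in".

`tenantWildcardHost` is set by Tower per-instance from the tenant's
settings (the suffix of the wildcard pattern, without the `*.`).
Empty (legacy / no wildcard configured) → always per-host.

`instance.domain` is always required. `ingress.tlsSecret` is required
only in wildcard mode: an empty `secretName` would not fail the render,
it would leave Traefik to fall back to its default certificate, which is
the failure we want to surface at install time instead.
*/}}
{{- $domain := required "instance.domain must be set" .Values.instance.domain -}}
{{- $useWildcard := false -}}
{{- if .Values.tenantWildcardHost -}}
{{- $suffix := printf ".%s" .Values.tenantWildcardHost -}}
{{- if hasSuffix $suffix $domain -}}
{{- /* Wildcards cover one label: the remainder must be non-empty and dot-free. */ -}}
{{- $label := trimSuffix $suffix $domain -}}
{{- if and $label (not (contains "." $label)) -}}
{{- $useWildcard = true -}}
{{- end -}}
{{- end -}}
{{- end -}}
{{- if not $useWildcard }}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: {{ include "instance.fullname" . }}-tls
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  secretName: {{ include "instance.fullname" . }}-tls
  issuerRef:
    name: {{ .Values.ingress.certIssuer | default "letsencrypt-prod" }}
    kind: ClusterIssuer
  dnsNames:
    # Quoted so a domain that happens to look like a number/boolean stays a string.
    - {{ $domain | quote }}
{{- end }}
---
# HTTP → HTTPS redirect lives at the cluster's Traefik entrypoint
# config (cluster-platform-v3 chart, `traefik.ports.web.redirectTo`)
# — every cluster's `web` entrypoint redirects port 80 → 443
# uniformly, before any IngressRoute matching runs. Per-instance
# redirect is redundant and intentionally NOT defined here.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: {{ include "instance.fullname" . }}
  labels:
    {{- include "instance.labels" . | nindent 4 }}
spec:
  entryPoints:
    - {{ .Values.ingress.entryPoint }}
  routes:
    - match: Host(`{{ $domain }}`)
      kind: Rule
      services:
        - name: {{ include "instance.fullname" . }}-odoo
          port: 8069
  tls:
    # Wildcard mode points at the tenant's shared Secret; per-host mode at the
    # Certificate issued above. Both names must resolve to an existing Secret.
    secretName: {{ if $useWildcard }}{{ required "ingress.tlsSecret must be set when tenantWildcardHost covers instance.domain" .Values.ingress.tlsSecret }}{{ else }}{{ include "instance.fullname" . }}-tls{{ end }}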