Countly · kanwarujjaval · May 8, 2026 · May 8, 2026
diff --git a/argocd/countly-hosted/applicationsets/07-canary-cert-issuer.yaml b/argocd/countly-hosted/applicationsets/07-canary-cert-issuer.yaml
diff --git a/charts/countly-web-ui-canary/templates/certificate.yaml b/charts/countly-web-ui-canary/templates/certificate.yaml
diff --git a/charts/countly-web-ui-canary/templates/ingress.yaml b/charts/countly-web-ui-canary/templates/ingress.yaml
@@ -3,7 +3,6 @@
 {{- $apiPort := .Values.backend.ports.api | int -}}
 {{- $ingestorPort := .Values.backend.ports.ingestor | int -}}
 {{- $jobserverPort := .Values.backend.ports.jobserver | int -}}
-{{- $tlsSecret := printf "%s-tls" $fullname -}}
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -12,17 +11,16 @@ metadata:
   labels:
     {{- include "canary.labels" . | nindent 4 }}
   annotations:
-    # No cert-manager annotations here — the Certificate is managed explicitly
-    # by templates/certificate.yaml so we can set issue-temporary-certificate.
-    # ingress-shim in cert-manager v1.17 doesn't propagate that annotation from
-    # Ingress to Certificate, so chart owns the Certificate directly.
+    # No TLS on canaries: F5 NIC's hardcoded HTTP→HTTPS redirect plus its
+    # mergeable-ingress requirement (master/minion annotations on both the
+    # canary Ingress and cert-manager's solver Ingress) make HTTP-01 unworkable
+    # without splitting the canary Ingress into master/minion or setting up
+    # DNS-01 with Cloud DNS IAM. Canaries are dev-only previews; serving
+    # http:// is acceptable here. Switch back to TLS once a wildcard cert
+    # for *.v2.count.ly is provisioned (DNS-01 wildcard or external cert).
     {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
-  tls:
-    - hosts:
-        - {{ include "canary.hostname" . | quote }}
-      secretName: {{ $tlsSecret | quote }}
   rules:
     - host: {{ include "canary.hostname" . | quote }}
       http:

diff --git a/charts/countly-web-ui-canary/values.yaml b/charts/countly-web-ui-canary/values.yaml
@@ -22,12 +22,11 @@ backend:
 
 ingress:
   className: nginx
-  tls:
-    # cert-manager auto-provisions a per-canary Let's Encrypt cert via HTTP-01.
-    # Each canary gets its own Secret named canary-ui-<slug>-tls (created by cert-manager
-    # on first sync; ~30s ACME delay). The ClusterIssuer must be installed once on v2-new
-    # (see countly-deployment/argocd/bootstrap/letsencrypt-clusterissuer.yaml).
-    clusterIssuer: letsencrypt-prod-http01
+  # No TLS for canaries (HTTP-only). Canaries are dev-only previews; F5 NIC
+  # mergeable-ingress requirements make per-canary HTTP-01 unworkable without
+  # significant chart restructuring. To re-enable TLS later, provision a
+  # wildcard cert for *.v2.count.ly (DNS-01 ClusterIssuer or external) and
+  # add a tls section back to templates/ingress.yaml referencing the shared Secret.
   annotations: {}
 
 resources: