enable optional TLS for canaries with configurable secret

argocd/countly-hosted/applications/07-v2-new-tls.yaml

@@ -0,0 +1,62 @@
+# ApplicationSet that deploys the cert-manager bootstrap manifests
+# (selfsigned Issuer + internal CA + wildcard Cert) for v2-new's canaries.
+#
+# Layout split (mirrors all other AppSets in this dir):
+#   - manifests:    countly-deployment/argocd/bootstrap/v2-new-tls/
+#   - cluster info: countly-deployment/customers/v2-new.yaml  (server URL, project)
+#   - this wrapper: helm/argocd/countly-hosted/applications/07-v2-new-tls.yaml
+#
+# Single-file generator on customers/v2-new.yaml restricts deployment to
+# v2-new only — TLS bootstrap can't land on any other cluster. The server
+# URL and project come from that customer file, so rotating either does
+# not require touching this AppSet.
+#
+# All resources created here live in the countly namespace
+# (Issuer, Certificate). No cluster-scoped objects.
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: v2-new-canary-tls
+  namespace: argocd
+  labels:
+    app.kubernetes.io/part-of: countly
+    app.kubernetes.io/component: canary-tls
+spec:
+  goTemplate: true
+  goTemplateOptions: ["missingkey=error"]
+  generators:
+    - git:
+        repoURL: https://github.com/Countly/countly-deployment.git
+        revision: main
+        files:
+          - path: customers/v2-new.yaml
+  template:
+    metadata:
+      name: '{{ .customer }}-canary-tls'
+      labels:
+        app.kubernetes.io/part-of: countly
+        app.kubernetes.io/component: canary-tls
+    spec:
+      project: '{{ .project }}'
+      source:
+        repoURL: https://github.com/Countly/countly-deployment.git
+        targetRevision: main
+        path: argocd/bootstrap/v2-new-tls
+        directory:
+          recurse: false
+      destination:
+        server: '{{ .server }}'
+        namespace: countly
+      syncPolicy:
+        automated:
+          prune: true
+          selfHeal: true
+        syncOptions:
+          - CreateNamespace=false
+          - ServerSideApply=true
+        retry:
+          limit: 5
+          backoff:
+            duration: 10s
+            factor: 2
+            maxDuration: 2m

argocd/countly-hosted/applicationsets/06-canary-web-ui.yaml

@@ -1,24 +1,23 @@
 # ApplicationSet that creates one ArgoCD Application per countly-web-ui canary.
 #
 # Layout split:
-#   - chart: helm/charts/countly-web-ui-canary/                 (this repo)
-#   - per-canary values: countly-deployment/argocd/canaries/<slug>/values.yaml
-#   - cert-manager bootstrap App + ClusterIssuer: countly-deployment/argocd/{applications,bootstrap}/
+#   - chart:               helm/charts/countly-web-ui-canary/         (this repo)
+#   - per-canary values:   countly-deployment/argocd/canaries/<slug>/values.yaml
+#   - cluster (server URL, project): countly-deployment/customers/v2-new.yaml
 #
-# This file lives in helm/ because the root `countly-bootstrap` Application
-# (helm/argocd/root-application.yaml) auto-syncs everything in helm/argocd/.
-# Putting it here means the ApplicationSet is git-discovered without any
-# ArgoCD UI step.
+# This file lives in helm/ because the root countly-hosted-bootstrap App
+# recursively syncs helm/argocd/countly-hosted/. Putting it here means the
+# ApplicationSet is git-discovered without any ArgoCD UI step.
 #
-# Generator: scans countly-deployment/argocd/canaries/*/values.yaml and
-# produces one Application per file. Pipeline B (countly-web-ui's
-# canary-build-deploy.yml) writes/deletes those files.
+# Generator: matrix of two git generators —
+#   1. customers/v2-new.yaml — produces {{ .server }}, {{ .project }}, etc.
+#      pathParamPrefix=customer so its `path` becomes .customerPath.* and
+#      doesn't collide with the canary path below.
+#   2. argocd/canaries/*/values.yaml — one entry per canary; provides
+#      .path.basename (the canary slug) plus the per-canary values.
 #
-# Sources (multi-source): the chart comes from helm.git, the per-canary
-# values file comes from countly-deployment.git via the $values alias.
-#
-# Destination: hardcoded to v2-new (https://34.62.8.139). No matrix or
-# cluster fan-out — canaries can never land on other clusters.
+# Restricting to v2-new is by explicit single-file generator (customers/v2-new.yaml)
+# rather than a customers/*.yaml glob, because canaries never land on other clusters.
 apiVersion: argoproj.io/v1alpha1
 kind: ApplicationSet
 metadata:
@@ -31,11 +30,19 @@ spec:
   goTemplate: true
   goTemplateOptions: ["missingkey=error"]
   generators:
-    - git:
-        repoURL: https://github.com/Countly/countly-deployment.git
-        revision: main
-        files:
-          - path: argocd/canaries/*/values.yaml
+    - matrix:
+        generators:
+          - git:
+              repoURL: https://github.com/Countly/countly-deployment.git
+              revision: main
+              files:
+                - path: customers/v2-new.yaml
+              pathParamPrefix: customer
+          - git:
+              repoURL: https://github.com/Countly/countly-deployment.git
+              revision: main
+              files:
+                - path: argocd/canaries/*/values.yaml
   template:
     metadata:
       name: 'canary-ui-{{ .path.basename }}'
@@ -44,7 +51,7 @@ spec:
         app.kubernetes.io/component: canary-web-ui
         countly.io/canary: '{{ .path.basename }}'
     spec:
-      project: countly-customers
+      project: '{{ .project }}'
       sources:
         - repoURL: https://github.com/Countly/helm.git
           targetRevision: main
@@ -56,11 +63,14 @@ spec:
             values: |
               imagePullSecrets:
                 - name: countly-registry
+              ingress:
+                tls:
+                  secretName: v2-count-ly-wildcard-tls
         - repoURL: https://github.com/Countly/countly-deployment.git
           targetRevision: main
           ref: values
       destination:
-        server: https://34.62.8.139
+        server: '{{ .server }}'
         namespace: countly
       syncPolicy:
         automated:

charts/countly-web-ui-canary/templates/ingress.yaml

@@ -11,16 +11,17 @@ metadata:
   labels:
     {{- include "canary.labels" . | nindent 4 }}
   annotations:
-    # No TLS on canaries: F5 NIC's hardcoded HTTP→HTTPS redirect plus its
-    # mergeable-ingress requirement (master/minion annotations on both the
-    # canary Ingress and cert-manager's solver Ingress) make HTTP-01 unworkable
-    # without splitting the canary Ingress into master/minion or setting up
-    # DNS-01 with Cloud DNS IAM. Canaries are dev-only previews; serving
-    # http:// is acceptable here. Switch back to TLS once a wildcard cert
-    # for *.v2.count.ly is provisioned (DNS-01 wildcard or external cert).
     {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- with .Values.ingress.tls }}
+  {{- if .secretName }}
+  tls:
+    - hosts:
+        - {{ include "canary.hostname" $ | quote }}
+      secretName: {{ .secretName | quote }}
+  {{- end }}
+  {{- end }}
   rules:
     - host: {{ include "canary.hostname" . | quote }}
       http:

charts/countly-web-ui-canary/values.yaml

@@ -24,12 +24,11 @@ backend:
 
 ingress:
   className: nginx
-  # No TLS for canaries (HTTP-only). Canaries are dev-only previews; F5 NIC
-  # mergeable-ingress requirements make per-canary HTTP-01 unworkable without
-  # significant chart restructuring. To re-enable TLS later, provision a
-  # wildcard cert for *.v2.count.ly (DNS-01 ClusterIssuer or external) and
-  # add a tls section back to templates/ingress.yaml referencing the shared Secret.
   annotations: {}
+  # TLS off by default — chart stays generic. Cluster-specific override
+  # comes via ApplicationSet helm.values (see canary-web-ui ApplicationSet).
+  tls: {}
+    # secretName: <wildcard-tls-secret-name>   # set per cluster
 
 resources:
   requests: