Countly · kanwarujjaval · May 9, 2026 · May 9, 2026 · May 9, 2026
diff --git a/charts/countly-web-ui-canary/templates/certificate.yaml b/charts/countly-web-ui-canary/templates/certificate.yaml
@@ -1,10 +1,7 @@
-{{- if eq .Values.ingress.mode "acmeMergeable" -}}
+{{- $issuer := .Values.ingress.tls.issuerRef -}}
+{{- if $issuer.name -}}
 {{- $fullname := include "canary.fullname" . -}}
 {{- $hostname := include "canary.hostname" . -}}
-{{- $issuer := .Values.ingress.tls.issuerRef -}}
-{{- if not $issuer.name -}}
-{{- fail "ingress.tls.issuerRef.name is required when ingress.mode=acmeMergeable" -}}
-{{- end -}}
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:

diff --git a/charts/countly-web-ui-canary/templates/ingress-master.yaml b/charts/countly-web-ui-canary/templates/ingress-master.yaml
@@ -1,4 +1,3 @@
-{{- if eq .Values.ingress.mode "acmeMergeable" -}}
 {{- $fullname := include "canary.fullname" . -}}
 {{- $hostname := include "canary.hostname" . -}}
 apiVersion: networking.k8s.io/v1
@@ -23,10 +22,11 @@ metadata:
     {{- include "canary.ingressAnnotations" . | nindent 4 }}
 spec:
   ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls.issuerRef.name }}
   tls:
     - hosts:
         - {{ $hostname | quote }}
       secretName: {{ $fullname }}-tls
+  {{- end }}
   rules:
     - host: {{ $hostname | quote }}
-{{- end }}
diff --git a/charts/countly-web-ui-canary/templates/ingress-minion.yaml b/charts/countly-web-ui-canary/templates/ingress-minion.yaml
@@ -1,4 +1,3 @@
-{{- if eq .Values.ingress.mode "acmeMergeable" -}}
 {{- $fullname := include "canary.fullname" . -}}
 {{- $hostname := include "canary.hostname" . -}}
 {{- $stable := .Values.backend.release -}}
@@ -62,4 +61,3 @@ spec:
           - path: /
             pathType: Prefix
             backend: { service: { name: {{ $fullname }}, port: { number: 80 } } }
-{{- end }}
diff --git a/charts/countly-web-ui-canary/templates/ingress.yaml b/charts/countly-web-ui-canary/templates/ingress.yaml
diff --git a/charts/countly-web-ui-canary/values.yaml b/charts/countly-web-ui-canary/values.yaml
@@ -26,22 +26,11 @@ ingress:
   className: nginx
   annotations: {}
 
-  # Two TLS strategies, mutually exclusive:
-  #   sharedSecret  — point at a pre-existing wildcard Secret (Flavor B).
-  #                   Single Ingress, references tls.secretName.
-  #   acmeMergeable — per-canary LE cert via cert-manager + F5 mergeable
-  #                   Ingress (master + minion + Certificate).
-  # Default keeps the cluster on its current TLS path so a chart-only
-  # change is always a no-op until the AppSet flips this.
-  mode: sharedSecret
-
+  # TLS: per-canary public cert via Let's Encrypt + cert-manager, served
+  # through F5 NIC mergeable Ingress (master + minion + Certificate). The
+  # ClusterIssuer is supplied per-cluster from the canary-web-ui
+  # ApplicationSet's helm.values, not from this chart default.
   tls:
-    # sharedSecret mode — name of the pre-existing wildcard Secret in the
-    # canary's namespace. Required when mode=sharedSecret.
-    secretName: ""
-
-    # acmeMergeable mode — ClusterIssuer (or Issuer) cert-manager uses to
-    # issue the per-canary Certificate. Required when mode=acmeMergeable.
     issuerRef:
       kind: ClusterIssuer
       name: ""