Implement wildcard certificate

[clofour]

No description provided.

[coderabbitai]

Important

Review skipped

Auto incremental reviews are disabled on this repository.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 45882906-7328-495f-a157-85dd3addee09

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

Walkthrough

The changes shift certificate provisioning from HTTP01 ingress-based validation to DNS01 DigitalOcean DNS provider validation. A new wildcard-certificate Helm chart is introduced to manage certificate generation, external-dns is removed, the reflector Helm chart is added, and the DigitalOcean DNS secret configuration is reorganized.

Changes

Cohort / File(s)	Summary
ClusterIssuer ACME Configuration helm/cluster-issuer/chart/templates/cluster-issuer.yaml, helm/cluster-issuer/chart/values.yaml	Replaced HTTP01 solver using ingress with DNS01 solver using DigitalOcean provider; updated values from ingressClass to secretName and secretKey for DigitalOcean secret reference.
Wildcard Certificate Helm Chart helm/wildcard-certificate/chart/.helmignore, helm/wildcard-certificate/chart/Chart.yaml, helm/wildcard-certificate/chart/templates/_helpers.tpl, helm/wildcard-certificate/chart/templates/wildcard-certificate.yaml, helm/wildcard-certificate/chart/values.yaml, helm/wildcard-certificate/values.yaml	Created new Helm chart to manage cert-manager Certificate resource generation with support for wildcard domains, namespace reflection, and parameterized domain/issuer configuration.
GitLab TLS Configuration helm/gitlab/values.yaml	Changed ingress TLS from cert-manager cluster issuer annotation to direct secret name reference (wildcard-certificate).
Terraform DNS Records terraform/dns.tf	Expanded DigitalOcean DNS records from single gitlab_host to include registry_host via for_each iteration; renamed resource from digitalocean_record.gitlab to digitalocean_record.main.
Terraform Helm Releases terraform/helm.tf	Removed external-dns Helm release; added reflector chart (v10.0.35) in kube-system namespace; added wildcard-certificate local chart with domain/namespace reflection values; updated gitlab release dependency from digitalocean_record.gitlab to digitalocean_record.main.
Terraform Kubernetes Resources terraform/kubernetes.tf	Removed external-dns namespace resource; renamed and relocated DigitalOcean DNS secret from external-dns namespace to cert-manager namespace; updated secret metadata names accordingly.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

• Bug fixes and improvements #5 — Modifies cluster-issuer Helm chart and DigitalOcean DNS secret configuration with overlapping changes to template/values structure.
• Implement ingress-nginx and cert-manager #3 — Updates ACME solver configuration in ClusterIssuer, which this PR replaces with DNS01 provider approach.
• Implement GitLab and add terraform-validate action #2 — Modifies GitLab Helm values TLS and Terraform Helm release wiring that align with the infrastructure changes in this PR.

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	❓ Inconclusive	No pull request description was provided by the author, making it impossible to assess relevance to the changeset.	Provide a pull request description explaining the context, motivation, and key changes of the wildcard certificate implementation.

✅ Passed checks (2 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title 'Implement wildcard certificate' directly and clearly reflects the main objective of the PR, which is to introduce a new wildcard certificate Helm chart and configure cert-manager to use it.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[clofour]

@coderabbitai review

[coderabbitai]

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

[coderabbitai]

Actionable comments posted: 11

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: dc63e211-8917-4eb8-8b10-bfc4594dd49d

📥 Commits

Reviewing files that changed from the base of the PR and between b03a56f and dd13962.

📒 Files selected for processing (12)

• helm/cluster-issuer/chart/templates/cluster-issuer.yaml
• helm/cluster-issuer/chart/values.yaml
• helm/gitlab/values.yaml
• helm/wildcard-certificate/chart/.helmignore
• helm/wildcard-certificate/chart/Chart.yaml
• helm/wildcard-certificate/chart/templates/_helpers.tpl
• helm/wildcard-certificate/chart/templates/wildcard-certificate.yaml
• helm/wildcard-certificate/chart/values.yaml
• helm/wildcard-certificate/values.yaml
• terraform/dns.tf
• terraform/helm.tf
• terraform/kubernetes.tf

📜 Review details

🧰 Additional context used

🪛 YAMLlint (1.38.0)

helm/cluster-issuer/chart/templates/cluster-issuer.yaml

[error] 15-15: too many spaces inside braces

(braces)

---

[error] 15-15: too many spaces inside braces

(braces)

---

[error] 16-16: too many spaces inside braces

(braces)

---

[error] 16-16: too many spaces inside braces

(braces)

helm/wildcard-certificate/chart/templates/wildcard-certificate.yaml

[error] 4-4: too many spaces inside braces

(braces)

---

[error] 4-4: too many spaces inside braces

(braces)

---

[error] 5-5: too many spaces inside braces

(braces)

---

[error] 5-5: too many spaces inside braces

(braces)

---

[error] 7-7: too many spaces inside braces

(braces)

---

[error] 7-7: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 9-9: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

---

[error] 11-11: too many spaces inside braces

(braces)

---

[error] 13-13: too many spaces inside braces

(braces)

---

[error] 13-13: too many spaces inside braces

(braces)

---

[error] 18-18: syntax error: could not find expected ':'

(syntax)

🔇 Additional comments (1)

helm/cluster-issuer/chart/templates/cluster-issuer.yaml (1)

12-16: DNS-01 solver wiring looks correct; yamllint brace warnings are false positives for Helm templates.

Cross-checked against terraform/kubernetes.tf (kubernetes_secret_v1.do_dns_secret in the cert-manager namespace with key password) and helm/cluster-issuer/chart/values.yaml — the tokenSecretRef resolves to the correct secret/key. cert-manager requires the DO token secret to live in the same namespace as cert-manager itself (not the ClusterIssuer), and Terraform places it there.

Two small considerations worth confirming:

1. No selector is set on the solver, so this DNS-01 config applies to all certificates using this issuer. That's fine for a single-tenant cluster but will need scoping if you later add HTTP-01 for other domains.
2. The yamllint "too many spaces inside braces" errors on lines 15-16 are noise from yamllint not understanding Go template syntax — no action needed.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

secretKey: password is misleading for a DigitalOcean API token.

The value being stored is a DigitalOcean PAT (var.do_dns_token, marked sensitive in terraform/variables.tf), not a password. Using password as the key works functionally but is confusing during on-call debugging and in logs. Consider access-token (cert-manager convention for the DO webhook) to match typical examples:

Proposed rename

-secretName: do-dns-secret
-secretKey: password
+secretName: do-dns-secret
+secretKey: access-token

Corresponding change in terraform/kubernetes.tf:

   data = {
-    password = var.do_dns_token
+    access-token = var.do_dns_token
   }

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

appVersion: "1.16.0" looks like it was left over from helm create.

This chart packages a cert-manager Certificate resource — there is no "application" version 1.16.0 being deployed. Consider aligning appVersion with version (0.1.0) or with the cert-manager API version this chart targets, to avoid misleading the app.kubernetes.io/version label should you ever wire up the helpers in _helpers.tpl.

[coderabbitai]

🧹 Nitpick | 🔵 Trivial

Remove the commented-out external_dns namespace block.

With helm_release.external_dns and this namespace both commented out — and helm/external-dns/values.yaml still referencing the old external-dns-do-secret name — the external-dns surface is fully dead. Prefer deleting rather than leaving it commented; git history preserves it if you need to restore. Otherwise the next person has to reason about stale wiring (e.g., the secret-name drift) that no longer exists.