Extends the pre-merge DNS gate to (optionally) scan live-cluster Certificates + IngressRoutes via kubectl.

Closes the coverage hole where a service's IngressRoute gets deployed from its own repo (not from bluejay-infra/apps/) and the manifests-only scan misses it. fc-retail/retail-web-tls stuck Issuing for 15h on a missing pfSense Unbound override was exactly this class of bug.

Auto mode: if kubectl is on PATH and usable, live-scan runs silently. --live forces it (and errors out if kubectl can't reach the cluster). --no-live skips live entirely (CI path with no cluster access).

Immediate live-scan finding on 2026-04-23: 10 orphan *.iamworkin.lan IngressRoutes from failed e2e / codex / smoke / deleteproof test runs in fc-php + fc-tenant-default (2026-04-16/17). None have DNS overrides, so their Certificates have been failing to issue for 7 days. The new CertManagerCertificateNotReady alert will catch them too. Cleanup (delete abandoned IngressRoutes + Certificates + CertificateRequests) is a separate task; this check now surfaces them.
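The live-scan behaviour the commit message describes (auto / --live / --no-live mode selection, extracting Host() rules from Traefik IngressRoutes, cross-checking them against the DNS override list, and listing Certificates whose Ready condition is not True) as an added, self-contained example. This is not the repository's own gate script: the resource name `ingressroutes.traefik.io`, the `kubectl cluster-info --request-timeout` reachability probe, the `.iamworkin.lan` suffix taken from the message, and the IngressRoute / Certificate JSON plus the override set embedded below are all constructed or assumed for illustration.

```python
"""Live-cluster DNS gate check: added example, not the project's own script."""
import json
import re
import shutil
import subprocess

# Traefik IngressRoute match rules look like: Host(`app.example.lan`) && PathPrefix(`/`)
HOST_RE = re.compile(r"Host\(`([^`]+)`\)")

# Constructed sample data shaped like `kubectl get ... -A -o json` items (not real cluster output).
SAMPLE_INGRESSROUTES = [
    {"metadata": {"namespace": "fc-retail", "name": "retail-web"},
     "spec": {"routes": [{"match": "Host(`retail.iamworkin.lan`) && PathPrefix(`/`)"}]}},
    {"metadata": {"namespace": "fc-php", "name": "e2e-run-7f3a"},   # hypothetical orphan test run
     "spec": {"routes": [{"match": "Host(`e2e-run-7f3a.iamworkin.lan`)"}]}},
]
SAMPLE_CERTIFICATES = [
    {"metadata": {"namespace": "fc-retail", "name": "retail-web-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "True"}]}},
    {"metadata": {"namespace": "fc-php", "name": "e2e-run-7f3a-tls"},
     "status": {"conditions": [{"type": "Ready", "status": "False", "reason": "DoesNotExist"}]}},
]
# Constructed stand-in for the pfSense Unbound host-override list (only the retail host exists).
SAMPLE_OVERRIDES = {"retail.iamworkin.lan"}


def resolve_mode(flag, kubectl_usable):
    """flag is None (auto), "live" or "no-live". Returns "live" or "skip".

    Auto runs live only when kubectl is usable; --live insists and fails loudly;
    --no-live always skips (CI without cluster access).
    """
    if flag == "no-live":
        return "skip"
    if flag == "live":
        if not kubectl_usable:
            raise RuntimeError("--live given but kubectl cannot reach the cluster")
        return "live"
    return "live" if kubectl_usable else "skip"


def kubectl_available(timeout="5s"):
    """True if kubectl is on PATH and the current context answers within the timeout."""
    if shutil.which("kubectl") is None:
        return False
    proc = subprocess.run(["kubectl", "cluster-info", f"--request-timeout={timeout}"],
                          capture_output=True)
    return proc.returncode == 0


def kubectl_get_json(resource):
    """Fetch all namespaces' objects of one resource kind as parsed JSON items."""
    out = subprocess.check_output(["kubectl", "get", resource, "-A", "-o", "json"])
    return json.loads(out)["items"]


def ingressroute_hosts(items):
    """Return (namespace, name, host) for every Host() rule in every IngressRoute."""
    found = []
    for item in items:
        meta = item["metadata"]
        for route in item.get("spec", {}).get("routes", []):
            for host in HOST_RE.findall(route.get("match", "")):
                found.append((meta["namespace"], meta["name"], host))
    return found


def find_orphans(ir_items, overrides, suffix):
    """Hosts under the internal suffix that have no DNS override: cert issuance cannot succeed."""
    lowered = {h.lower() for h in overrides}
    return [(ns, name, host) for ns, name, host in ingressroute_hosts(ir_items)
            if host.lower().endswith(suffix) and host.lower() not in lowered]


def not_ready_certificates(cert_items):
    """Map 'ns/name' -> reason for every Certificate whose Ready condition is not True."""
    result = {}
    for item in cert_items:
        meta = item["metadata"]
        conds = item.get("status", {}).get("conditions", [])
        ready = next((c for c in conds if c.get("type") == "Ready"), None)
        if ready is None or ready.get("status") != "True":
            result[f"{meta['namespace']}/{meta['name']}"] = (ready or {}).get("reason", "NoReadyCondition")
    return result


def report(ir_items, cert_items, overrides, suffix=".iamworkin.lan"):
    """Human-readable findings; empty list means the gate passes."""
    lines = [f"orphan IngressRoute {ns}/{name}: {host} has no DNS override"
             for ns, name, host in find_orphans(ir_items, overrides, suffix)]
    lines += [f"Certificate {key} not Ready ({reason})"
              for key, reason in not_ready_certificates(cert_items).items()]
    return lines


if __name__ == "__main__":
    # Runs against the constructed sample so it works with no cluster; swap in
    # kubectl_get_json("ingressroutes.traefik.io") / kubectl_get_json("certificates.cert-manager.io")
    # and your real override list when resolve_mode(...) returns "live".
    for line in report(SAMPLE_INGRESSROUTES, SAMPLE_CERTIFICATES, SAMPLE_OVERRIDES):
        print(line)
```

The override set is deliberately an input rather than something the script resolves over DNS: a pre-merge gate that queries the resolver would pass for a host that happens to resolve via a stale cache and fail for one whose override is in the PR but not yet applied, so comparing against the declared override list is what makes the check deterministic.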