
fix(azure): add cert-manager annotation for API ingress TLS#1008

Closed
beastawakens wants to merge 1 commit into master from azure-api-cert-annotation

Conversation

Collaborator

@beastawakens beastawakens commented Apr 15, 2026

What is the feature/update/fix?

Fix: cert-manager Annotation on Azure API Ingress for TLS

The Azure provider was missing the cert-manager.io/cluster-issuer annotation on the API ingress, unlike AWS, GCP, and DO providers. Without this annotation, cert-manager did not provision the api-certificate TLS secret, causing nginx to serve its default ingress.local certificate for api.<domain>.convox.cloud.

This fix adds the cert-manager.io/cluster-issuer = "letsencrypt" annotation to the Azure module "k8s" block in terraform/api/azure/main.tf, bringing Azure in line with all other providers.

Provider coverage:

| Provider | Has annotation? |
|----------|-----------------|
| AWS      | Yes (already present in terraform/api/aws/main.tf) |
| GCP      | Yes (already present in terraform/api/gcp/main.tf) |
| DO       | Yes (already present in terraform/api/do/main.tf) |
| Azure    | No → Yes (this fix) |

Without a valid certificate on the API endpoint, any client performing TLS verification against api.<domain>.convox.cloud would see an error like:

Authenticating api.<domain>.convox.cloud/myapp: Error response from daemon:
Get "https://api.<domain>.convox.cloud/v2/": tls: failed to verify certificate:
x509: certificate is valid for ingress.local, not api.<domain>.convox.cloud

This most visibly broke convox build --external, which requires Docker to authenticate against the API endpoint over TLS.


Why is this important?

The API endpoint is the front door for authenticated Convox operations, and several features depend on it presenting a valid, publicly trusted certificate. On Azure racks that never received this annotation, cert-manager never issued the api-certificate secret, so nginx fell back to its built-in ingress.local self-signed certificate. Clients that properly validate TLS — including the Docker daemon used by convox build --external — would reject the connection.

Benefits:

  • convox build --external works on Azure. Docker can now authenticate against api.<domain>.convox.cloud over a valid TLS connection, unblocking external builds on Azure racks.
  • Consistent TLS behavior across providers. Azure racks now provision the api-certificate secret via Let's Encrypt just like AWS, GCP, and DO racks.
  • Eliminates a silent misconfiguration. Previously, Azure users had no indication that the API certificate was not being issued until a TLS-validating client tried to connect.

Workaround for existing racks (no rack update required):

Existing Azure racks can be fixed in place by manually annotating the API ingress:

kubectl annotate ingress api-ing-v1 -n <rack-namespace> cert-manager.io/cluster-issuer=letsencrypt

cert-manager will then automatically provision the api-certificate secret via Let's Encrypt within roughly 30 seconds. Updating the rack to 3.24.4 applies the annotation automatically via Terraform.


Does it have a breaking change?

No breaking changes are introduced with this fix.

  • Scope is limited to the Azure provider — AWS, GCP, and DO racks are unaffected because they already had the annotation.
  • The change is purely additive: a single annotation on the existing API ingress.
  • No new rack parameters, no API changes, and no changes to user-facing configuration.
  • On rack update, cert-manager issues the api-certificate secret and nginx begins serving it — no manual intervention is required.

Requirements

This fix requires version 3.24.4 or later for the rack.

Update the Rack: Run convox rack update 3.24.4 -r rackName to update to this version.

Note that your rack must already be on at least version 3.23.0 before performing this update.

If you're unfamiliar with v3 rack versioning, we recommend reviewing the documentation on Updating a Rack before applying any updates.

The Azure provider was missing the cert-manager.io/cluster-issuer
annotation on the API ingress, unlike AWS, GCP, and DO providers.
Without this annotation, cert-manager does not provision the
api-certificate TLS secret, causing nginx to serve its default
ingress.local certificate. This breaks features like
'convox build --external' which requires Docker to authenticate
against the API endpoint over TLS.
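As an added example (not code from this PR or the Convox project), a small audit that reads the JSON from `kubectl get ingress -A -o json` and flags every TLS-bearing Ingress whose cert-manager issuer annotation is missing or unexpected, which is exactly the silent misconfiguration described above; the namespaces and domain in the embedded sample are constructed.

```python
"""Audit Ingress objects for the condition this PR fixes: an Ingress that
requests TLS (spec.tls) but carries no cert-manager issuer annotation, so the
secret it names is never issued and ingress-nginx serves its default
'ingress.local' certificate instead.

Input is the JSON from `kubectl get ingress -A -o json`; SAMPLE below is a
constructed stand-in for that output (namespaces and domain are made up)."""
import json
import sys

ISSUER_KEYS = ("cert-manager.io/cluster-issuer", "cert-manager.io/issuer")


def audit_ingresses(ingress_list, expected_issuer="letsencrypt"):
    """Return one finding dict per TLS-bearing Ingress whose issuer
    annotation is missing or differs from expected_issuer."""
    findings = []
    for item in ingress_list.get("items", []):
        meta = item.get("metadata", {})
        name, ns = meta.get("name", "?"), meta.get("namespace", "default")
        tls = item.get("spec", {}).get("tls") or []
        if not tls:
            continue  # plain HTTP ingress: nothing for cert-manager to issue
        ann = meta.get("annotations") or {}
        issuer = next((ann[k] for k in ISSUER_KEYS if k in ann), None)
        if issuer == expected_issuer:
            continue
        findings.append({
            "ingress": f"{ns}/{name}",
            "hosts": [h for entry in tls for h in entry.get("hosts", [])],
            "secrets": [e["secretName"] for e in tls if e.get("secretName")],
            "problem": "missing issuer annotation" if issuer is None
                       else f"issuer is {issuer!r}, expected {expected_issuer!r}",
            # Same in-place remediation the PR gives for existing racks.
            "fix": f"kubectl annotate ingress {name} -n {ns} "
                   f"cert-manager.io/cluster-issuer={expected_issuer}",
        })
    return findings


# Constructed sample: an un-annotated API ingress next to a correctly
# annotated one (namespace and domain names are invented).
SAMPLE = {"items": [
    {"metadata": {"name": "api-ing-v1", "namespace": "rack-azure", "annotations": {}},
     "spec": {"tls": [{"hosts": ["api.example.convox.cloud"],
                       "secretName": "api-certificate"}]}},
    {"metadata": {"name": "api-ing-v1", "namespace": "rack-aws",
                  "annotations": {"cert-manager.io/cluster-issuer": "letsencrypt"}},
     "spec": {"tls": [{"hosts": ["api.example.convox.cloud"],
                       "secretName": "api-certificate"}]}},
]}

if __name__ == "__main__":
    data = json.load(sys.stdin) if not sys.stdin.isatty() else SAMPLE
    for f in audit_ingresses(data):
        print(f"{f['ingress']}: {f['problem']} hosts={f['hosts']}\n  {f['fix']}")
```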