From 6e22f75eb86a81f04b528c4e745a2f2b7d4a727e Mon Sep 17 00:00:00 2001
From: Kanwar Ujjaval Singh <4216199+kanwarujjaval@users.noreply.github.com>
Date: Fri, 8 May 2026 00:35:25 +0530
Subject: [PATCH] =?UTF-8?q?=20disable=20HTTP=E2=86=92HTTPS=20redirect=20fo?=
 =?UTF-8?q?r=20cert-manager=20HTTP-01?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 charts/countly-web-ui-canary/templates/_helpers.tpl | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/charts/countly-web-ui-canary/templates/_helpers.tpl b/charts/countly-web-ui-canary/templates/_helpers.tpl
index 426f42c..b7eae73 100644
--- a/charts/countly-web-ui-canary/templates/_helpers.tpl
+++ b/charts/countly-web-ui-canary/templates/_helpers.tpl
@@ -52,6 +52,12 @@ nginx.org/proxy-buffering: "True"
 nginx.org/proxy-read-timeout: "120s"
 nginx.org/proxy-send-timeout: "120s"
 nginx.org/keepalive: "256"
+# Disable HTTP→HTTPS redirect: cert-manager's HTTP-01 self-check fails when
+# F5 NIC's default-on redirect short-circuits the ACME challenge GET to HTTPS
+# while the host has no cert yet (chicken-and-egg). With this off, the canary
+# is reachable on HTTP first; once the cert issues, browsers navigating
+# directly to https:// still get TLS.
+nginx.org/redirect-to-https: "false"
 {{- with .Values.ingress.annotations }}
 {{ toYaml . }}
 {{- end }}