From dd48fd2c222ee8f8a9683fd2c0b3e8145e3f228e Mon Sep 17 00:00:00 2001
From: John Sell
Date: Thu, 23 Apr 2026 14:04:50 -0400
Subject: [PATCH] fix(deploy): use FQDN for SpiceDB endpoint in stage overlay

OpenShift service serving certificates have SANs for the full service DNS name (kartograph-spicedb.kartograph-stage.svc), not the short name. TLS cert verification fails with "Peer name kartograph-spicedb is not in peer certificate".

Co-Authored-By: Claude Opus 4.6 (1M context)
---
 deploy/apps/kartograph/overlays/stage/configmap-patch.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/deploy/apps/kartograph/overlays/stage/configmap-patch.yaml b/deploy/apps/kartograph/overlays/stage/configmap-patch.yaml
index cea89b3e9..25d12814a 100644
--- a/deploy/apps/kartograph/overlays/stage/configmap-patch.yaml
+++ b/deploy/apps/kartograph/overlays/stage/configmap-patch.yaml
@@ -4,6 +4,8 @@ metadata:
 name: kartograph-config
 data:
 # Stage-specific overrides (merged with base)
+ # FQDN required for TLS cert SAN matching (service cert issued for kartograph-spicedb.kartograph-stage.svc)
+ SPICEDB_ENDPOINT: "kartograph-spicedb.kartograph-stage.svc:50051"
 KARTOGRAPH_CORS_ORIGINS: "https://kartograph-stage.devshift.net,https://kartograph-dev-ui-kartograph-stage.apps.rosa.appsres09ue1.24ep.p3.openshiftapps.com"
 # Dev UI
 DEV_UI_API_BASE_URL: "https://kartograph-api-kartograph-stage.apps.rosa.appsres09ue1.24ep.p3.openshiftapps.com"
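Review bot: The added `SPICEDB_ENDPOINT` value hard-codes the namespace `kartograph-stage` inside a ConfigMap data string, so the host that TLS verification checks against the certificate SAN is now tied to a literal that nothing validates. Assuming this overlay is built with kustomize, its namespace transformer does not rewrite text inside `data:` values, so renaming or reusing the overlay in another namespace would bring back the "not in peer certificate" failure at runtime only. I would extend the comment above the key, e.g. `# Host must be <service>.<namespace>.svc for this overlay's namespace; kustomize does not rewrite ConfigMap data values`. The base value and any other overlays are outside this hunk; if they still use the short service name against a service-serving certificate they presumably need the same override, and the fix should remain a hostname correction, not a relaxation of certificate verification. The ConfigMap's header lines start outside the hunk.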