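---
# cert-manager Certificate requesting one wildcard TLS certificate for
# *.apilab.us. The manifest is laid out one key per line: collapsed onto a
# single line, the first inline "#" turns everything after it (including
# spec) into a comment, so the resource is not valid.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: apilab-wildcard
  # Keep it with authentik if that's controlling your routes.
  # Secrets are namespace-scoped: the TLS secret below is created in this
  # namespace, and only objects in this namespace can reference it directly.
  namespace: authentik
spec:
  # Single secret for all apps.
  # It holds the private key for every host under *.apilab.us, so anyone
  # with get/list on Secrets in this namespace can impersonate any of those
  # hosts. Restrict Secret read access in the namespace accordingly.
  secretName: apilab-wildcard-tls
  issuerRef:
    kind: ClusterIssuer
    # Issuer definition is not shown here. The name suggests ACME DNS-01 via
    # Cloudflare, which is what a wildcard name needs from Let's Encrypt.
    # NOTE(review): confirm its API token is limited to DNS edits on this zone.
    name: letsencrypt-dns01-cloudflare
  dnsNames:
    # Quoted because a leading "*" would otherwise be read as a YAML alias.
    # Matches one label only: not the apex apilab.us, and not a.b.apilab.us.
    - "*.apilab.us"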