v0.42.1: wildcard cert via controller route (entrypoint domains don't issue)

Empirically (staging on 9201): traefik v3 issues a cert from a router-level
tls.domains but NOT from the entrypoint http.tls.domains. So the wildcard moves
to RenderControllerRoute (the always-present anchor): when DNS-01 ACME is
configured it carries tls.certResolver+domains *.<domain>+apex, and every other
router serves that wildcard by SNI (no per-app labels). Reverts v0.42.0's dead
entrypoint-domains + TraefikData.Domain.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

controller/internal/stacks/infra.go

@@ -92,7 +92,6 @@ func (m *Manager) ensureTraefik(dir string) error {
 		return fmt.Errorf("chmod acme.json: %w", err)
 	}
 	files, err := infra.RenderTraefik(infra.TraefikData{
-		Domain:     m.cfg.Customer.Domain,
 		ACMEEmail:  m.cfg.Customer.Email,
 		CFAPIToken: m.cfg.Infrastructure.CFAPIToken,
 	})
@@ -170,7 +169,9 @@ func (m *Manager) wireController(traefikDir string) error {
 		return fmt.Errorf("mkdir dynamic: %w", err)
 	}
 	routePath := filepath.Join(dynDir, "controller.yml")
-	want := infra.RenderControllerRoute(domain)
+	// DNS-01 ACME configured (CF token + email) → this route anchors wildcard proactive issuance.
+	wildcardTLS := m.cfg.Infrastructure.CFAPIToken != "" && m.cfg.Customer.Email != ""
+	want := infra.RenderControllerRoute(domain, wildcardTLS)
 	if cur, err := os.ReadFile(routePath); err != nil || string(cur) != want {
 		if err := os.WriteFile(routePath, []byte(want), 0o644); err != nil {
 			return fmt.Errorf("write controller route: %w", err)