OK that took the whole morning, mostly getting the ingress controller to correctly serve #tls (I didn't realise that in addition to setting the host names and cert secret, I also needed to ensure that each named server has an explicit rules block otherwise nginx uses the catch-all rules and doesn't apply TLS).

So now, when I push my #gnustepweb app to main, #woodpeckerCI builds and pushes to #quayio and #argoCD pulls and deploys the app in my prod cluster.