Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Wiki Activity

feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop

Browse Source 
forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.

- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
  the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
  selector only matches single-label children, so it does NOT cover the two-label
  '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
  and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
  wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
  app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
  generateExisting:false + forte-drop ns already exists). Added to the overlay
  kustomization so ArgoCD manages it (the Application is prune+selfHeal).

This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.

Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
Sten
2026-06-09 16:49:15 +02:00
parent a70f078bbb
commit 44ae8e0da6
3 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

8
cluster-resources/letsencrypt-issuer.yaml
View File

@@ -25,6 +25,10 @@ spec:
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates
@@ -59,6 +63,10 @@ spec:
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates