fix(forte-drop): drop apex SAN, use dnsZones in issuer selector

- Apex drop.forteapps.net already gets its own cert from the forteapp chart (forte-drop-tls); the SAN on the wildcard cert was redundant. - cert-manager selector.dnsNames matches exact FQDNs (no wildcard expansion), so the enumerated list is replaced by dnsZones: [forteapps.net], covering apex + all subdomains. Refs #22 Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-12 09:24:22 +02:00
parent fcd8f99a52
commit fcf187e903
2 changed files with 30 additions and 23 deletions
@@ -24,12 +24,15 @@ spec:
            name: azuredns-config
            key: client-secret
      selector:
-        dnsNames:
-        # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
-        # so the per-drop subdomain wildcard needs its own selector entry.
-        - '*.drop.forteapps.net'
-        - 'drop.forteapps.net'
-        - '*.forteapps.net'
+        # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
+        # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
+        # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
+        # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
+        # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
+        # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
+        # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
+        # to match fall through to the http01 solver below.
+        dnsZones:
        - 'forteapps.net'
    # HTTP-01 fallback for non-wildcard certificates
    - http01:
@@ -62,12 +65,15 @@ spec:
            name: azuredns-config
            key: client-secret
      selector:
-        dnsNames:
-        # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
-        # so the per-drop subdomain wildcard needs its own selector entry.
-        - '*.drop.forteapps.net'
-        - 'drop.forteapps.net'
-        - '*.forteapps.net'
+        # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
+        # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
+        # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
+        # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
+        # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
+        # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
+        # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
+        # to match fall through to the http01 solver below.
+        dnsZones:
        - 'forteapps.net'
    # HTTP-01 fallback for non-wildcard certificates
    - http01: