forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.
- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
selector only matches single-label children, so it does NOT cover the two-label
'*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
generateExisting:false + forte-drop ns already exists). Added to the overlay
kustomization so ArgoCD manages it (the Application is prune+selfHeal).
This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.
Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
