merge

forte-drop, forte-drop-mcp and forte-drop-postgresql lived under apps/base/
but were only ever wired into the upc-dev overlay (never listed in
apps/base/kustomization.yaml). They carry hackathon-domain hardcoded values
and must not sync to upc-prod, so they belong in the overlay alongside
dbunk-demo — per danijel.simeunovic's review on PR #18.

- git mv the three dirs into apps/overlays/upc-dev/ (history preserved)
- rewrite overlay kustomization refs from ../../base/forte-drop* to local
- repoint forte-drop-postgresql Application path
  apps/base/... -> apps/overlays/upc-dev/forte-drop-postgresql/resources

Render-verified: kubectl kustomize apps/overlays/upc-dev differs only by the
postgres path line; apps/overlays/upc-prod render byte-identical (forte-drop
never reaches prod).

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>

apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml

@@ -1,39 +0,0 @@
-# Wildcard routing for per-slug forte drops: <slug>.drop.forteapps.net -> the forte-drop
-# web pod. The forteapp chart only emits a single exact Host(`drop.forteapps.net`) route
-# (the apex: admin + /api + public /shared drops), so this ADDITIVE IngressRoute adds the
-# wildcard. Kept in launchpad (forte-drop-specific) rather than the shared forteapp chart.
-#
-# It targets the SAME service the chart's route does — forte-drop-app:3000 — whose
-# targetPort is the auth sidecar (service.yaml: targetPort = auth.sidecarPort when auth is
-# on). So wildcard subdomains flow service:3000 -> sidecar -> app, i.e. they are Forte-login
-# gated exactly like the admin root. A forteOnly drop is therefore never served un-gated.
-#
-# priority: 1 (intentionally LOW). Traefik orders routers by rule-length by default, and the
-# regex string is longer than Host(`mcp.drop.forteapps.net`); without an explicit low
-# priority this regex would OUTRANK and STEAL mcp.drop.forteapps.net (and the apex) into the
-# web pod. priority:1 guarantees the exact Host() routers (mcp release, chart apex) always win;
-# only real per-slug subdomains fall through to here. The app's reserved-slug check
-# (mcp/www/api/admin/app) is a second line of defence.
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: forte-drop-subdomains
-  namespace: forte-drop
-  labels:
-    app.kubernetes.io/name: forte-drop
-    app.kubernetes.io/part-of: apps
-    app.kubernetes.io/managed-by: argocd
-spec:
-  entryPoints:
-    - websecure
-  routes:
-    # Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered
-    # router against mcp./www./app./apex/<real-slug> before relying on it in prod.
-    - match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`)
-      kind: Rule
-      priority: 1
-      services:
-        - name: forte-drop-app
-          port: 3000
-  tls:
-    secretName: wildcard-drop-forteapps-net-tls

apps/overlays/upc-dev/forte-drop/forte-drop.yaml

@@ -5,9 +5,9 @@ metadata:
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
-#    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-#    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-#    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
   labels:
     app.kubernetes.io/name: forte-drop
     app.kubernetes.io/part-of: apps

apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml

@@ -24,8 +24,8 @@ stringData:
       "directAccessGrantsEnabled": false,
       "serviceAccountsEnabled": false,
       "publicClient": false,
-      "redirectUris": ["https://drop.forteapps.net/auth/callback"],
+      "redirectUris": ["https://drop-k8s.hackathon.forteapps.net/auth/callback"],
-      "webOrigins": ["https://drop.forteapps.net"],
+      "webOrigins": ["https://drop-k8s.hackathon.forteapps.net"],
       "defaultClientScopes": ["openid","email","profile"],
       "secret": {
         "namespace": "forte-drop",

apps/overlays/upc-dev/forte-drop/kustomization.yaml

@@ -1,9 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+- namespace.yaml
 - forte-drop.yaml
 - keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml
-- wildcard-drop-tls-certificate.yaml
-- forte-drop-subdomains-ingressroute.yaml

apps/overlays/upc-dev/forte-drop/namespace.yaml

@@ -0,0 +1,17 @@
+# Owns the forte-drop namespace shared by the web + mcp deployments and the
+# postgres StatefulSet (infra overlay). sync-wave -1 ensures the namespace exists
+# before the namespaced Secrets/PDB in this base apply (avoids a first-sync
+# "namespaces forte-drop not found" race when the business-apps parent syncs).
+# Prune=false so removing this base never cascade-deletes the namespace (and with
+# it postgres data + the mcp deployment) — matches the earlier decision to keep
+# namespace ownership decoupled from any single workload.
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: forte-drop
+  annotations:
+    argocd.argoproj.io/sync-wave: "-1"
+    argocd.argoproj.io/sync-options: Prune=false
+  labels:
+    app.kubernetes.io/managed-by: argocd
+    app.kubernetes.io/part-of: apps

apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml

@@ -1,35 +0,0 @@
----
-# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
-# forte_drop serves forte-login drops on their own subdomain (gated by the auth
-# sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the
-# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only).
-#
-# Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is
-# NOT included here — it is served by the forteapp chart's own Certificate (secret
-# forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net
-# wildcard, so adding it here would be redundant.
-#
-# Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's
-# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can
-# use it without cross-namespace cloning. This is the single issuer of secret
-# wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references
-# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its
-# selector.dnsZones (forteapps.net).
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: wildcard-drop-forteapps-net
-  namespace: forte-drop
-spec:
-  secretName: wildcard-drop-forteapps-net-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  dnsNames:
-  - '*.drop.forteapps.net' # per-slug forte drop subdomains
-  duration: 2160h0m0s # 90 days
-  renewBefore: 720h0m0s # renew 30 days before expiry
-  privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 4096

apps/overlays/upc-dev/kustomization.yaml

@@ -8,6 +8,6 @@ resources:
 
 # No patches needed — base apps already default to "upc-dev" value paths
 # (upc-dev is the default/base cluster).
-# forte-drop (postgres + web + mcp) and dbunk-demo are upc-dev-only apps — their
+# forte-drop (postgres + web + mcp) and dbunk-demo are upc-dev-only apps — they
-# values hardcode upc-dev hosts (drop.forteapps.net etc.) and must not sync to
+# have hackathon-domain hardcoded values and must not sync to upc-prod, so they
-# upc-prod, so they live here in the overlay rather than in apps/base/.
+# live here in the overlay rather than in apps/base/.

cluster-resources/letsencrypt-issuer.yaml

@@ -24,15 +24,8 @@ spec:
             name: azuredns-config
             key: client-secret
       selector:
-        # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
+        dnsNames:
-        # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
+        - '*.forteapps.net'
-        # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
-        # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
-        # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
-        # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
-        # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
-        # to match fall through to the http01 solver below.
-        dnsZones:
         - 'forteapps.net'
     # HTTP-01 fallback for non-wildcard certificates
     - http01:
@@ -65,15 +58,8 @@ spec:
             name: azuredns-config
             key: client-secret
       selector:
-        # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
+        dnsNames:
-        # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
+        - '*.forteapps.net'
-        # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
-        # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
-        # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
-        # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
-        # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
-        # to match fall through to the http01 solver below.
-        dnsZones:
         - 'forteapps.net'
     # HTTP-01 fallback for non-wildcard certificates
     - http01:

infra/values/upc-dev/homepage-values.yaml

@@ -59,6 +59,10 @@ config:
         href: https://benken.hackathon.forteapps.net
         description: Teknisk kompetanse fra offentlige anbud
         icon: forte
+    - Forte Drop:
+        href: https://drop.hackathon.forteapps.net
+        description: Self-hosted HTML-drops + MCP for Claude
+        icon: forte
     - Forte Feedback:
         href: https://feedback.forteapps.net
         description: Fortes internal feedback app