fix(apps): drop duplicate keycloak-client secret (chart owns it)

The forteapp chart renders Secret/keycloak-client-forte-drop from
auth.registration values (verified: the live secret is tracked by
the forte-drop Application and carries the correct
drop.forteapps.net redirect). The overlay copy gives the secret two
owners — enterprise-apps and forte-drop self-heal against each
other in a sync loop (the Slack spam). Remove the overlay copy;
the chart is the single source.

apps/overlays/upc-dev/forte-drop/forte-drop.yaml

@@ -5,9 +5,9 @@ metadata:
   namespace: argocd
   annotations:
     argocd.argoproj.io/sync-wave: "1"
-#    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
-#    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
-#    notifications.argoproj.io/subscribe.on-degraded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-succeeded.slack: ""
+    notifications.argoproj.io/subscribe.on-sync-failed.slack: ""
+    notifications.argoproj.io/subscribe.on-degraded.slack: ""
   labels:
     app.kubernetes.io/name: forte-drop
     app.kubernetes.io/part-of: apps

apps/overlays/upc-dev/forte-drop/keycloak-client-forte-drop.yaml

@@ -1,38 +0,0 @@
-# Labeled config Secret read by the Keycloak Client Registrar. Kyverno clones it
-# to the keycloak namespace; a CronJob registers the OIDC client in the forte
-# realm and writes the credentials back as forte-drop-oidc-credentials in THIS
-# namespace (~2 min). The forte-helm auth sidecar (auth.type: oidc) consumes that
-# registrar-created Secret automatically — no manual SealedSecret step needed.
-apiVersion: v1
-kind: Secret
-metadata:
-  name: keycloak-client-forte-drop
-  namespace: forte-drop
-  labels:
-    keycloak.forteapps.net/client-config: "true"
-  annotations:
-    keycloak.forteapps.net/source-namespace: "forte-drop"
-stringData:
-  client.json: |
-    {
-      "clientId": "forte-drop",
-      "name": "Forte Drop (web)",
-      "enabled": true,
-      "protocol": "openid-connect",
-      "clientAuthenticatorType": "client-secret",
-      "standardFlowEnabled": true,
-      "directAccessGrantsEnabled": false,
-      "serviceAccountsEnabled": false,
-      "publicClient": false,
-      "redirectUris": ["https://drop.forteapps.net/auth/callback"],
-      "webOrigins": ["https://drop.forteapps.net"],
-      "defaultClientScopes": ["openid","email","profile"],
-      "secret": {
-        "namespace": "forte-drop",
-        "name": "forte-drop-oidc-credentials",
-        "keys": {
-          "clientId": "client-id",
-          "clientSecret": "client-secret"
-        }
-      }
-    }

apps/overlays/upc-dev/forte-drop/kustomization.yaml

@@ -2,7 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - forte-drop.yaml
-- keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml
-- wildcard-drop-tls-certificate.yaml

apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml

@@ -1,34 +0,0 @@
----
-# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
-# forte_drop serves forte-login drops on their own subdomain (gated by the auth
-# sidecar), so each drop needs a valid cert for *.drop.forteapps.net.
-#
-# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's
-# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace —
-# can use it without cross-namespace cloning. The secret-cloner Kyverno policy
-# can't help here: it only clones on NEW namespace creation (generateExisting:false)
-# and forte-drop already exists.
-#
-# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The
-# forte-helm chart must reference this secret VERBATIM and must NOT also create a
-# Certificate into the same secret (else cert-manager thrashes). The dns01 solver
-# in letsencrypt-prod is authorized for these names via its selector.dnsNames.
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: wildcard-drop-forteapps-net
-  namespace: forte-drop
-spec:
-  secretName: wildcard-drop-forteapps-net-tls
-  issuerRef:
-    name: letsencrypt-prod
-    kind: ClusterIssuer
-  dnsNames:
-  - '*.drop.forteapps.net' # per-slug forte drop subdomains
-  - 'drop.forteapps.net'   # apex (admin + /shared public drops)
-  duration: 2160h0m0s # 90 days
-  renewBefore: 720h0m0s # renew 30 days before expiry
-  privateKey:
-    algorithm: RSA
-    encoding: PKCS1
-    size: 4096

cluster-resources/letsencrypt-issuer.yaml

@@ -25,10 +25,6 @@ spec:
             key: client-secret
       selector:
         dnsNames:
-        # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
-        # so the per-drop subdomain wildcard needs its own selector entry.
-        - '*.drop.forteapps.net'
-        - 'drop.forteapps.net'
         - '*.forteapps.net'
         - 'forteapps.net'
     # HTTP-01 fallback for non-wildcard certificates
@@ -63,10 +59,6 @@ spec:
             key: client-secret
       selector:
         dnsNames:
-        # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
-        # so the per-drop subdomain wildcard needs its own selector entry.
-        - '*.drop.forteapps.net'
-        - 'drop.forteapps.net'
         - '*.forteapps.net'
         - 'forteapps.net'
     # HTTP-01 fallback for non-wildcard certificates

infra/values/upc-dev/homepage-values.yaml

@@ -59,6 +59,10 @@ config:
         href: https://benken.hackathon.forteapps.net
         description: Teknisk kompetanse fra offentlige anbud
         icon: forte
+    - Forte Drop:
+        href: https://drop.forteapps.net
+        description: Self-hosted HTML-drops + MCP for Claude
+        icon: forte
     - Forte Feedback:
         href: https://feedback.forteapps.net
         description: Fortes internal feedback app