fix(forte-drop): drop apex SAN, use dnsZones in issuer selector

- Apex drop.forteapps.net already gets its own cert from the forteapp
  chart (forte-drop-tls); the SAN on the wildcard cert was redundant.
- cert-manager selector.dnsNames matches exact FQDNs (no wildcard
  expansion), so the enumerated list is replaced by
  dnsZones: [forteapps.net], covering apex + all subdomains.

Refs #22

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml

@@ -0,0 +1,39 @@
+# Wildcard routing for per-slug forte drops: <slug>.drop.forteapps.net -> the forte-drop
+# web pod. The forteapp chart only emits a single exact Host(`drop.forteapps.net`) route
+# (the apex: admin + /api + public /shared drops), so this ADDITIVE IngressRoute adds the
+# wildcard. Kept in launchpad (forte-drop-specific) rather than the shared forteapp chart.
+#
+# It targets the SAME service the chart's route does — forte-drop-app:3000 — whose
+# targetPort is the auth sidecar (service.yaml: targetPort = auth.sidecarPort when auth is
+# on). So wildcard subdomains flow service:3000 -> sidecar -> app, i.e. they are Forte-login
+# gated exactly like the admin root. A forteOnly drop is therefore never served un-gated.
+#
+# priority: 1 (intentionally LOW). Traefik orders routers by rule-length by default, and the
+# regex string is longer than Host(`mcp.drop.forteapps.net`); without an explicit low
+# priority this regex would OUTRANK and STEAL mcp.drop.forteapps.net (and the apex) into the
+# web pod. priority:1 guarantees the exact Host() routers (mcp release, chart apex) always win;
+# only real per-slug subdomains fall through to here. The app's reserved-slug check
+# (mcp/www/api/admin/app) is a second line of defence.
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: forte-drop-subdomains
+  namespace: forte-drop
+  labels:
+    app.kubernetes.io/name: forte-drop
+    app.kubernetes.io/part-of: apps
+    app.kubernetes.io/managed-by: argocd
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    # Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered
+    # router against mcp./www./app./apex/<real-slug> before relying on it in prod.
+    - match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`)
+      kind: Rule
+      priority: 1
+      services:
+        - name: forte-drop-app
+          port: 3000
+  tls:
+    secretName: wildcard-drop-forteapps-net-tls

apps/overlays/upc-dev/forte-drop/kustomization.yaml

@@ -5,3 +5,5 @@ resources:
 - keycloak-client-forte-drop.yaml
 - forte-drop-pdb.yaml
 - forte-drop-secrets-sealed.yaml
+- wildcard-drop-tls-certificate.yaml
+- forte-drop-subdomains-ingressroute.yaml

apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml

@@ -0,0 +1,35 @@
+---
+# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
+# forte_drop serves forte-login drops on their own subdomain (gated by the auth
+# sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the
+# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only).
+#
+# Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is
+# NOT included here — it is served by the forteapp chart's own Certificate (secret
+# forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net
+# wildcard, so adding it here would be redundant.
+#
+# Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's
+# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can
+# use it without cross-namespace cloning. This is the single issuer of secret
+# wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references
+# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its
+# selector.dnsZones (forteapps.net).
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-drop-forteapps-net
+  namespace: forte-drop
+spec:
+  secretName: wildcard-drop-forteapps-net-tls
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer
+  dnsNames:
+  - '*.drop.forteapps.net' # per-slug forte drop subdomains
+  duration: 2160h0m0s # 90 days
+  renewBefore: 720h0m0s # renew 30 days before expiry
+  privateKey:
+    algorithm: RSA
+    encoding: PKCS1
+    size: 4096

cluster-resources/letsencrypt-issuer.yaml

@@ -24,8 +24,15 @@ spec:
             name: azuredns-config
             key: client-secret
       selector:
-        dnsNames:
-        - '*.forteapps.net'
+        # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
+        # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
+        # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
+        # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
+        # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
+        # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
+        # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
+        # to match fall through to the http01 solver below.
+        dnsZones:
         - 'forteapps.net'
     # HTTP-01 fallback for non-wildcard certificates
     - http01:
@@ -58,8 +65,15 @@ spec:
             name: azuredns-config
             key: client-secret
       selector:
-        dnsNames:
-        - '*.forteapps.net'
+        # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
+        # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
+        # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
+        # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
+        # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
+        # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
+        # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
+        # to match fall through to the http01 solver below.
+        dnsZones:
         - 'forteapps.net'
     # HTTP-01 fallback for non-wildcard certificates
     - http01: