Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Wiki Activity

Compare commits

merge into: Forte:main
Branches Tags
Forte:main Forte:feat/subdomain-drop-wildcard-cert Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure
...
pull from: Forte:feat/subdomain-drop-wildcard-cert
Branches Tags
Forte:feat/subdomain-drop-wildcard-cert Forte:main Forte:fix/drop-duplicate-keycloak-secret Forte:feature/dns01 Forte:feat/forte-drop-infra Forte:feature/ppusher Forte:feature/chibisafe Forte:hotfix/backup Forte:feature/vault-migration Forte:feature/hashicorp-vault Forte:feature/homepage Forte:feature/argocd-rbac Forte:feature/argocd-tls Forte:feature/multi-cloud Forte:feature/karpor Forte:feature/backstage Forte:feature/ai-review Forte:gitea-pages Forte:feature/gitea-docs Forte:feature/multicluster Forte:feature/secret-syncing Forte:feature/smtp Forte:renovate/configure

1 Commits

Author SHA1 Message Date
Sten
44ae8e0da6 feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop 
forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.

- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
  the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
  selector only matches single-label children, so it does NOT cover the two-label
  '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
  and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
  wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
  app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
  generateExisting:false + forte-drop ns already exists). Added to the overlay
  kustomization so ArgoCD manages it (the Application is prune+selfHeal).

This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.

Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
 2026-06-09 16:49:15 +02:00
3 changed files with 43 additions and 0 deletions
Expand all files Collapse all files

1
apps/overlays/upc-dev/forte-drop/kustomization.yaml
View File

@@ -5,3 +5,4 @@ resources:
- keycloak-client-forte-drop.yaml
- forte-drop-pdb.yaml
- forte-drop-secrets-sealed.yaml
- wildcard-drop-tls-certificate.yaml

34
apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml Normal file
View File

@@ -0,0 +1,34 @@
---
# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net.
#
# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace —
# can use it without cross-namespace cloning. The secret-cloner Kyverno policy
# can't help here: it only clones on NEW namespace creation (generateExisting:false)
# and forte-drop already exists.
#
# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The
# forte-helm chart must reference this secret VERBATIM and must NOT also create a
# Certificate into the same secret (else cert-manager thrashes). The dns01 solver
# in letsencrypt-prod is authorized for these names via its selector.dnsNames.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-drop-forteapps-net
namespace: forte-drop
spec:
secretName: wildcard-drop-forteapps-net-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- '*.drop.forteapps.net' # per-slug forte drop subdomains
- 'drop.forteapps.net' # apex (admin + /shared public drops)
duration: 2160h0m0s # 90 days
renewBefore: 720h0m0s # renew 30 days before expiry
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096

8
cluster-resources/letsencrypt-issuer.yaml
View File

@@ -25,6 +25,10 @@ spec:
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates
@@ -59,6 +63,10 @@ spec:
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates