feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop #22

Open
jorgen.stensrud wants to merge 3 commits from feat/subdomain-drop-wildcard-cert into main

Part of subdomain-per-drop. See forte-drop docs/subdomain-per-drop-rollout.md for the full plan, the forte-helm chart spec, the 3 questions for Danijel, and the strict rollout order.

DO NOT MERGE YET — infra has a required ordering (DNS -> issuer -> cert Ready -> forte-helm chart -> mcp priority -> helm /shared -> app image). Merging out of order breaks live drops/MCP. Reviews (codex + /code-review) still pending; reviewers not yet tagged.

jorgen.stensrud added 1 commit 2026-06-09 14:56:20 +00:00
forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.

- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
  the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
  selector only matches single-label children, so it does NOT cover the two-label
  '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
  and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
  wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
  app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
  generateExisting:false + forte-drop ns already exists). Added to the overlay
  kustomization so ArgoCD manages it (the Application is prune+selfHeal).

This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.

Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
jorgen.stensrud marked the pull request as work in progress 2026-06-10 07:19:33 +00:00
jorgen.stensrud added 1 commit 2026-06-10 08:01:07 +00:00
feat(forte-drop): wildcard IngressRoute for per-slug drop subdomains
AI Code Review / ai-review (pull_request) Has been skipped
fcd8f99a52
No forte-helm chart change needed after all. The forteapp chart emits one exact
Host(`drop.forteapps.net`) route (apex: admin + /api + public /shared). Add an
ADDITIVE standalone IngressRoute for the per-slug wildcard *.drop.forteapps.net,
pointing at the SAME chart service (forte-drop-app:3000 — whose targetPort is the
auth sidecar when auth is on), so forte drop subdomains flow through the sidecar and
are Forte-login gated exactly like the admin root.

priority:1 (LOW) is load-bearing: Traefik orders routers by rule-length by default,
and this regex is longer than Host(`mcp.drop.forteapps.net`) — without the explicit
low priority it would STEAL mcp.drop (and apex) traffic into the web pod. priority:1
guarantees the exact Host() routers (mcp release + chart apex) always win.

Traefik v3 (chart 28.x) HostRegexp = Go RE2; verify the rendered router against
mcp./www./app./apex/<real-slug> before prod. Uses the wildcard-drop-forteapps-net-tls
secret from the Certificate added in the same branch.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
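As an added check (not code from the PR or the forteapp chart), a small Go program that models the two things the commit message above relies on: which Host values the RE2 pattern matches, and Traefik's default rule-length priority that makes `priority: 1` necessary. The rule strings are assumed verbatim from the commit text and the priority model is a simplification of Traefik's behaviour, not its code:

```go
package main

import (
	"fmt"
	"regexp"
)

// Router rules as quoted in the commit message (assumed verbatim; the rendered chart may differ).
const (
	dropWildcardRule = "HostRegexp(`^[a-z0-9-]+\\.drop\\.forteapps\\.net$`)"
	mcpRule          = "Host(`mcp.drop.forteapps.net`)"
	apexRule         = "Host(`drop.forteapps.net`)"
)

// The RE2 pattern inside dropWildcardRule, compiled with Go's regexp (the engine Traefik v3 uses).
var dropWildcard = regexp.MustCompile(`^[a-z0-9-]+\.drop\.forteapps\.net$`)

// MatchesDropWildcard reports whether a Host value would hit the wildcard router.
func MatchesDropWildcard(host string) bool {
	return dropWildcard.MatchString(host)
}

// DefaultPriority models Traefik's default router priority: the length of the rule string.
func DefaultPriority(rule string) int {
	return len(rule)
}

// WildcardWinsOverExact reports whether the wildcard router would be evaluated before an
// exact Host() router that matches the same request. wildcardPriority 0 means "not set",
// i.e. Traefik falls back to DefaultPriority for the wildcard router.
func WildcardWinsOverExact(wildcardPriority int, exactRule string) bool {
	p := wildcardPriority
	if p == 0 {
		p = DefaultPriority(dropWildcardRule)
	}
	return p > DefaultPriority(exactRule)
}

func main() {
	// Constructed sample hosts: a slug, the mcp release, the apex, a sibling, and a suffix attack.
	for _, h := range []string{"abc-1.drop.forteapps.net", "mcp.drop.forteapps.net",
		"drop.forteapps.net", "www.forteapps.net", "x.drop.forteapps.net.example"} {
		fmt.Printf("%-32s wildcard match: %v\n", h, MatchesDropWildcard(h))
	}
	fmt.Println("default priority, wildcard beats mcp:", WildcardWinsOverExact(0, mcpRule))
	fmt.Println("priority 1, wildcard beats mcp:     ", WildcardWinsOverExact(1, mcpRule))
	fmt.Println("priority 1, wildcard beats apex:    ", WildcardWinsOverExact(1, apexRule))
}
```

The mcp host matching the wildcard is the overlap the commit message describes; only the explicit low priority keeps the exact routers ahead of it.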
jorgen.stensrud marked the pull request as ready for review 2026-06-10 08:41:29 +00:00
jorgen.stensrud requested review from danijel.simeunovic 2026-06-10 08:46:24 +00:00
jorgen.stensrud requested review from gitea_admin 2026-06-10 12:29:15 +00:00
danijel.simeunovic requested changes 2026-06-11 12:56:48 +00:00
@@ -0,0 +29,4 @@
routes:
# Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered
# router against mcp./www./app./apex/<real-slug> before relying on it in prod.
- match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`)
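Review bot: the hunk shows the HostRegexp rule but not the `priority: 1` that the commit message calls load-bearing; since `^[a-z0-9-]+\.drop\.forteapps\.net$` also matches `mcp.drop.forteapps.net`, confirm the explicit low priority is set on this router and mention it in the comment next to the rule, so a later edit does not silently drop it and let the wildcard pull mcp.drop traffic into the web pod. The anchored RE2 pattern itself looks right: it does not match the apex `drop.forteapps.net` or hosts with further labels appended.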
We can add support for this in the helm chart; then there would be no need for a separate IngressRoute here, would there?
@@ -0,0 +23,4 @@
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
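Review bot: the `dnsNames` list is cut off at the hunk boundary; after the follow-up commit it should contain only `*.drop.forteapps.net`, since the apex is already covered by `forte-drop-tls` from the chart and a second Certificate carrying the same SAN would just duplicate it. Because the issuerRef points at `letsencrypt-prod`, consider issuing the wildcard once against the other ClusterIssuer the solver selector was also updated in on this branch, so a selector mismatch surfaces before it counts against production ACME limits.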
Same as the previous comment: if we add support for multiple hosts in an array, no separate resource is needed here.
@@ -28,0 +28,4 @@
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
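Review bot: the comment above these two entries describes TLS-wildcard semantics, but a cert-manager solver `selector.dnsNames` entry is an exact string match against the Certificate's dnsNames, so `'*.drop.forteapps.net'` works here only because the Certificate literally requests that wildcard name, not because of how many labels it has; the follow-up commit's switch to `dnsZones: [forteapps.net]` is the cleaner fix, and the comment should be reworded or dropped so it does not mislead the next editor.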
I understand `*.drop.forteapps.net`, but wouldn't `drop.forteapps.net` be covered by the `*.forteapps.net` that already exists?
jorgen.stensrud added 1 commit 2026-06-12 07:24:25 +00:00
fix(forte-drop): drop apex SAN, use dnsZones in issuer selector
AI Code Review / ai-review (pull_request) Has been skipped
fcf187e903
- Apex drop.forteapps.net already gets its own cert from the forteapp
  chart (forte-drop-tls); the SAN on the wildcard cert was redundant.
- cert-manager selector.dnsNames matches exact FQDNs (no wildcard
  expansion), so the enumerated list is replaced by
  dnsZones: [forteapps.net], covering apex + all subdomains.

Refs #22

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Thanks! Updated:

#3: In the solver selector, `dnsNames` matches the exact FQDN, not as a TLS wildcard, so `*.forteapps.net` does not actually cover `drop.forteapps.net` here. Switched to `dnsZones: ['forteapps.net']`, which covers the apex and all subdomains in a single entry.

#2: Removed the apex SAN; `drop.forteapps.net` already has its own cert from the chart (`forte-drop-tls`). The cert now covers only `*.drop.forteapps.net`.

#1: Agreed, but today the chart only creates a single `Host()` route plus a cert with one SAN. Taking the chart consolidation as a separate follow-up, ok?

@danijel.simeunovic
Checkout

From your project repository, check out a new branch and test the changes.
git fetch -u origin feat/subdomain-drop-wildcard-cert:feat/subdomain-drop-wildcard-cert
git checkout feat/subdomain-drop-wildcard-cert
Reference: Forte/launchpad#22