diff --git a/apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml b/apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml new file mode 100644 index 0000000..36aee8e --- /dev/null +++ b/apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml @@ -0,0 +1,39 @@ +# Wildcard routing for per-slug forte drops: .drop.forteapps.net -> the forte-drop +# web pod. The forteapp chart only emits a single exact Host(`drop.forteapps.net`) route +# (the apex: admin + /api + public /shared drops), so this ADDITIVE IngressRoute adds the +# wildcard. Kept in launchpad (forte-drop-specific) rather than the shared forteapp chart. +# +# It targets the SAME service the chart's route does — forte-drop-app:3000 — whose +# targetPort is the auth sidecar (service.yaml: targetPort = auth.sidecarPort when auth is +# on). So wildcard subdomains flow service:3000 -> sidecar -> app, i.e. they are Forte-login +# gated exactly like the admin root. A forteOnly drop is therefore never served un-gated. +# +# priority: 1 (intentionally LOW). Traefik orders routers by rule-length by default, and the +# regex string is longer than Host(`mcp.drop.forteapps.net`); without an explicit low +# priority this regex would OUTRANK and STEAL mcp.drop.forteapps.net (and the apex) into the +# web pod. priority:1 guarantees the exact Host() routers (mcp release, chart apex) always win; +# only real per-slug subdomains fall through to here. The app's reserved-slug check +# (mcp/www/api/admin/app) is a second line of defence. +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: forte-drop-subdomains + namespace: forte-drop + labels: + app.kubernetes.io/name: forte-drop + app.kubernetes.io/part-of: apps + app.kubernetes.io/managed-by: argocd +spec: + entryPoints: + - websecure + routes: + # Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered + # router against mcp./www./app./apex/ before relying on it in prod. + - match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`) + kind: Rule + priority: 1 + services: + - name: forte-drop-app + port: 3000 + tls: + secretName: wildcard-drop-forteapps-net-tls diff --git a/apps/overlays/upc-dev/forte-drop/kustomization.yaml b/apps/overlays/upc-dev/forte-drop/kustomization.yaml index 8dc592b..890a9c1 100644 --- a/apps/overlays/upc-dev/forte-drop/kustomization.yaml +++ b/apps/overlays/upc-dev/forte-drop/kustomization.yaml @@ -5,3 +5,5 @@ resources: - keycloak-client-forte-drop.yaml - forte-drop-pdb.yaml - forte-drop-secrets-sealed.yaml +- wildcard-drop-tls-certificate.yaml +- forte-drop-subdomains-ingressroute.yaml diff --git a/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml b/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml new file mode 100644 index 0000000..d83faf5 --- /dev/null +++ b/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml @@ -0,0 +1,35 @@ +--- +# Wildcard TLS cert for the per-slug drop subdomains: .drop.forteapps.net. +# forte_drop serves forte-login drops on their own subdomain (gated by the auth +# sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the +# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only). +# +# Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is +# NOT included here — it is served by the forteapp chart's own Certificate (secret +# forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net +# wildcard, so adding it here would be redundant. +# +# Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's +# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can +# use it without cross-namespace cloning. This is the single issuer of secret +# wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references +# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its +# selector.dnsZones (forteapps.net). +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-drop-forteapps-net + namespace: forte-drop +spec: + secretName: wildcard-drop-forteapps-net-tls + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + dnsNames: + - '*.drop.forteapps.net' # per-slug forte drop subdomains + duration: 2160h0m0s # 90 days + renewBefore: 720h0m0s # renew 30 days before expiry + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 4096 diff --git a/cluster-resources/letsencrypt-issuer.yaml b/cluster-resources/letsencrypt-issuer.yaml index 8881362..480b193 100644 --- a/cluster-resources/letsencrypt-issuer.yaml +++ b/cluster-resources/letsencrypt-issuer.yaml @@ -24,8 +24,15 @@ spec: name: azuredns-config key: client-secret selector: - dnsNames: - - '*.forteapps.net' + # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames + # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally + # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones + # instead suffix-matches the zone apex AND every subdomain at any depth, so this single + # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net, + # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this + # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail + # to match fall through to the http01 solver below. + dnsZones: - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates - http01: @@ -58,8 +65,15 @@ spec: name: azuredns-config key: client-secret selector: - dnsNames: - - '*.forteapps.net' + # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames + # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally + # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones + # instead suffix-matches the zone apex AND every subdomain at any depth, so this single + # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net, + # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this + # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail + # to match fall through to the http01 solver below. + dnsZones: - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates - http01: