From 44ae8e0da68944644065d3b9eb777b0a85a29019 Mon Sep 17 00:00:00 2001 From: Sten Date: Tue, 9 Jun 2026 16:49:15 +0200 Subject: [PATCH 1/3] feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit forte_drop is moving to per-slug subdomains: forte-login drops served at .drop.forteapps.net (sidecar-gated), public/password drops at drop.forteapps.net/shared/. That needs a wildcard TLS cert. - letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net' selector only matches single-label children, so it does NOT cover the two-label '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver and issuance fails. SP already has zone-level rights on forteapps.net. - new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the app's Traefik IngressRoute can reference it directly (the secret-cloner can't help: generateExisting:false + forte-drop ns already exists). Added to the overlay kustomization so ArgoCD manages it (the Application is prune+selfHeal). This is the SINGLE issuer of that secret. The forte-helm chart must reference it verbatim and must NOT create its own Certificate into the same secret. Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net zone (no delegated drop. child zone). Do NOT merge until that's confirmed. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../upc-dev/forte-drop/kustomization.yaml | 1 + .../wildcard-drop-tls-certificate.yaml | 34 +++++++++++++++++++ cluster-resources/letsencrypt-issuer.yaml | 8 +++++ 3 files changed, 43 insertions(+) create mode 100644 apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml diff --git a/apps/overlays/upc-dev/forte-drop/kustomization.yaml b/apps/overlays/upc-dev/forte-drop/kustomization.yaml index 8dc592b..410825a 100644 --- a/apps/overlays/upc-dev/forte-drop/kustomization.yaml +++ b/apps/overlays/upc-dev/forte-drop/kustomization.yaml @@ -5,3 +5,4 @@ resources: - keycloak-client-forte-drop.yaml - forte-drop-pdb.yaml - forte-drop-secrets-sealed.yaml +- wildcard-drop-tls-certificate.yaml diff --git a/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml b/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml new file mode 100644 index 0000000..fde30ec --- /dev/null +++ b/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml @@ -0,0 +1,34 @@ +--- +# Wildcard TLS cert for the per-slug drop subdomains: .drop.forteapps.net. +# forte_drop serves forte-login drops on their own subdomain (gated by the auth +# sidecar), so each drop needs a valid cert for *.drop.forteapps.net. +# +# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's +# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — +# can use it without cross-namespace cloning. The secret-cloner Kyverno policy +# can't help here: it only clones on NEW namespace creation (generateExisting:false) +# and forte-drop already exists. +# +# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The +# forte-helm chart must reference this secret VERBATIM and must NOT also create a +# Certificate into the same secret (else cert-manager thrashes). The dns01 solver +# in letsencrypt-prod is authorized for these names via its selector.dnsNames. +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: wildcard-drop-forteapps-net + namespace: forte-drop +spec: + secretName: wildcard-drop-forteapps-net-tls + issuerRef: + name: letsencrypt-prod + kind: ClusterIssuer + dnsNames: + - '*.drop.forteapps.net' # per-slug forte drop subdomains + - 'drop.forteapps.net' # apex (admin + /shared public drops) + duration: 2160h0m0s # 90 days + renewBefore: 720h0m0s # renew 30 days before expiry + privateKey: + algorithm: RSA + encoding: PKCS1 + size: 4096 diff --git a/cluster-resources/letsencrypt-issuer.yaml b/cluster-resources/letsencrypt-issuer.yaml index 8881362..2f1689b 100644 --- a/cluster-resources/letsencrypt-issuer.yaml +++ b/cluster-resources/letsencrypt-issuer.yaml @@ -25,6 +25,10 @@ spec: key: client-secret selector: dnsNames: + # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net, + # so the per-drop subdomain wildcard needs its own selector entry. + - '*.drop.forteapps.net' + - 'drop.forteapps.net' - '*.forteapps.net' - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates @@ -59,6 +63,10 @@ spec: key: client-secret selector: dnsNames: + # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net, + # so the per-drop subdomain wildcard needs its own selector entry. + - '*.drop.forteapps.net' + - 'drop.forteapps.net' - '*.forteapps.net' - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates -- 2.52.0 From fcd8f99a52f0a0ac7f0d58a468798f356171d9b2 Mon Sep 17 00:00:00 2001 From: Sten Date: Wed, 10 Jun 2026 09:53:10 +0200 Subject: [PATCH 2/3] feat(forte-drop): wildcard IngressRoute for per-slug drop subdomains MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit No forte-helm chart change needed after all. The forteapp chart emits one exact Host(`drop.forteapps.net`) route (apex: admin + /api + public /shared). Add an ADDITIVE standalone IngressRoute for the per-slug wildcard *.drop.forteapps.net, pointing at the SAME chart service (forte-drop-app:3000 — whose targetPort is the auth sidecar when auth is on), so forte drop subdomains flow through the sidecar and are Forte-login gated exactly like the admin root. priority:1 (LOW) is load-bearing: Traefik orders routers by rule-length by default, and this regex is longer than Host(`mcp.drop.forteapps.net`) — without the explicit low priority it would STEAL mcp.drop (and apex) traffic into the web pod. priority:1 guarantees the exact Host() routers (mcp release + chart apex) always win. Traefik v3 (chart 28.x) HostRegexp = Go RE2; verify the rendered router against mcp./www./app./apex/ before prod. Uses the wildcard-drop-forteapps-net-tls secret from the Certificate added in the same branch. Co-Authored-By: Claude Opus 4.8 (1M context) --- .../forte-drop-subdomains-ingressroute.yaml | 39 +++++++++++++++++++ .../upc-dev/forte-drop/kustomization.yaml | 1 + 2 files changed, 40 insertions(+) create mode 100644 apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml diff --git a/apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml b/apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml new file mode 100644 index 0000000..36aee8e --- /dev/null +++ b/apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml @@ -0,0 +1,39 @@ +# Wildcard routing for per-slug forte drops: .drop.forteapps.net -> the forte-drop +# web pod. The forteapp chart only emits a single exact Host(`drop.forteapps.net`) route +# (the apex: admin + /api + public /shared drops), so this ADDITIVE IngressRoute adds the +# wildcard. Kept in launchpad (forte-drop-specific) rather than the shared forteapp chart. +# +# It targets the SAME service the chart's route does — forte-drop-app:3000 — whose +# targetPort is the auth sidecar (service.yaml: targetPort = auth.sidecarPort when auth is +# on). So wildcard subdomains flow service:3000 -> sidecar -> app, i.e. they are Forte-login +# gated exactly like the admin root. A forteOnly drop is therefore never served un-gated. +# +# priority: 1 (intentionally LOW). Traefik orders routers by rule-length by default, and the +# regex string is longer than Host(`mcp.drop.forteapps.net`); without an explicit low +# priority this regex would OUTRANK and STEAL mcp.drop.forteapps.net (and the apex) into the +# web pod. priority:1 guarantees the exact Host() routers (mcp release, chart apex) always win; +# only real per-slug subdomains fall through to here. The app's reserved-slug check +# (mcp/www/api/admin/app) is a second line of defence. +apiVersion: traefik.io/v1alpha1 +kind: IngressRoute +metadata: + name: forte-drop-subdomains + namespace: forte-drop + labels: + app.kubernetes.io/name: forte-drop + app.kubernetes.io/part-of: apps + app.kubernetes.io/managed-by: argocd +spec: + entryPoints: + - websecure + routes: + # Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered + # router against mcp./www./app./apex/ before relying on it in prod. + - match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`) + kind: Rule + priority: 1 + services: + - name: forte-drop-app + port: 3000 + tls: + secretName: wildcard-drop-forteapps-net-tls diff --git a/apps/overlays/upc-dev/forte-drop/kustomization.yaml b/apps/overlays/upc-dev/forte-drop/kustomization.yaml index 410825a..890a9c1 100644 --- a/apps/overlays/upc-dev/forte-drop/kustomization.yaml +++ b/apps/overlays/upc-dev/forte-drop/kustomization.yaml @@ -6,3 +6,4 @@ resources: - forte-drop-pdb.yaml - forte-drop-secrets-sealed.yaml - wildcard-drop-tls-certificate.yaml +- forte-drop-subdomains-ingressroute.yaml -- 2.52.0 From fcf187e903acd3250da1c1d95fafc256cdfd9f62 Mon Sep 17 00:00:00 2001 From: Sten Date: Fri, 12 Jun 2026 09:24:22 +0200 Subject: [PATCH 3/3] fix(forte-drop): drop apex SAN, use dnsZones in issuer selector - Apex drop.forteapps.net already gets its own cert from the forteapp chart (forte-drop-tls); the SAN on the wildcard cert was redundant. - cert-manager selector.dnsNames matches exact FQDNs (no wildcard expansion), so the enumerated list is replaced by dnsZones: [forteapps.net], covering apex + all subdomains. Refs #22 Co-Authored-By: Claude Opus 4.8 (1M context) --- .../wildcard-drop-tls-certificate.yaml | 23 +++++++------- cluster-resources/letsencrypt-issuer.yaml | 30 +++++++++++-------- 2 files changed, 30 insertions(+), 23 deletions(-) diff --git a/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml b/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml index fde30ec..d83faf5 100644 --- a/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml +++ b/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml @@ -1,18 +1,20 @@ --- # Wildcard TLS cert for the per-slug drop subdomains: .drop.forteapps.net. # forte_drop serves forte-login drops on their own subdomain (gated by the auth -# sidecar), so each drop needs a valid cert for *.drop.forteapps.net. +# sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the +# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only). # -# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's -# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — -# can use it without cross-namespace cloning. The secret-cloner Kyverno policy -# can't help here: it only clones on NEW namespace creation (generateExisting:false) -# and forte-drop already exists. +# Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is +# NOT included here — it is served by the forteapp chart's own Certificate (secret +# forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net +# wildcard, so adding it here would be redundant. # -# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The -# forte-helm chart must reference this secret VERBATIM and must NOT also create a -# Certificate into the same secret (else cert-manager thrashes). The dns01 solver -# in letsencrypt-prod is authorized for these names via its selector.dnsNames. +# Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's +# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can +# use it without cross-namespace cloning. This is the single issuer of secret +# wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references +# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its +# selector.dnsZones (forteapps.net). apiVersion: cert-manager.io/v1 kind: Certificate metadata: @@ -25,7 +27,6 @@ spec: kind: ClusterIssuer dnsNames: - '*.drop.forteapps.net' # per-slug forte drop subdomains - - 'drop.forteapps.net' # apex (admin + /shared public drops) duration: 2160h0m0s # 90 days renewBefore: 720h0m0s # renew 30 days before expiry privateKey: diff --git a/cluster-resources/letsencrypt-issuer.yaml b/cluster-resources/letsencrypt-issuer.yaml index 2f1689b..480b193 100644 --- a/cluster-resources/letsencrypt-issuer.yaml +++ b/cluster-resources/letsencrypt-issuer.yaml @@ -24,12 +24,15 @@ spec: name: azuredns-config key: client-secret selector: - dnsNames: - # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net, - # so the per-drop subdomain wildcard needs its own selector entry. - - '*.drop.forteapps.net' - - 'drop.forteapps.net' - - '*.forteapps.net' + # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames + # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally + # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones + # instead suffix-matches the zone apex AND every subdomain at any depth, so this single + # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net, + # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this + # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail + # to match fall through to the http01 solver below. + dnsZones: - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates - http01: @@ -62,12 +65,15 @@ spec: name: azuredns-config key: client-secret selector: - dnsNames: - # *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net, - # so the per-drop subdomain wildcard needs its own selector entry. - - '*.drop.forteapps.net' - - 'drop.forteapps.net' - - '*.forteapps.net' + # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames + # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally + # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones + # instead suffix-matches the zone apex AND every subdomain at any depth, so this single + # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net, + # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this + # Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail + # to match fall through to the http01 solver below. + dnsZones: - 'forteapps.net' # HTTP-01 fallback for non-wildcard certificates - http01: -- 2.52.0