- Apex drop.forteapps.net already gets its own cert from the forteapp
chart (forte-drop-tls); the SAN on the wildcard cert was redundant.
- cert-manager selector.dnsNames matches exact FQDNs (no wildcard
expansion), so the enumerated list is replaced by
dnsZones: [forteapps.net], covering apex + all subdomains.
Refs #22
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
No forte-helm chart change needed after all. The forteapp chart emits one exact
Host(`drop.forteapps.net`) route (apex: admin + /api + public /shared). Add an
ADDITIVE standalone IngressRoute for the per-slug wildcard *.drop.forteapps.net,
pointing at the SAME chart service (forte-drop-app:3000 — whose targetPort is the
auth sidecar when auth is on), so forte drop subdomains flow through the sidecar and
are Forte-login gated exactly like the admin root.
priority:1 (LOW) is load-bearing: Traefik orders routers by rule-length by default,
and this regex is longer than Host(`mcp.drop.forteapps.net`) — without the explicit
low priority it would STEAL mcp.drop (and apex) traffic into the web pod. priority:1
guarantees the exact Host() routers (mcp release + chart apex) always win.
Traefik v3 (chart 28.x) HostRegexp = Go RE2; verify the rendered router against
mcp./www./app./apex/<real-slug> before prod. Uses the wildcard-drop-forteapps-net-tls
secret from the Certificate added in the same branch.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.
- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
selector only matches single-label children, so it does NOT cover the two-label
'*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
generateExisting:false + forte-drop ns already exists). Added to the overlay
kustomization so ArgoCD manages it (the Application is prune+selfHeal).
This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.
Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.
Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sten