Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Wiki Activity

feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop #22

Open
jorgen.stensrud wants to merge 3 commits from feat/subdomain-drop-wildcard-cert into main
pull from: feat/subdomain-drop-wildcard-cert
merge into: Forte:main
Conversation 2 Commits 3 Files Changed 4
+43
3 changed files with 43 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit 44ae8e0da6 - Show all commits
apps/overlays/upc-dev/forte-drop/kustomization.yaml
+1
View File
@@ -5,3 +5,4 @@ resources:
- keycloak-client-forte-drop.yaml
- forte-drop-pdb.yaml
- forte-drop-secrets-sealed.yaml
- wildcard-drop-tls-certificate.yaml
apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml
+34
View File
@@ -0,0 +1,34 @@
---
# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net.
#
# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace —
# can use it without cross-namespace cloning. The secret-cloner Kyverno policy
# can't help here: it only clones on NEW namespace creation (generateExisting:false)
# and forte-drop already exists.
#
# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The
# forte-helm chart must reference this secret VERBATIM and must NOT also create a
# Certificate into the same secret (else cert-manager thrashes). The dns01 solver
# in letsencrypt-prod is authorized for these names via its selector.dnsNames.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-drop-forteapps-net
namespace: forte-drop
spec:
secretName: wildcard-drop-forteapps-net-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
danijel.simeunovic commented 2026-06-11 12:55:44 +00:00
Review
Copy Link
Copy Source

Samme som forrige kommentar, hvis vi legger inn støtte for multiple hosts i array, så trengs ikke egen ressurs her.

Samme som forrige kommentar, hvis vi legger inn støtte for multiple hosts i array, så trengs ikke egen ressurs her.
- '*.drop.forteapps.net' # per-slug forte drop subdomains
- 'drop.forteapps.net' # apex (admin + /shared public drops)
duration: 2160h0m0s # 90 days
renewBefore: 720h0m0s # renew 30 days before expiry
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096
cluster-resources/letsencrypt-issuer.yaml
+8
View File
@@ -25,6 +25,10 @@ spec:
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates
@@ -59,6 +63,10 @@ spec:
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates