Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Wiki Activity

feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop #22

Open
jorgen.stensrud wants to merge 3 commits from feat/subdomain-drop-wildcard-cert into main
pull from: feat/subdomain-drop-wildcard-cert
merge into: Forte:main
Conversation 2 Commits 3 Files Changed 4
+40
2 changed files with 40 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit fcd8f99a52 - Show all commits
apps/overlays/upc-dev/forte-drop/forte-drop-subdomains-ingressroute.yaml
+39
View File
@@ -0,0 +1,39 @@
# Wildcard routing for per-slug forte drops: <slug>.drop.forteapps.net -> the forte-drop
# web pod. The forteapp chart only emits a single exact Host(`drop.forteapps.net`) route
# (the apex: admin + /api + public /shared drops), so this ADDITIVE IngressRoute adds the
# wildcard. Kept in launchpad (forte-drop-specific) rather than the shared forteapp chart.
#
# It targets the SAME service the chart's route does — forte-drop-app:3000 — whose
# targetPort is the auth sidecar (service.yaml: targetPort = auth.sidecarPort when auth is
# on). So wildcard subdomains flow service:3000 -> sidecar -> app, i.e. they are Forte-login
# gated exactly like the admin root. A forteOnly drop is therefore never served un-gated.
#
# priority: 1 (intentionally LOW). Traefik orders routers by rule-length by default, and the
# regex string is longer than Host(`mcp.drop.forteapps.net`); without an explicit low
# priority this regex would OUTRANK and STEAL mcp.drop.forteapps.net (and the apex) into the
# web pod. priority:1 guarantees the exact Host() routers (mcp release, chart apex) always win;
# only real per-slug subdomains fall through to here. The app's reserved-slug check
# (mcp/www/api/admin/app) is a second line of defence.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: forte-drop-subdomains
namespace: forte-drop
labels:
app.kubernetes.io/name: forte-drop
app.kubernetes.io/part-of: apps
app.kubernetes.io/managed-by: argocd
spec:
entryPoints:
- websecure
routes:
# Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered
# router against mcp./www./app./apex/<real-slug> before relying on it in prod.
- match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`)
danijel.simeunovic commented 2026-06-11 12:54:34 +00:00
Review
Copy Link
Copy Source

Dette kan vi legge til støtte for i helm chart, da vil det vel ikke være behov for egen IngressRoute her?

Dette kan vi legge til støtte for i helm chart, da vil det vel ikke være behov for egen IngressRoute her?
kind: Rule
priority: 1
services:
- name: forte-drop-app
port: 3000
tls:
secretName: wildcard-drop-forteapps-net-tls
apps/overlays/upc-dev/forte-drop/kustomization.yaml
+1
View File
@@ -6,3 +6,4 @@ resources:
- forte-drop-pdb.yaml
- forte-drop-secrets-sealed.yaml
- wildcard-drop-tls-certificate.yaml
- forte-drop-subdomains-ingressroute.yaml