Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Wiki Activity

feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop #22

Open
jorgen.stensrud wants to merge 3 commits from feat/subdomain-drop-wildcard-cert into main
pull from: feat/subdomain-drop-wildcard-cert
merge into: Forte:main
Conversation 2 Commits 3 Files Changed 4
+30 -23
2 changed files with 30 additions and 23 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Showing only changes of commit fcf187e903 - Show all commits
apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml
+12 -11
View File
@@ -1,18 +1,20 @@
--- ---
# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net. # Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth # forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net. # sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the
# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only).
# #
# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's # Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — # NOT included here — it is served by the forteapp chart's own Certificate (secret
# can use it without cross-namespace cloning. The secret-cloner Kyverno policy # forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net
# can't help here: it only clones on NEW namespace creation (generateExisting:false) # wildcard, so adding it here would be redundant.
# and forte-drop already exists.
# #
# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The # Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's
# forte-helm chart must reference this secret VERBATIM and must NOT also create a # Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can
# Certificate into the same secret (else cert-manager thrashes). The dns01 solver # use it without cross-namespace cloning. This is the single issuer of secret
# in letsencrypt-prod is authorized for these names via its selector.dnsNames. # wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references
# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its
# selector.dnsZones (forteapps.net).
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
1
 @@ -25,7 +27,6 @@ spec:
kind: ClusterIssuer kind: ClusterIssuer
dnsNames: dnsNames:
- '*.drop.forteapps.net' # per-slug forte drop subdomains - '*.drop.forteapps.net' # per-slug forte drop subdomains
- 'drop.forteapps.net' # apex (admin + /shared public drops)
duration: 2160h0m0s # 90 days duration: 2160h0m0s # 90 days
renewBefore: 720h0m0s # renew 30 days before expiry renewBefore: 720h0m0s # renew 30 days before expiry
privateKey: privateKey:
cluster-resources/letsencrypt-issuer.yaml
+18 -12
View File
@@ -24,12 +24,15 @@ spec:
name: azuredns-config name: azuredns-config
key: client-secret key: client-secret
selector: selector:
dnsNames: # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net, # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
# so the per-drop subdomain wildcard needs its own selector entry. # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
- '*.drop.forteapps.net' # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
- 'drop.forteapps.net' # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
- '*.forteapps.net' # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
# Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
# to match fall through to the http01 solver below.
dnsZones:
- 'forteapps.net' - 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates # HTTP-01 fallback for non-wildcard certificates
- http01: - http01:
@@ -62,12 +65,15 @@ spec:
name: azuredns-config name: azuredns-config
key: client-secret key: client-secret
selector: selector:
dnsNames: # NOTE: cert-manager solver selectors are NOT TLS-style wildcards. selector.dnsNames
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net, # matches by exact FQDN, so '*.forteapps.net' here would match only a cert literally
# so the per-drop subdomain wildcard needs its own selector entry. # named '*.forteapps.net' — it would NOT cover 'drop.forteapps.net'. selector.dnsZones
- '*.drop.forteapps.net' # instead suffix-matches the zone apex AND every subdomain at any depth, so this single
- 'drop.forteapps.net' # entry routes all forteapps.net ACME challenges (forteapps.net, *.forteapps.net,
- '*.forteapps.net' # drop.forteapps.net, *.drop.forteapps.net, mcp.drop.forteapps.net, ...) through this
# Azure dns01 solver. Wildcard names require dns01; non-wildcard names that ever fail
# to match fall through to the http01 solver below.
dnsZones:
- 'forteapps.net' - 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates # HTTP-01 fallback for non-wildcard certificates
- http01: - http01: