---
# Wildcard TLS cert for the per-slug drop subdomains: *.drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net.
#
# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace —
# can use it without cross-namespace cloning. The secret-cloner Kyverno policy
# can't help here: it only clones on NEW namespace creation (generateExisting:false)
# and forte-drop already exists.
#
# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The
# forte-helm chart must reference this secret VERBATIM and must NOT also create a
# Certificate into the same secret (else cert-manager thrashes). The dns01 solver
# in letsencrypt-prod is authorized for these names via its selector.dnsNames.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-drop-forteapps-net
  namespace: forte-drop
spec:
  secretName: wildcard-drop-forteapps-net-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - '*.drop.forteapps.net'   # per-slug forte drop subdomains
    - 'drop.forteapps.net'     # apex (admin + /shared public drops)
  duration: 2160h0m0s     # 90 days
  renewBefore: 720h0m0s   # renew 30 days before expiry
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096
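Added here as an example, not part of the manifest or the forte-helm chart: a small lint over cert-manager Certificate objects in the shape `kubectl get certificate -A -o json` returns (the `.items` list), checking the invariants the comments above rely on: exactly one Certificate writes a given secret in a namespace, `renewBefore` is shorter than `duration`, and the apex name is listed beside its wildcard (a wildcard SAN does not cover the apex). The sample items are constructed; `forte-helm-drop-tls` and `wildcard-only-example` are hypothetical names standing in for a chart-created duplicate.

```python
import re

_UNITS = {"h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Go-style duration as cert-manager writes it ("2160h0m0s", "720h") to seconds."""
    parts = re.findall(r"(\d+)([hms])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad duration: {text!r}")
    return sum(int(n) * _UNITS[u] for n, u in parts)

def lint_certificates(items):
    """Return findings (strings) for a list of Certificate objects; empty means consistent."""
    findings, writers = [], {}
    for cert in items:
        ns, name = cert["metadata"]["namespace"], cert["metadata"]["name"]
        spec = cert["spec"]
        # Two Certificates targeting one secret overwrite each other's output.
        writers.setdefault((ns, spec["secretName"]), []).append(name)
        # Renewal must be scheduled before expiry.
        if parse_duration(spec.get("renewBefore", "0s")) >= parse_duration(spec.get("duration", "2160h")):
            findings.append(f"{ns}/{name}: renewBefore must be shorter than duration")
        # A wildcard SAN does not match its apex; the apex needs its own entry.
        names = set(spec.get("dnsNames", []))
        for n in names:
            if n.startswith("*.") and n[2:] not in names:
                findings.append(f"{ns}/{name}: wildcard {n} listed without apex {n[2:]}")
    for (ns, secret), owners in writers.items():
        if len(owners) > 1:
            findings.append(f"{ns}: secret {secret} written by {sorted(owners)}; cert-manager will thrash")
    return findings

def _cert(ns, name, secret, dns, duration="2160h0m0s", renew="720h0m0s"):
    """Build the minimal Certificate JSON shape the lint reads."""
    return {"metadata": {"namespace": ns, "name": name},
            "spec": {"secretName": secret, "dnsNames": dns, "duration": duration, "renewBefore": renew}}

# Constructed sample: the manifest's Certificate, a hypothetical chart-created duplicate
# writing the same secret, and a hypothetical wildcard-only cert with a bad renewBefore.
SAMPLE_ITEMS = [
    _cert("forte-drop", "wildcard-drop-forteapps-net", "wildcard-drop-forteapps-net-tls",
          ["*.drop.forteapps.net", "drop.forteapps.net"]),
    _cert("forte-drop", "forte-helm-drop-tls", "wildcard-drop-forteapps-net-tls",
          ["*.drop.forteapps.net", "drop.forteapps.net"]),
    _cert("forte-drop", "wildcard-only-example", "wildcard-only-tls",
          ["*.drop.forteapps.net"], renew="2160h0m0s"),
]

if __name__ == "__main__":
    for finding in lint_certificates(SAMPLE_ITEMS):
        print(finding)
```

Run against a live cluster with `kubectl get certificate -A -o json | python3 -c 'import json,sys; ...'` feeding `json.load(sys.stdin)["items"]` to `lint_certificates`; the manifest above alone (first sample item) produces no findings.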