# Wildcard routing for per-slug forte drops: .drop.forteapps.net -> the forte-drop
# web pod. The forteapp chart only emits a single exact Host(`drop.forteapps.net`) route
# (the apex: admin + /api + public /shared drops), so this ADDITIVE IngressRoute adds the
# wildcard. Kept in launchpad (forte-drop-specific) rather than the shared forteapp chart.
#
# It targets the SAME service the chart's route does — forte-drop-app:3000 — whose
# targetPort is the auth sidecar (service.yaml: targetPort = auth.sidecarPort when auth is
# on). So wildcard subdomains flow service:3000 -> sidecar -> app, i.e. they are Forte-login
# gated exactly like the admin root. A forteOnly drop is therefore never served un-gated.
#
# priority: 1 (intentionally LOW). Traefik orders routers by rule-length by default, and the
# regex string is longer than Host(`mcp.drop.forteapps.net`); without an explicit low
# priority this regex would OUTRANK and STEAL mcp.drop.forteapps.net (and the apex) into the
# web pod. priority:1 guarantees the exact Host() routers (mcp release, chart apex) always win;
# only real per-slug subdomains fall through to here. The app's reserved-slug check
# (mcp/www/api/admin/app) is a second line of defence.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: forte-drop-subdomains
  namespace: forte-drop
  labels:
    app.kubernetes.io/name: forte-drop
    app.kubernetes.io/part-of: apps
    app.kubernetes.io/managed-by: argocd
spec:
  entryPoints:
    - websecure
  routes:
    # Traefik v3 (chart 28.x) HostRegexp takes a Go RE2 pattern. Verify the rendered
    # router against mcp./www./app./apex/ before relying on it in prod.
    - match: HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`)
      kind: Rule
      priority: 1
      services:
        - name: forte-drop-app
          port: 3000
  tls:
    secretName: wildcard-drop-forteapps-net-tls
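
An added pre-deploy check, not part of the original manifest or the forteapp chart: a small Python model of Traefik's router selection (default priority is the rule-string length, an explicit priority overrides it) run over the rules named in the comments above. The router names are illustrative, and www./app. are assumed to have no exact Host() router of their own.

```python
import re

# Rules taken from the manifest and its comments. Router names are illustrative.
ROUTERS = [  # (name, rule, explicit priority or None)
    ("chart-apex", "Host(`drop.forteapps.net`)", None),
    ("mcp", "Host(`mcp.drop.forteapps.net`)", None),
    ("forte-drop-subdomains",
     r"HostRegexp(`^[a-z0-9-]+\.drop\.forteapps\.net$`)", 1),
]

def matches(rule, host):
    """Evaluate a single Host() or HostRegexp() matcher against a host name."""
    kind, arg = rule[:-2].split("(`", 1)  # drop the trailing `) then split
    if kind == "Host":
        return host == arg
    # The pattern uses only syntax that behaves the same in Go RE2 and Python.
    return re.fullmatch(arg, host) is not None

def effective_priority(rule, explicit):
    """Traefik default: a router's priority is the length of its rule string."""
    return explicit if explicit else len(rule)

def winner(host, honour_explicit=True):
    """Name of the matching router with the highest priority, or None."""
    hits = [(effective_priority(rule, prio if honour_explicit else None), name)
            for name, rule, prio in ROUTERS if matches(rule, host)]
    return max(hits)[1] if hits else None

if __name__ == "__main__":
    # Constructed host list covering the cases the manifest comment asks to verify.
    for host in ("drop.forteapps.net", "mcp.drop.forteapps.net",
                 "www.drop.forteapps.net", "app.drop.forteapps.net",
                 "my-slug.drop.forteapps.net", "a.b.drop.forteapps.net"):
        print(f"{host:28} priority:1 -> {winner(host)!s:22} "
              f"default -> {winner(host, honour_explicit=False)}")
```

In this model www. and app. still land on the wildcard router, so for those names the app's reserved-slug check is the only control in play.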