---
# Wildcard TLS cert for the per-slug drop subdomains: .drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the
# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only).
#
# Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is
# NOT included here — it is served by the forteapp chart's own Certificate (secret
# forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net
# wildcard, so adding it here would be redundant.
#
# Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can
# use it without cross-namespace cloning. This is the single issuer of secret
# wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references
# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its
# selector.dnsZones (forteapps.net).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-drop-forteapps-net
  namespace: forte-drop
spec:
  secretName: wildcard-drop-forteapps-net-tls
  issuerRef:
    name: letsencrypt-prod
    kind: ClusterIssuer
  dnsNames:
    - '*.drop.forteapps.net' # per-slug forte drop subdomains
  duration: 2160h0m0s # 90 days
  renewBefore: 720h0m0s # renew 30 days before expiry
  privateKey:
    algorithm: RSA
    encoding: PKCS1
    size: 4096