Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Wiki Activity
Files
44ae8e0da68944644065d3b9eb777b0a85a29019
launchpad/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml
Sten 44ae8e0da6 feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop 
forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.

- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
  the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
  selector only matches single-label children, so it does NOT cover the two-label
  '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
  and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
  wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
  app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
  generateExisting:false + forte-drop ns already exists). Added to the overlay
  kustomization so ArgoCD manages it (the Application is prune+selfHeal).

This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.

Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 16:49:15 +02:00

35 lines
1.4 KiB
YAML
Raw Blame History

---
# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net.
#
# Issued DIRECTLY into the forte-drop namespace (not cert-manager) so the app's
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace —
# can use it without cross-namespace cloning. The secret-cloner Kyverno policy
# can't help here: it only clones on NEW namespace creation (generateExisting:false)
# and forte-drop already exists.
#
# This is the SINGLE issuer of secret `wildcard-drop-forteapps-net-tls`. The
# forte-helm chart must reference this secret VERBATIM and must NOT also create a
# Certificate into the same secret (else cert-manager thrashes). The dns01 solver
# in letsencrypt-prod is authorized for these names via its selector.dnsNames.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-drop-forteapps-net
namespace: forte-drop
spec:
secretName: wildcard-drop-forteapps-net-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- '*.drop.forteapps.net' # per-slug forte drop subdomains
- 'drop.forteapps.net' # apex (admin + /shared public drops)
duration: 2160h0m0s # 90 days
renewBefore: 720h0m0s # renew 30 days before expiry
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096
Reference in New Issue View Git Blame Copy Permalink