44ae8e0da6
forte_drop is moving to per-slug subdomains: forte-login drops served at <slug>.drop.forteapps.net (sidecar-gated), public/password drops at drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert. - letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net' selector only matches single-label children, so it does NOT cover the two-label '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver and issuance fails. SP already has zone-level rights on forteapps.net. - new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the app's Traefik IngressRoute can reference it directly (the secret-cloner can't help: generateExisting:false + forte-drop ns already exists). Added to the overlay kustomization so ArgoCD manages it (the Application is prune+selfHeal). This is the SINGLE issuer of that secret. The forte-helm chart must reference it verbatim and must NOT create its own Certificate into the same secret. Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net zone (no delegated drop. child zone). Do NOT merge until that's confirmed. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
7.5 KiB
7.5 KiB