Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Wiki Activity
Files
44ae8e0da68944644065d3b9eb777b0a85a29019
launchpad/cluster-resources/letsencrypt-issuer.yaml
Sten 44ae8e0da6 feat(forte-drop): wildcard cert *.drop.forteapps.net for subdomain-per-drop 
forte_drop is moving to per-slug subdomains: forte-login drops served at
<slug>.drop.forteapps.net (sidecar-gated), public/password drops at
drop.forteapps.net/shared/<slug>. That needs a wildcard TLS cert.

- letsencrypt-issuer.yaml: add '*.drop.forteapps.net' + 'drop.forteapps.net' to
  the dns01 azureDNS solver selector in BOTH issuers. The existing '*.forteapps.net'
  selector only matches single-label children, so it does NOT cover the two-label
  '*.drop.forteapps.net' — without this the wildcard challenge has no matching solver
  and issuance fails. SP already has zone-level rights on forteapps.net.
- new Certificate wildcard-drop-forteapps-net in the forte-drop namespace -> secret
  wildcard-drop-forteapps-net-tls (dnsNames *.drop + apex). Issued in-namespace so the
  app's Traefik IngressRoute can reference it directly (the secret-cloner can't help:
  generateExisting:false + forte-drop ns already exists). Added to the overlay
  kustomization so ArgoCD manages it (the Application is prune+selfHeal).

This is the SINGLE issuer of that secret. The forte-helm chart must reference it
verbatim and must NOT create its own Certificate into the same secret.

Depends on: DNS *.drop.forteapps.net resolving + ACME TXT in the flat forteapps.net
zone (no delegated drop. child zone). Do NOT merge until that's confirmed.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-09 16:49:15 +02:00

200 lines
7.5 KiB
YAML
Raw Blame History

---
# Staging ClusterIssuer for testing (higher rate limits, not browser-trusted)
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
# Let's Encrypt staging server
server: https://acme-staging-v02.api.letsencrypt.org/directory
email: danijels@gmail.com
privateKeySecretRef:
name: letsencrypt-staging-key
solvers:
- dns01:
azureDNS:
subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
resourceGroupName: forteapps-domain
hostedZoneName: forteapps.net
environment: AzurePublicCloud
tenantID: 063afd9e-5fcb-48d2-a769-ca31b0f5b443
clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
clientSecretSecretRef:
name: azuredns-config
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates
- http01:
ingress:
class: traefik
---
# Production ClusterIssuer for browser-trusted certificates
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-prod
spec:
acme:
# Let's Encrypt production server
server: https://acme-v02.api.letsencrypt.org/directory
email: danijels@gmail.com
privateKeySecretRef:
name: letsencrypt-prod-key
solvers:
# DNS-01 solver for wildcard certificates (*.forteapps.net)
- dns01:
azureDNS:
subscriptionID: 1b52bc03-6815-4574-b579-60745dce544d
resourceGroupName: forteapps-domain
hostedZoneName: forteapps.net
environment: AzurePublicCloud
tenantID: 063afd9e-5fcb-48d2-a769-ca31b0f5b443
clientID: 3b7a4ebf-894c-4f5d-9b1e-2b61312f8e74
clientSecretSecretRef:
name: azuredns-config
key: client-secret
selector:
dnsNames:
# *.forteapps.net only matches single-label children, NOT *.drop.forteapps.net,
# so the per-drop subdomain wildcard needs its own selector entry.
- '*.drop.forteapps.net'
- 'drop.forteapps.net'
- '*.forteapps.net'
- 'forteapps.net'
# HTTP-01 fallback for non-wildcard certificates
- http01:
ingress:
class: traefik
# =============================================================================
# CONFIGURATION INSTRUCTIONS FOR AZURE DNS WITH WILDCARD CERTIFICATES
# =============================================================================
#
# PREREQUISITES IN AZURE DNS PORTAL:
# ----------------------------------
# 1. Ensure you have an Azure DNS Zone for "forteapps.net" created in your
# Azure subscription. If not, create it in Azure Portal:
# - Search for "DNS zones" → Create → Zone name: forteapps.net
# - Note the Resource Group where you create it (e.g., "dns-zones-rg")
#
# 2. Configure NS records at your domain registrar to point to Azure DNS:
# - In Azure Portal → DNS zones → forteapps.net
# - Note the 4 NS records shown (e.g., ns1-04.azure-dns.com, etc.)
# - Go to your domain registrar and update the NS records to these values
#
# AUTHENTICATION (Service Principal - Required for UpCloud/non-Azure clusters):
# ----------------------------------------------------------------------------
# Since your cluster runs on UpCloud (not AKS), you must use Service Principal
# authentication. Managed Identity only works with Azure-hosted resources.
#
# =============================================================================
# SETUP: Service Principal for UpCloud Clusters
# =============================================================================
#
# 1. Create Azure AD App Registration:
# az ad sp create-for-rbac --name cert-manager-dns --sdk-auth
# # Save the JSON output - you'll need appId (clientID) and password (clientSecret)
#
# 2. Assign DNS Zone Contributor role:
# az role assignment create \
# --role "DNS Zone Contributor" \
# --assignee <SERVICE_PRINCIPAL_CLIENT_ID> \
# --scope /subscriptions/<SUBSCRIPTION_ID>/resourceGroups/<DNS_RESOURCE_GROUP>/providers/Microsoft.Network/dnszones/forteapps.net
#
# 3. Create Kubernetes secret for the service principal:
# kubectl create secret generic azuredns-config \
# --namespace cert-manager \
# --from-literal=client-secret=YOUR_CLIENT_SECRET
#
# 4. Update the ClusterIssuer above with:
# - subscriptionID: Your Azure subscription ID
# - resourceGroupName: The resource group containing your DNS zone
# - clientID: The Service Principal appId/clientID
# - clientSecretSecretRef: References the secret created in step 3
#
# =============================================================================
# ALTERNATIVE DNS PROVIDERS (for reference):
# =============================================================================
# -----------------------------------------------------------------------------
# Cloudflare (original configuration)
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic cloudflare-api-token-secret \
# --from-literal=api-token=YOUR_CLOUDFLARE_API_TOKEN -n cert-manager
#
# dns01:
# cloudflare:
# email: your-cloudflare-email@example.com
# apiTokenSecretRef:
# name: cloudflare-api-token-secret
# key: api-token
# -----------------------------------------------------------------------------
# AWS Route53
# -----------------------------------------------------------------------------
# Create secret with: kubectl create secret generic route53-credentials \
# --from-literal=secret-access-key=YOUR_SECRET_KEY -n cert-manager
#
# dns01:
# route53:
# region: us-east-1
# hostedZoneID: ZXXXXXXXXXXXXX
# accessKeyID: YOUR_ACCESS_KEY_ID
# secretAccessKeySecretRef:
# name: route53-credentials
# key: secret-access-key
# -----------------------------------------------------------------------------
# Google Cloud DNS
# -----------------------------------------------------------------------------
# Create secret with service account JSON key:
# kubectl create secret generic clouddns-service-account \
# --from-file=service-account.json=path/to/key.json -n cert-manager
#
# dns01:
# cloudDNS:
# project: YOUR_GCP_PROJECT_ID
# hostedZoneName: example-com
# serviceAccountSecretRef:
# name: clouddns-service-account
# key: service-account.json
# -----------------------------------------------------------------------------
# GoDaddy
# -----------------------------------------------------------------------------
# Requires external webhook: https://github.com/snowdrop/godaddy-webhook
#
# dns01:
# webhook:
# groupName: acme.yourcompany.com
# solverName: godaddy
# config:
# apiKeySecretRef:
# name: godaddy-api-credentials
# key: api-key
# apiSecretSecretRef:
# name: godaddy-api-credentials
# key: api-secret
# -----------------------------------------------------------------------------
# Manual/Dynamic DNS (for homelab)
# -----------------------------------------------------------------------------
# Requires RFC2136 provider or external webhook
#
# dns01:
# rfc2136:
# nameserver: your-dns-server.example.com
# tsigKeyName: cert-manager-key
# tsigAlgorithm: HMACSHA256
# tsigSecretSecretRef:
# name: tsig-secret
# key: secret
Reference in New Issue View Git Blame Copy Permalink