Forte/launchpad
6
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Wiki Activity
Files
fcf187e903acd3250da1c1d95fafc256cdfd9f62
launchpad/apps/overlays/upc-dev/forte-drop/wildcard-drop-tls-certificate.yaml
T
Sten fcf187e903
AI Code Review / ai-review (pull_request) Has been skipped
Details
fix(forte-drop): drop apex SAN, use dnsZones in issuer selector 
- Apex drop.forteapps.net already gets its own cert from the forteapp
  chart (forte-drop-tls); the SAN on the wildcard cert was redundant.
- cert-manager selector.dnsNames matches exact FQDNs (no wildcard
  expansion), so the enumerated list is replaced by
  dnsZones: [forteapps.net], covering apex + all subdomains.

Refs #22

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
2026-06-12 09:24:22 +02:00

36 lines
1.5 KiB
YAML
Raw Blame History

---
# Wildcard TLS cert for the per-slug drop subdomains: <slug>.drop.forteapps.net.
# forte_drop serves forte-login drops on their own subdomain (gated by the auth
# sidecar), so each drop needs a valid cert for *.drop.forteapps.net — a name the
# existing *.forteapps.net wildcard CANNOT cover (TLS wildcards match one label only).
#
# Scope: this cert covers ONLY *.drop.forteapps.net. The apex drop.forteapps.net is
# NOT included here — it is served by the forteapp chart's own Certificate (secret
# forte-drop-tls, dnsNames: [drop.forteapps.net]) and/or the existing *.forteapps.net
# wildcard, so adding it here would be redundant.
#
# Issued DIRECTLY into the forte-drop namespace (not via the chart) so the app's
# Traefik IngressRoute — which must reference a TLS secret in its OWN namespace — can
# use it without cross-namespace cloning. This is the single issuer of secret
# wildcard-drop-forteapps-net-tls; the forte-drop-subdomains IngressRoute references
# that secret. The letsencrypt-prod dns01 solver is authorized for this name via its
# selector.dnsZones (forteapps.net).
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: wildcard-drop-forteapps-net
namespace: forte-drop
spec:
secretName: wildcard-drop-forteapps-net-tls
issuerRef:
name: letsencrypt-prod
kind: ClusterIssuer
dnsNames:
- '*.drop.forteapps.net' # per-slug forte drop subdomains
duration: 2160h0m0s # 90 days
renewBefore: 720h0m0s # renew 30 days before expiry
privateKey:
algorithm: RSA
encoding: PKCS1
size: 4096
Reference in New Issue View Git Blame Copy Permalink