diff --git a/apps/worldbuilder/worldbuilder.yaml b/apps/worldbuilder/worldbuilder.yaml index 126427b..55587c3 100644 --- a/apps/worldbuilder/worldbuilder.yaml +++ b/apps/worldbuilder/worldbuilder.yaml @@ -90,7 +90,7 @@ spec: containers: - name: web # Bump tag for each rebuild. Initial deploy: v202605062048 - image: localhost/fc-worldbuilder:v20260613-e4-about-edd6efc + image: localhost/fc-worldbuilder:v20260620-chrome-94c6d42 imagePullPolicy: Never ports: - containerPort: 8080 @@ -208,34 +208,6 @@ spec: - name: http port: 80 targetPort: 8080 ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: worldbuilder-web-tls - namespace: fc-worldbuilder - labels: - app.kubernetes.io/name: worldbuilder-web-tls - app.kubernetes.io/component: ingress - app.kubernetes.io/part-of: flowercore - app.kubernetes.io/managed-by: argocd - flowercore.io/tenant-id: system - flowercore.io/created-by: bluejay-infra -spec: - secretName: worldbuilder-web-tls - issuerRef: - name: step-ca-acme - kind: ClusterIssuer - dnsNames: - - worldbuilder.iamworkin.lan - # step-ca ACME provisioner caps lifetime at 30d. Requesting 90d - # silently capped to 30d, making renewBefore 720h (30d) equal to the - # actual cert lifetime — triggered a perpetual renewal loop that - # generated 2365+ CertificateRequest objects in 18h. Match the working - # 720h/240h pattern used by every other FC service cert. - duration: 720h # 30d (step-ca cap) - renewBefore: 240h # 10d ---- apiVersion: traefik.io/v1alpha1 kind: IngressRoute metadata: @@ -257,8 +229,7 @@ spec: services: - name: worldbuilder-web port: 80 - tls: - secretName: worldbuilder-web-tls + tls: {} # ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ---- # When the operator decides to expose worldbuilder-web publicly, uncomment + update the host, # then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).