Add internal DNS IngressRoutes: telephony, grafana, prometheus, cockpit

- telephony.iamworkin.lan: cert-manager TLS + IngressRoute to telephony-web:5100
- grafana.iamworkin.lan: proxy to noc1:3000 via headless Service + Endpoints
- prometheus.iamworkin.lan: proxy to noc1:9091 via headless Service + Endpoints
- cockpit.iamworkin.lan: proxy to noc1:9090 with insecureSkipVerify (self-signed)
- All certs issued by step-ca-acme ClusterIssuer
- NetworkPolicy restricts noc-proxy to Traefik ingress + noc1 egress only

apps/telephony/telephony.yaml

@@ -277,3 +277,35 @@ spec:
         - namespaceSelector:
             matchLabels:
               kubernetes.io/metadata.name: onepassword-system
+---
+# TLS Certificate for internal hostname via cert-manager
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: telephony-internal-tls
+  namespace: telephony
+spec:
+  secretName: telephony-internal-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - telephony.iamworkin.lan
+---
+# Traefik IngressRoute — internal LAN access
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: telephony-web-internal
+  namespace: telephony
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - kind: Rule
+      match: Host(`telephony.iamworkin.lan`)
+      services:
+        - name: telephony-web
+          port: 5100
+  tls:
+    secretName: telephony-internal-tls