deploy(dns): enable production auth profile

apps/fc-dns/fc-dns.yaml

@@ -26,6 +26,17 @@ metadata:
 spec:
   itemPath: "vaults/IAmWorkin/items/dns-oidc-client"
 ---
+# Service X-Api-Key for the cert-manager ACME webhook -> dns-web call path.
+# The 1Password operator resolves this item into Secret/dns-api-keys; field
+# `api_key` becomes Secret key `api_key`.
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: dns-api-keys
+  namespace: fc-dns
+spec:
+  itemPath: "vaults/IAmWorkin/items/FlowerCore DNS API Keys"
+---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
@@ -48,7 +59,7 @@ data:
     {
         "FlowerCore": {
         "Auth": {
-          "Enabled": false,
+          "Enabled": true,
           "Oidc": {
             "Enabled": true,
             "Audience": "dns",
@@ -63,7 +74,7 @@ data:
         },
         "Tenant": {
           "DefaultTenantId": "default",
-          "JwtClaimsEnabled": false,
+          "JwtClaimsEnabled": true,
           "DefaultTenantHosts": [
             "dns.iamworkin.lan"
           ]
@@ -111,7 +122,7 @@ spec:
         fsGroup: 1654
       containers:
         - name: dns-web
-          image: localhost/fc-dns-web:v20260614-wave5-isolation-6124856
+          image: localhost/fc-dns-web:v20260615-phase0-hybrid-f77fb94
           imagePullPolicy: Never
           securityContext:
             readOnlyRootFilesystem: true
@@ -148,8 +159,14 @@ spec:
                   name: dns-oidc-client
                   key: client_secret
                   optional: true
+            - name: FlowerCore__Auth__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: dns-api-keys
+                  key: api_key
+                  optional: true
             - name: FlowerCore__Auth__Enabled
-              value: "false"
+              value: "true"
             - name: FlowerCore__Auth__Oidc__Enabled
               value: "true"
             - name: FlowerCore__Auth__Oidc__Audience
@@ -209,6 +226,42 @@ spec:
       targetPort: 5320
   type: ClusterIP
 ---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: dns-web-ingress-isolation
+  namespace: fc-dns
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: dns-web
+  policyTypes:
+    - Ingress
+  ingress:
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+          podSelector:
+            matchLabels:
+              app.kubernetes.io/name: traefik
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: fc-dns
+        - ipBlock:
+            cidr: 10.42.0.0/16
+        - ipBlock:
+            cidr: 10.0.56.0/24
+        - ipBlock:
+            cidr: 10.0.57.0/24
+        - ipBlock:
+            cidr: 10.0.58.0/24
+        - ipBlock:
+            cidr: 10.0.68.0/27
+      ports:
+        - port: 5320
+          protocol: TCP
+---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
@@ -303,7 +356,7 @@ spec:
         fsGroup: 1654
       containers:
         - name: dns-acme-webhook
-          image: localhost/fc-dns-acme-webhook:v20260614-wave5-isolation-6124856
+          image: localhost/fc-dns-acme-webhook:v20260615-phase0-hybrid-f77fb94
           imagePullPolicy: Never
           securityContext:
             readOnlyRootFilesystem: true
@@ -322,6 +375,12 @@ spec:
               value: /tls/tls.key
             - name: FlowerCore__Dns__AcmeWebhook__ServiceBaseUrl
               value: http://dns-web:5320
+            - name: FlowerCore__Dns__AcmeWebhook__ApiKey
+              valueFrom:
+                secretKeyRef:
+                  name: dns-api-keys
+                  key: api_key
+                  optional: true
             - name: FlowerCore__Dns__AcmeWebhook__GroupName
               value: acme.flowercore.io
             - name: FlowerCore__Dns__AcmeWebhook__SolverName