fc-apple-mdm: add NanoHUB GitOps workload

apps/fc-apple-mdm/ingressroute.yaml

@@ -0,0 +1,29 @@
+# LAN ingress for NanoHUB.
+#
+# Traefik terminates step-ca TLS; NanoHUB listens on HTTP :9004 and serves the
+# Apple MDM protocol endpoints. The NanoHUB API stays cluster-internal for
+# MDM-N1; do not route /api/v1 through Traefik until the operator approves an
+# API exposure model.
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: fc-apple-mdm
+  namespace: fc-apple-mdm
+  labels:
+    app.kubernetes.io/name: fc-apple-mdm
+    app.kubernetes.io/component: mdm
+    app.kubernetes.io/part-of: flowercore
+    app.kubernetes.io/managed-by: argocd
+    flowercore.io/tenant-id: system
+    flowercore.io/created-by: bluejay-infra
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`mdm.iamworkin.lan`) && (PathPrefix(`/mdm`) || PathPrefix(`/checkin`) || PathPrefix(`/version`))
+      kind: Rule
+      services:
+        - name: fc-apple-mdm
+          port: 80
+  tls:
+    secretName: fc-apple-mdm-tls