diff --git a/apps/fc-desktop/fc-desktop.yaml b/apps/fc-desktop/fc-desktop.yaml
new file mode 100644
index 0000000..dc49ae5
--- /dev/null
+++ b/apps/fc-desktop/fc-desktop.yaml
@@ -0,0 +1,32 @@
+# FlowerCore Remote Desktop — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: remotedesktop-web-tls
+ namespace: fc-desktop
+spec:
+ secretName: remotedesktop-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - desktop.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: remotedesktop-web
+ namespace: fc-desktop
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`desktop.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: remotedesktop-web
+ port: 8080
+ tls:
+ secretName: remotedesktop-web-tls
diff --git a/apps/fc-landing/fc-landing.yaml b/apps/fc-landing/fc-landing.yaml
index ad6b4bc..f6d2c34 100644
--- a/apps/fc-landing/fc-landing.yaml
+++ b/apps/fc-landing/fc-landing.yaml
@@ -256,6 +256,20 @@ spec:
 targetPort: 80
 name: http
 ---
+# TLS Certificate for internal LAN access
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: fc-landing-tls
+ namespace: fc-system
+spec:
+ secretName: fc-landing-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - flowercore.iamworkin.lan
+---
 # Internal IngressRoute (LAN access)
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -271,7 +285,8 @@ spec:
 services:
 - name: fc-landing
 port: 80
- tls: {}
+ tls:
+ secretName: fc-landing-tls
 ---
 # Public IngressRoute (flowercore.io with Cloudflare origin cert)
 apiVersion: traefik.io/v1alpha1
diff --git a/apps/fc-mysql/fc-mysql.yaml b/apps/fc-mysql/fc-mysql.yaml
new file mode 100644
index 0000000..35e386d
--- /dev/null
+++ b/apps/fc-mysql/fc-mysql.yaml
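Review bot: The `remotedesktop-web` IngressRoute in apps/fc-desktop/fc-desktop.yaml sends every request for `desktop.iamworkin.lan` straight to the service with no `middlewares` entry, so the only access control in front of a remote-desktop console is whatever the application itself enforces, which this diff does not show. The same applies to the `mysql-web` and `php-web` routes added in apps/fc-mysql/fc-mysql.yaml and apps/fc-php/fc-php.yaml, both of which front administrative tools. If an authentication or source-address allow-list Middleware already exists in the cluster, attach it under each route with `middlewares:` and `- name: <existing-auth-middleware>`; otherwise add a comment such as `# auth enforced by the app; reachable from the whole LAN by design` so the exposure is a recorded decision.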
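Review bot: The `fc-landing-tls` Certificate added in the first hunk of apps/fc-landing/fc-landing.yaml sets no `privateKey` block, so the key algorithm, key size and whether the key is regenerated on renewal are left to the defaults of the installed cert-manager version; older releases, as far as I recall, reuse the same key across renewals. Pinning it makes the behaviour explicit: `privateKey:` followed by `rotationPolicy: Always`. The other Certificate objects in this commit (fc-desktop, fc-mysql, fc-php, fc-signage) are written the same way.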
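Review bot: The new `tls.secretName: fc-landing-tls` in the second hunk of apps/fc-landing/fc-landing.yaml only resolves if this IngressRoute is in `fc-system`, the namespace of the Certificate added in the previous hunk; the route's `metadata` lies outside the hunk, so that should be checked. Traefik reads the secret from the IngressRoute's own namespace, and a missing secret tends to show up as the default certificate being served rather than as an error, which is easy to miss on a LAN host. A short comment on the line, e.g. `# issued by Certificate fc-landing-tls (same namespace)`, would keep the two objects tied together.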
@@ -0,0 +1,32 @@
+# FlowerCore MySQL Manager — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: mysql-web-tls
+ namespace: fc-mysql
+spec:
+ secretName: mysql-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - mysql.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: mysql-web
+ namespace: fc-mysql
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`mysql.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: mysql-web
+ port: 5300
+ tls:
+ secretName: mysql-web-tls
diff --git a/apps/fc-php/fc-php.yaml b/apps/fc-php/fc-php.yaml
new file mode 100644
index 0000000..feb5614
--- /dev/null
+++ b/apps/fc-php/fc-php.yaml
@@ -0,0 +1,32 @@
+# FlowerCore PHP Manager — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: php-web-tls
+ namespace: fc-php
+spec:
+ secretName: php-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - php.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: php-web
+ namespace: fc-php
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`php.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: php-web
+ port: 5400
+ tls:
+ secretName: php-web-tls
diff --git a/apps/fc-signage/fc-signage.yaml b/apps/fc-signage/fc-signage.yaml
new file mode 100644
index 0000000..fcafe8e
--- /dev/null
+++ b/apps/fc-signage/fc-signage.yaml
@@ -0,0 +1,48 @@
+# FlowerCore Digital Signage — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: signage-web-tls
+ namespace: fc-signage
+spec:
+ secretName: signage-web-tls
+ issuerRef:
+ name: step-ca-acme
+ kind: ClusterIssuer
+ dnsNames:
+ - signage.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: signage-web
+ namespace: fc-signage
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`signage.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: signage-web
+ port: 5190
+ tls:
+ secretName: signage-web-tls
+---
+# HTTP route for signage players that may not use TLS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: signage-web-http
+ namespace: fc-signage
+spec:
+ entryPoints:
+ - web
+ routes:
+ - match: Host(`signage.iamworkin.lan`)
+ kind: Rule
+ services:
+ - name: signage-web
+ port: 5190
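Review bot: The `signage-web-http` route at the end of apps/fc-signage/fc-signage.yaml serves the whole of `signage.iamworkin.lan` on the `web` entry point, so anything the service exposes besides the player feed (a management UI, logins or session cookies, if it has them) also travels in cleartext on the LAN. Narrow the rule to what the non-TLS players actually fetch, e.g. ``- match: Host(`signage.iamworkin.lan`) && PathPrefix(`/<player-path>`)`` with the placeholder replaced by the real path, and leave everything else on `websecure`. The existing comment would also be more useful if it named which players need plain HTTP, so the route can be removed once they support TLS.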