Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing

RKE2 Traefik has no ACME certResolver configured, so IngressRoutes
using certResolver: step-ca silently fall back to the Traefik default
self-signed cert. Fix by using cert-manager Certificate resources with
the step-ca-acme ClusterIssuer and tls.secretName in IngressRoutes.

- fc-landing: Add Certificate, change tls: {} to tls.secretName
- fc-mysql: New app (Certificate + IngressRoute only)
- fc-php: New app (Certificate + IngressRoute only)
- fc-desktop: New app (Certificate + IngressRoute only)
- fc-signage: New app (Certificate + IngressRoute, plus HTTP route for players)

Deployments/Services for mysql/php/desktop/signage are managed by
deploy scripts, not ArgoCD. These apps only manage TLS + ingress.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/fc-desktop/fc-desktop.yaml

@@ -0,0 +1,32 @@
+# FlowerCore Remote Desktop — TLS + Ingress
+# Deployment and Service managed by deploy script (not ArgoCD)
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: remotedesktop-web-tls
+  namespace: fc-desktop
+spec:
+  secretName: remotedesktop-web-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - desktop.iamworkin.lan
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: remotedesktop-web
+  namespace: fc-desktop
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`desktop.iamworkin.lan`)
+      kind: Rule
+      services:
+        - name: remotedesktop-web
+          port: 8080
+  tls:
+    secretName: remotedesktop-web-tls