Add step-ca TLS certs for mysql, php, desktop, signage, fc-landing

RKE2 Traefik has no ACME certResolver configured, so IngressRoutes
using certResolver: step-ca silently fall back to the Traefik default
self-signed cert. Fix by using cert-manager Certificate resources with
the step-ca-acme ClusterIssuer and tls.secretName in IngressRoutes.

- fc-landing: Add Certificate, change tls: {} to tls.secretName
- fc-mysql: New app (Certificate + IngressRoute only)
- fc-php: New app (Certificate + IngressRoute only)
- fc-desktop: New app (Certificate + IngressRoute only)
- fc-signage: New app (Certificate + IngressRoute, plus HTTP route for players)

Deployments/Services for mysql/php/desktop/signage are managed by
deploy scripts, not ArgoCD. These apps only manage TLS + ingress.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

apps/fc-landing/fc-landing.yaml

@@ -256,6 +256,20 @@ spec:
       targetPort: 80
       name: http
 ---
+# TLS Certificate for internal LAN access
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: fc-landing-tls
+  namespace: fc-system
+spec:
+  secretName: fc-landing-tls
+  issuerRef:
+    name: step-ca-acme
+    kind: ClusterIssuer
+  dnsNames:
+    - flowercore.iamworkin.lan
+---
 # Internal IngressRoute (LAN access)
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
@@ -271,7 +285,8 @@ spec:
       services:
         - name: fc-landing
           port: 80
-  tls: {}
+  tls:
+    secretName: fc-landing-tls
 ---
 # Public IngressRoute (flowercore.io with Cloudflare origin cert)
 apiVersion: traefik.io/v1alpha1