Sync GX10 Traefik VIP and Intranet route

apps-gx10/fc-apple-mdm/README.md

@@ -50,7 +50,7 @@ IAmWorkin ACME CA; Smallstep SCEP requires an RSA intermediate/decrypter path.
    1Password operator for this workload.
 2. Import `localhost/fc-apple-mdm-nanohub:v0.2.0-20260617` into GX10 containerd
    before ArgoCD syncs. The deployment uses `imagePullPolicy: Never`.
-3. Ensure `mdm.iamworkin.lan` resolves to the GX10 Traefik VIP `10.0.57.202`
+3. Ensure `mdm.iamworkin.lan` resolves to the GX10 Traefik VIP `10.0.56.200`
    before cert-manager requests `Certificate/fc-apple-mdm-tls`.
 4. Prove `https://mdm.iamworkin.lan/version` after ArgoCD converges.
 5. Prove SCEP CA publication with

apps-gx10/fc-apple-mdm/fc-apple-mdm.yaml

@@ -235,7 +235,7 @@ metadata:
   name: fc-apple-mdm-tls
   namespace: fc-apple-mdm
   annotations:
-    flowercore.io/dns-preflight: "mdm.iamworkin.lan must resolve to 10.0.57.202 before ACME sync"
+    flowercore.io/dns-preflight: "mdm.iamworkin.lan must resolve to 10.0.56.200 before ACME sync"
 spec:
   secretName: fc-apple-mdm-tls
   issuerRef:

apps-gx10/intranet/ingressroute-intranet-web.json

@@ -22,8 +22,6 @@
         ]
       }
     ],
-    "tls": {
+    "tls": {}
-      "secretName": "intranet-tls"
-    }
   }
 }

gx10/platform/README.md

@@ -8,8 +8,8 @@ auto-deploy them there. Once ArgoCD is stood up on the GX10, a GX10-only
 ApplicationSet (`apps-gx10/*`) will own these.
 
 - `step-ca-acme.yaml` — cert-manager ClusterIssuer (ACME → noc1 step-ca, in-spec caBundle). APPLIED + Ready.
-- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5) via the RKE2 HelmChart CRD, LoadBalancer VIP 10.0.57.202 (prod-pool; temp parallel-run VIP — canonical .200 reclaimed at cutover), with `externalTrafficPolicy: Local` so tenant IP allowlists see client source IP instead of the GX10 node hop. APPLIED.
+- `traefik-helmchart.yaml` — Traefik v3.6.10 (chart 39.0.5), live as a Helm release in `traefik-system`, LoadBalancer VIP `10.0.56.200` from the active `bluejay-pool` (`10.0.56.200-10.0.56.220`). APPLIED.
-- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.57.202`. APPLIED.
+- `gitea-ssh-service.yaml` — Gitea SSH LoadBalancer service on `10.0.57.206:22` with `externalTrafficPolicy: Local`; HTTPS Gitea remains behind the Traefik VIP at `10.0.56.200`. APPLIED.
 
 cert-manager v1.17.2 was installed separately (upstream static manifest). See
 `docs/ai-agents/gx10-migration-continuation-2026-06-14.md` + memory

gx10/platform/traefik-helmchart.yaml

@@ -10,12 +10,58 @@ spec:
   targetNamespace: traefik-system
   createNamespace: true
   valuesContent: |
+    additionalArguments:
+      - --api.dashboard=true
+      - --log.level=INFO
+      - --providers.kubernetescrd
+      - --providers.kubernetesingress
+    deployment:
+      replicas: 2
     service:
       type: LoadBalancer
       spec:
-        externalTrafficPolicy: Local
+        externalTrafficPolicy: Cluster
-      annotations:
+        loadBalancerIP: 10.0.56.200
-        metallb.io/loadBalancerIPs: 10.0.57.202
+    ports:
+      irc:
+        expose:
+          default: true
+        exposedPort: 6667
+        port: 6667
+        protocol: TCP
+      irctls:
+        expose:
+          default: true
+        exposedPort: 6697
+        port: 6697
+        protocol: TCP
+      traefik:
+        expose:
+          default: false
+        exposedPort: 8080
+        port: 8080
+        protocol: TCP
+      web:
+        exposedPort: 80
+        port: 8000
+        protocol: TCP
+      websecure:
+        exposedPort: 443
+        port: 8443
+        protocol: TCP
+    rbac:
+      enabled: true
+    resources:
+      limits:
+        cpu: 500m
+        memory: 256Mi
+      requests:
+        cpu: 100m
+        memory: 128Mi
+    tolerations:
+      - effect: NoSchedule
+        key: node-role.kubernetes.io/control-plane
+        operator: Exists
     ingressClass:
       enabled: true
       isDefaultClass: false

tests/bluejay-infra-lint/FleetManifestLintTests.cs

@@ -255,8 +255,8 @@ public sealed class FleetManifestLintTests
         var traefikPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "traefik-helmchart.yaml");
         var traefik = File.ReadAllText(traefikPath);
 
-        traefik.Should().Contain("metallb.io/loadBalancerIPs: 10.0.57.202");
+        traefik.Should().Contain("loadBalancerIP: 10.0.56.200");
-        traefik.Should().Contain("spec:\n        externalTrafficPolicy: Local");
+        traefik.Should().Contain("externalTrafficPolicy: Cluster");
 
         var giteaPath = Path.Combine(Inventory.BluejayRoot, "gx10", "platform", "gitea-ssh-service.yaml");
         var gitea = File.ReadAllText(giteaPath);

tests/bluejay-infra-lint/Gx10AppleMdmNanohubTests.cs

@@ -120,7 +120,7 @@ public sealed class Gx10AppleMdmNanohubTests
         readme.Should().Contain("FlowerCore Apple MDM Runtime");
         readme.Should().Contain("Secret/fc-apple-mdm-runtime");
         readme.Should().Contain("imagePullPolicy: Never");
-        readme.Should().Contain("10.0.57.202");
+        readme.Should().Contain("10.0.56.200");
         readme.Should().Contain("https://mdm.iamworkin.lan/scep/apple-mdm-scep");
         readme.Should().Contain("Smallstep SCEP requires an RSA intermediate");
         readme.Should().Contain("does not create an APNs MDM push certificate");