# edge2 Services — Traefik IngressRoutes for FlowerCore Print.Web on edge2
# Proxies print.iamworkin.lan to edge2 (10.0.57.16:5200) via headless Service
# + manual Endpoints (same K8s external-proxy pattern as noc-services).
#
# Print.Web has its own X-Api-Key authentication and exposes anonymous
# endpoints for the bookmarklet / Python CLI / cups-notifier flow, so no
# Traefik basicAuth middleware is wired here.
#
# ArgoCD managed - BlueJay Lab
---
apiVersion: v1
kind: Namespace
metadata:
  name: edge2-proxy
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
# ============================================================
# Print.Web - edge2:5200 (FlowerCore.Print.Web on Pi 4)
# ============================================================
apiVersion: v1
kind: Service
metadata:
  name: print-web-external
  namespace: edge2-proxy
spec:
  ports:
    - port: 5200
      targetPort: 5200
      name: http
  clusterIP: None
---
apiVersion: v1
kind: Endpoints
metadata:
  name: print-web-external
  namespace: edge2-proxy
subsets:
  - addresses:
      - ip: 10.0.57.16
    ports:
      - port: 5200
        name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: print-web-tls
  namespace: edge2-proxy
spec:
  secretName: print-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - print.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: print-web
  namespace: edge2-proxy
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`print.iamworkin.lan`)
      services:
        - name: print-web-external
          port: 5200
  tls:
    secretName: print-web-tls
---
# NetworkPolicy: allow Traefik ingress, allow egress to edge2 + DNS
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: edge2-proxy-netpol
  namespace: edge2-proxy
spec:
  podSelector: {}
  policyTypes:
    - Ingress
    - Egress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
  egress:
    - to:
        - ipBlock:
            cidr: 10.0.57.16/32
      ports:
        - port: 5200
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP