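---
# LAN ingress for FlowerCore.DeviceManagement Web.
#
# RKE2 Traefik has no built-in ACME resolver configured. Keep TLS certificate
# ownership in cert-manager Certificate/fc-devicemgmt-web-tls.
#
# Exposure notes (defender's view):
#   - Only the `websecure` entry point is bound, so this route never serves
#     plaintext HTTP; TLS is terminated by Traefik with the secret below.
#   - The match is host-only and no `middlewares:` are attached, so any
#     authentication for the LAN host lives outside this object — confirm the
#     upstream service or a cluster-wide middleware enforces it.
#   - Renaming the TLS secret here without updating the cert-manager
#     Certificate breaks the route's TLS silently; keep the two in step.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-devicemgmt-web
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`devices.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-devicemgmt-web
          port: 80
  tls:
    # Issued and renewed by cert-manager; this object only references it.
    secretName: fc-devicemgmt-web-tls

# Future public agent/update host gate (OFF by default):
#
# Do not enable `update.flowercore.io` here until Authentik OIDC Q-OIDC-1
# resolves the public-device-management auth model and route ownership with
# UpdateCenter. When enabled, use a separate public IngressRoute with an
# explicit Method allowlist, public-host auth middleware, and public TLS
# certificate strategy. Leaving this as comments keeps ArgoCD from stealing
# live UpdateCenter traffic.
#
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: fc-devicemgmt-web-public
#   namespace: fc-devicemgmt
#   annotations:
#     flowercore.io/public-host-gate: "disabled-until-Q-OIDC-1"
# spec:
#   entryPoints:
#     - websecure
#   routes:
#     - match: Host(`update.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
#       kind: Rule
#       services:
#         - name: fc-devicemgmt-web
#           port: 80
#   tls:
#     secretName: fc-devicemgmt-public-tls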