# FlowerCore MySQL Manager — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: mysql-web-tls
  namespace: fc-mysql
spec:
  secretName: mysql-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - mysql.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: mysql-web
  namespace: fc-mysql
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mysql.iamworkin.lan`)
      kind: Rule
      services:
        - name: mysql-web
          port: 5300
  tls:
    secretName: mysql-web-tls
# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
# When the operator decides to expose mysql-web publicly, uncomment + update the host,
# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
#
# --- IngressRoute ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: mysql-web-public
#   namespace: fc-mysql
# spec:
#   entryPoints: [websecure]
#   routes:
#     - match: Host(`mysql.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
#       kind: Rule
#       middlewares:
#         - name: mysql-web-public-profile-header  # injects entitlement profile
#       services:
#         - name: mysql-web
#           port: 80
#   tls: {}
# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).