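# FlowerCore MessageBoard — Message board service
#
# Documents in this file: Namespace, ConfigMap, Deployment, PersistentVolumeClaim,
# Service, cert-manager Certificate, Traefik IngressRoute (internal host only).
# The public-host IngressRoute at the bottom is intentionally commented out.
---
apiVersion: v1
kind: Namespace
metadata:
  name: fc-messageboard
  labels:
    app.kubernetes.io/part-of: bluejay-infra
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: messageboard-web-config
  namespace: fc-messageboard
data:
  # Non-secret runtime settings only; anything sensitive belongs in the
  # messageboard-web-secrets Secret referenced by the Deployment.
  ASPNETCORE_ENVIRONMENT: Production
  ASPNETCORE_URLS: "http://+:8080"
  # Makes the app trust X-Forwarded-* headers (see the fc-safe-to-expose note on
  # the container). Nothing in this file restricts who can reach port 8080
  # in-cluster (no NetworkPolicy); the Service below has no `type`, so it stays
  # ClusterIP and is only fronted by the IngressRoute.
  ASPNETCORE_FORWARDEDHEADERS_ENABLED: "true"
  Security__AllowedOrigins__0: "https://messageboard.iamworkin.lan"
  FlowerCore__Database__ConnectionStrings__Sqlite: "Data Source=/data/messageboard.db"
  OTEL_SERVICE_NAME: FlowerCore.MessageBoard
  OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-collector.monitoring.svc.cluster.local:4317"
  OTEL_EXPORTER_OTLP_PROTOCOL: grpc
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: messageboard-web
  namespace: fc-messageboard
  labels:
    app: messageboard-web
spec:
  # Single replica with Recreate: the SQLite file lives on a ReadWriteOnce PVC,
  # so two pods must never hold it at once (a RollingUpdate overlap would).
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: messageboard-web
  template:
    metadata:
      labels:
        app: messageboard-web
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
    spec:
      # TODO(review): add runAsNonRoot: true once the image is confirmed to run
      # as an unprivileged user; port 8080 needs no root to bind.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: messageboard-web
          # Built on the node and never pulled: a mutable :latest tag with no
          # registry provenance, so the running version is whatever was built
          # locally last. Pin a digest or immutable tag before any public exposure.
          image: localhost/fc-messageboard-web:latest
          imagePullPolicy: Never
          # Baseline hardening that a web app listening on an unprivileged
          # port does not need to relax.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          envFrom:
            - configMapRef:
                name: messageboard-web-config
            # optional: the pod still starts when the Secret is absent (e.g. a
            # fresh local cluster); settings that must be present do not belong
            # behind an optional ref.
            - secretRef:
                name: messageboard-web-secrets
                optional: true
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Probes are TCP-only: they prove the listener is up, not that the app
          # answers /healthz (the probe-path annotation above). Switch to httpGet
          # on /healthz only after confirming it returns 2xx unauthenticated.
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: messageboard-web-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: messageboard-web-data
  namespace: fc-messageboard
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
apiVersion: v1
kind: Service
metadata:
  name: messageboard-web
  namespace: fc-messageboard
spec:
  # No `type`, so ClusterIP: reachable only from inside the cluster; Traefik
  # fronts it via the IngressRoute below.
  selector:
    app: messageboard-web
  ports:
    - port: 80
      targetPort: 8080
      name: http
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: messageboard-web-tls
  namespace: fc-messageboard
spec:
  secretName: messageboard-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - messageboard.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: messageboard-web
  namespace: fc-messageboard
spec:
  entryPoints:
    - websecure
  routes:
    # Host-only match: every path, including /healthz and /metrics/prometheus,
    # is reachable on the internal host. The public stanza below narrows by
    # method; add a path rule here if the metrics endpoint should not be
    # reachable on the LAN host either.
    - match: Host(`messageboard.iamworkin.lan`)
      kind: Rule
      services:
        - name: messageboard-web
          port: 80
  tls:
    secretName: messageboard-web-tls

# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
# When the operator decides to expose messageboard-web publicly, uncomment + update the host,
# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
#
# # --- IngressRoute ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: messageboard-web-public
#   namespace: fc-messageboard
# spec:
#   entryPoints: [websecure]
#   routes:
#     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
#       kind: Rule
#       middlewares:
#         - name: messageboard-web-public-profile-header  # injects entitlement profile
#       services:
#         - name: messageboard-web
#           port: 80
#   tls: {}
# # tls: {} serves Traefik's default certificate; a Certificate for the public
# # host (like the internal one above) is still needed at go-decision time.
# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).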