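# FlowerCore MCP Gateway for the GX10 cluster.
# Secret values are copied into Kubernetes Secrets out of band until the
# 1Password operator exists on GX10; never commit secret data here.
#
# Documents in this file (all in namespace fc-gateway):
#   1. Namespace
#   2. Deployment  - single "web" container, port 8080, hardened security context
#   3. Service     - ClusterIP 80 -> 8080
#   4. Certificate - cert-manager TLS for gateway.iamworkin.lan via step-ca-acme
#   5. IngressRoute - Traefik websecure entry point terminating the TLS above
#   6. NetworkPolicy - default-deny ingress and egress with explicit allow rules
---
apiVersion: v1
kind: Namespace
metadata:
  name: fc-gateway
  labels:
    app.kubernetes.io/part-of: flowercore
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fc-gateway
  namespace: fc-gateway
  labels:
    app.kubernetes.io/name: fc-gateway
    app.kubernetes.io/part-of: flowercore
spec:
  replicas: 1
  revisionHistoryLimit: 3
  # Recreate: the old pod is stopped before the new one starts, so there is a
  # short outage on every rollout (single replica anyway).
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: fc-gateway
  template:
    metadata:
      labels:
        app.kubernetes.io/name: fc-gateway
        app.kubernetes.io/part-of: flowercore
      annotations:
        # fc.flowercore.io/* are project-specific; presumably they mark
        # /healthz as reachable without an API key - confirm against the
        # consumer of these annotations.
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        # Prometheus scrapes the same port the API listens on.
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
    spec:
      # The egress NetworkPolicy below only allows DNS and the listed backends,
      # so the pod cannot reach the API server anyway; do not mount a
      # service-account token it cannot use.
      automountServiceAccountToken: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1654
        runAsGroup: 1654
        fsGroup: 1654
        fsGroupChangePolicy: OnRootMismatch
        # Required by the "restricted" Pod Security Standard; the container
        # context below already drops all capabilities and privilege escalation.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: web
          # Local image; Never means the node must already have it loaded.
          image: localhost/fc-gateway:v20260617-hm1-gateway-e0627e3
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
              name: http
          env:
            - name: ASPNETCORE_URLS
              value: "http://+:8080"
            - name: ASPNETCORE_ENVIRONMENT
              value: "Production"
            - name: DOTNET_SYSTEM_GLOBALIZATION_INVARIANT
              value: "false"
            # Inbound API key the gateway expects from its callers. Not
            # optional: the pod will not start without the Secret.
            - name: FlowerCore__Mcp__ApiKey__Key
              valueFrom:
                secretKeyRef:
                  name: gateway-mcp-keys
                  key: credential
            - name: FlowerCore__Mcp__Gateway__Embedding__BaseUrl
              value: "http://fc-llm-bridge.fc-llm-bridge.svc:8080/v1"
            - name: FlowerCore__Mcp__Gateway__Embedding__Model
              value: "fc:embedding"
            - name: FlowerCore__Mcp__Gateway__Embedding__Mode
              value: "openai"
            # All backend keys below are optional: a missing Secret or key
            # leaves the variable unset instead of blocking pod start. Verify
            # the gateway fails closed (refuses that backend) rather than
            # calling it without credentials.
            - name: FlowerCore__Mcp__Gateway__Embedding__ApiKey
              valueFrom:
                secretKeyRef:
                  name: fc-llm-bridge-api-keys
                  key: agent-zero-k8s
                  optional: true
            - name: GW_BACKEND_fc_mysql_KEY
              valueFrom:
                secretKeyRef:
                  name: mysql-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_php_KEY
              valueFrom:
                secretKeyRef:
                  name: php-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_telephony_KEY
              valueFrom:
                secretKeyRef:
                  name: telephony-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_chat_KEY
              valueFrom:
                secretKeyRef:
                  name: chat-mcp-keys
                  key: credential
                  optional: true
            - name: GW_BACKEND_fc_dms_KEY
              valueFrom:
                secretKeyRef:
                  name: dms-mcp-keys
                  key: credential
                  optional: true
            # Note the different Secret name and key for this backend.
            - name: GW_BACKEND_fc_knowledge_KEY
              valueFrom:
                secretKeyRef:
                  name: knowledge-mcp-tokens
                  key: password
                  optional: true
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 384Mi
          # Root filesystem is read-only; these are the only writable paths.
          volumeMounts:
            - name: tmp
              mountPath: /tmp
            - name: logs
              mountPath: /home/app/logs
          securityContext:
            runAsNonRoot: true
            runAsUser: 1654
            runAsGroup: 1654
            readOnlyRootFilesystem: true
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # Up to 30 x 5s = 150s for the app to answer /healthz before the
          # container is restarted.
          startupProbe:
            httpGet:
              path: /healthz
              port: 8080
            initialDelaySeconds: 5
            periodSeconds: 5
            failureThreshold: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: 8080
            periodSeconds: 10
          # Liveness only checks that the port accepts connections; a hung
          # HTTP pipeline would still be caught by readiness, not restarted.
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: tmp
          emptyDir: {}
        - name: logs
          emptyDir: {}
---
apiVersion: v1
kind: Service
metadata:
  name: fc-gateway
  namespace: fc-gateway
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: fc-gateway
  ports:
    - name: http
      port: 80
      targetPort: 8080
      protocol: TCP
---
# 30-day certificate, renewed 10 days before expiry.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: fc-gateway-tls
  namespace: fc-gateway
spec:
  secretName: fc-gateway-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - gateway.iamworkin.lan
  duration: 720h
  renewBefore: 240h
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-gateway
  namespace: fc-gateway
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`gateway.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-gateway
          port: 80
  tls:
    secretName: fc-gateway-tls
---
# Both policyTypes are listed, so anything not matched below is denied.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: fc-gateway-netpol
  namespace: fc-gateway
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: fc-gateway
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Callers of the gateway API.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: agent-zero
      ports:
        - port: 8080
          protocol: TCP
    # Traefik, for the IngressRoute above.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik-system
      ports:
        - port: 8080
          protocol: TCP
    # Prometheus scraping /metrics/prometheus.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: monitoring
      ports:
        - port: 8080
          protocol: TCP
  egress:
    # DNS. Matches every pod in kube-system on port 53; a podSelector for the
    # cluster DNS pods would narrow it - the label depends on the CNI/DNS
    # deployment, so it is left as-is here.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: kube-system
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    # Embedding backend (see FlowerCore__Mcp__Gateway__Embedding__BaseUrl).
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-llm-bridge
      ports:
        - port: 8080
          protocol: TCP
    # MCP backends, one rule per namespace; ports are per-backend and
    # presumably match each backend's Service - confirm when adding one.
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-mysql
      ports:
        - port: 5300
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-php
      ports:
        - port: 5400
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: telephony
      ports:
        - port: 5100
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-chat
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: fc-dms
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP
    - to:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: knowledge
      ports:
        - port: 80
          protocol: TCP
        - port: 8080
          protocol: TCP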