# FlowerCore Remote Desktop: TLS certificate and Traefik ingress.
# The Deployment and Service are managed by the deploy script (not ArgoCD),
# so this file only holds the certificate and the routing in front of them.
---
# Server certificate for desktop.iamworkin.lan, requested from the
# step-ca-acme ClusterIssuer and written to the Secret that the IngressRoute
# below references. duration, renewBefore and privateKey are not set here, so
# the cert-manager / issuer defaults apply.
# NOTE(review): the issuer name suggests a private step-ca instance; if so,
# clients need that CA's root in their trust store. Confirm.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: remotedesktop-web-tls
  namespace: fc-desktop
spec:
  secretName: remotedesktop-web-tls
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  dnsNames:
    - desktop.iamworkin.lan
---
# Single-host routing for the web UI and Guacamole. Both are served under
# desktop.iamworkin.lan; Traefik presents the certificate from the Secret
# named in spec.tls and forwards to the backends on port 8080.
# NOTE(review): no scheme or serversTransport is set on the services, so the
# hop from Traefik to the pods is presumably plain HTTP. Confirm that this is
# acceptable for remote-desktop session traffic inside the cluster.
# NOTE(review): no middlewares are attached to either route, so
# authentication, security headers and rate limiting are left to the backends.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: remotedesktop-web
  namespace: fc-desktop
spec:
  entryPoints:
    # presumably the HTTPS entry point of the Traefik install; verify
    - websecure
  routes:
    # Guacamole: requests whose path starts with /guacamole go straight to the
    # guacamole Service in the guacamole namespace. The explicit priority
    # (20 > 10) is what makes Traefik evaluate this rule before the host-only
    # rule below; keeping it first in the list is for readability.
    # RemoteDesktop.Web then emits launch URLs with host=desktop.iamworkin.lan
    # and the /guacamole prefix, so Guacamole stays reachable through the same
    # public surface
    # (GuacamolePublicUrl=https://desktop.iamworkin.lan/guacamole).
    # NOTE(review): the Service lives in a different namespace than this
    # IngressRoute. Traefik's Kubernetes CRD provider only resolves such
    # references when allowCrossNamespace is enabled, and that setting applies
    # to every IngressRoute in the cluster. Confirm that scope is intended.
    # NOTE(review): PathPrefix is a plain prefix match, so paths such as
    # /guacamole-x are presumably also sent to Guacamole. Verify.
    - kind: Rule
      match: 'Host(`desktop.iamworkin.lan`) && PathPrefix(`/guacamole`)'
      priority: 20
      services:
        - name: guacamole
          namespace: guacamole
          port: 8080
    # Catch-all for the host: everything else goes to the RemoteDesktop web
    # Service in this namespace.
    - kind: Rule
      match: 'Host(`desktop.iamworkin.lan`)'
      priority: 10
      services:
        - name: remotedesktop-web
          port: 8080
  tls:
    # Secret produced by the Certificate above (same namespace).
    secretName: remotedesktop-web-tls