# LAN ingress for FlowerCore.Network Web (network.iamworkin.lan).
#
# RKE2 Traefik has no built-in ACME resolver; TLS certificate ownership stays in
# cert-manager Certificate/fc-network-web-tls. Phase 0 is read-only but the POST
# ingest endpoint is genuinely needed by the noc1 exporter, so this route allows
# all methods (no GET/HEAD-only restriction like fc-dns) — the service itself has
# NO pfSense write path, so allowing POST here only reaches the local snapshot
# ingest.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-network-web
  namespace: fc-network
  labels:
    app: fc-network-web
    app.kubernetes.io/name: fc-network-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`network.iamworkin.lan`)
      kind: Rule
      services:
        - name: fc-network-web
          port: 80
  tls:
    secretName: fc-network-web-tls