# LAN ingress for NanoHUB.
#
# Traefik terminates step-ca TLS; NanoHUB listens on HTTP :9004 and serves the
# Apple MDM protocol endpoints. The NanoHUB API stays cluster-internal for
# MDM-N1; do not route /api/v1 through Traefik until the operator approves an
# API exposure model.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-apple-mdm
  namespace: fc-apple-mdm
  labels:
    app.kubernetes.io/name: fc-apple-mdm
    app.kubernetes.io/component: mdm
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`mdm.iamworkin.lan`) && (PathPrefix(`/mdm`) || PathPrefix(`/checkin`) || PathPrefix(`/version`))
      kind: Rule
      services:
        - name: fc-apple-mdm
          port: 80
  tls:
    secretName: fc-apple-mdm-tls