# FlowerCore.Library.Web GitOps adoption manifest.
#
# Authored from the already-live fc-library resources on 2026-06-04.
# Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
# ArgoCD adopts in place instead of replacing the workload or data volume.
---
# Data volume. volumeName pins this claim to the PV that already holds the
# library data; without it the claim would bind to (or provision) a fresh,
# empty volume instead of being adopted.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: library-web-data
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
  volumeMode: Filesystem
  volumeName: pvc-2690bae2-4ee0-417a-b95f-50ec5c632b63
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: library-web
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: library-web
  # Recreate tears the old pod down before the new one starts, so every
  # pod-template change is a short outage.
  # NOTE(review): presumably chosen because the data PVC is ReadWriteOnce
  # (two pods could not both mount it) — confirm.
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        # NOTE(review): healthz-anon looks like it exempts the probe path from
        # the web auth so kubelet probes succeed unauthenticated; confirm
        # against AddFlowerCoreWebAuth (ADR-178) that the exemption covers
        # only /health and nothing else.
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/health"
        prometheus.io/path: /metrics/prometheus
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: library-web
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
        - envFrom:
            - configMapRef:
                name: library-web-config
          # Node-local image: with imagePullPolicy Never the kubelet performs no
          # pull, so this exact tag must already exist on the node the pod
          # lands on or the pod stays in ErrImageNeverPull.
          image: localhost/fc-library-web:v20260602-library-owned-deploy-fix1
          imagePullPolicy: Never
          # Liveness and readiness both hit /health on the app port; liveness is
          # slower and stricter (3 failures, 30s period) than readiness (6, 10s).
          livenessProbe:
            failureThreshold: 3
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            successThreshold: 1
            timeoutSeconds: 5
          name: library-web
          ports:
            - containerPort: 5000
              name: http
              protocol: TCP
          readinessProbe:
            failureThreshold: 6
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            successThreshold: 1
            timeoutSeconds: 5
          # NOTE(review): no requests/limits means BestEffort QoS — first to be
          # evicted under node pressure and no CPU/memory ceiling. Kept as the
          # live value so adoption does not roll the pod (Recreate => outage);
          # add sized requests/limits in a follow-up once adoption is synced.
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - mountPath: /data
              name: data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # NOTE(review): empty pod securityContext and no container securityContext,
      # so the process runs with whatever the image defaults to (possibly root).
      # Follow-up candidates once verified against the image: runAsNonRoot,
      # allowPrivilegeEscalation: false, capabilities drop ALL, and
      # readOnlyRootFilesystem if the app only writes under /data. Same
      # rollout caveat as resources above.
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: library-web-data
---
apiVersion: v1
kind: Service
metadata:
  name: library-web
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
spec:
  # clusterIP/clusterIPs are the live values. Service.spec.clusterIP is
  # immutable, so a different value here would force a delete+recreate of the
  # Service (and a new IP) instead of an in-place adopt.
  clusterIP: 10.43.179.63
  clusterIPs:
    - 10.43.179.63
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 5000
  selector:
    app.kubernetes.io/name: library-web
  sessionAffinity: None
  type: ClusterIP
---
# Internal TLS: cert-manager obtains a certificate for the .lan name from the
# step-ca ACME ClusterIssuer and stores it in library-web-tls, which the
# IngressRoute below references as its tls.secretName.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: library-web-tls
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web-tls
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
spec:
  dnsNames:
    - library.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  secretName: library-web-tls
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: library-web
  namespace: fc-library
  labels:
    app.kubernetes.io/name: library-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-library
spec:
  # Only the websecure entry point is bound here; this route carries no
  # plain-HTTP listener and no method restriction — in-app auth (ADR-178)
  # is the control for writes on the internal host.
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`library.iamworkin.lan`)
      services:
        - name: library-web
          port: 80
  tls:
    secretName: library-web-tls
# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
# When the operator decides to expose library-web publicly, uncomment + update the host,
# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
#
# --- IngressRoute ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: library-web-public
#   namespace: fc-library
# spec:
#   entryPoints: [websecure]
#   routes:
#     - match: Host(`library.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
#       kind: Rule
#       middlewares:
#         - name: library-web-public-profile-header  # injects entitlement profile
#       services:
#         - name: library-web
#           port: 80
#   tls: {}
#
# POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
#
# Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
#
# NOTE(review): the GET/HEAD gate above is an edge control only; it does not
# change what the backend accepts. The public route must also carry a distinct
# Certificate/secret (tls: {} here falls back to Traefik's default store —
# confirm that is intended) and should be re-checked against the ADR-178
# X-Forwarded-Proto handling before the host is uncommented.