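# FlowerCore.Retail.Web GitOps adoption manifest.
#
# Authored from the already-live fc-retail resources on 2026-06-04.
# Keep the live image tag, Service ClusterIP, and PVC volumeName unchanged so
# ArgoCD adopts in place instead of replacing the workload or data volume.
#
# The `kubectl.kubernetes.io/restartedAt` annotation and the empty `resources` /
# `securityContext` stanzas are also copied from the live objects on purpose:
# the first adoption sync must be a no-op diff. Hardening (requests/limits,
# non-root container securityContext) is a follow-up change, not part of this one.
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: retail-web-data
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
  storageClassName: longhorn
  volumeMode: Filesystem
  # Pins the claim to the existing Longhorn volume. Dropping or changing this
  # would bind a fresh, empty volume and orphan the live data.
  volumeName: pvc-3d40b336-eab4-41b3-812c-d5e9413ce0ab
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: retail-web
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
spec:
  progressDeadlineSeconds: 600
  replicas: 1
  revisionHistoryLimit: 3
  selector:
    matchLabels:
      app.kubernetes.io/name: retail-web
  # Recreate rather than RollingUpdate: a rolling update would schedule a second
  # pod against the same ReadWriteOnce data volume.
  strategy:
    type: Recreate
  template:
    metadata:
      annotations:
        fc.flowercore.io/healthz-anon: "true"
        # NOTE(review): this advertises /healthz, but both probes below hit
        # /health. Confirm which path the app actually serves and align the two.
        fc.flowercore.io/probe-path: "/healthz"
        # Written by `kubectl rollout restart` on the live object; kept so the
        # adoption diff is empty. A future manual restart will show as drift.
        kubectl.kubernetes.io/restartedAt: "2026-06-02T01:34:08-05:00"
        prometheus.io/path: "/metrics/prometheus"
        prometheus.io/port: "5000"
        prometheus.io/scrape: "true"
      labels:
        app.kubernetes.io/name: retail-web
        app.kubernetes.io/part-of: flowercore
    spec:
      containers:
        # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth
        # (ADR-178) before any future public/OIDC flip.
        - name: retail-web
          # Node-local image (localhost/ prefix) with imagePullPolicy Never: the
          # kubelet never pulls, so the pod can only start on a node that already
          # holds this exact tag. Must match the live Deployment byte-for-byte.
          image: localhost/fc-retail-web:v20260602-retail-owned-deploy-fix5
          imagePullPolicy: Never
          envFrom:
            - configMapRef:
                name: retail-web-config
          ports:
            - name: http
              containerPort: 5000
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: 5000
              scheme: HTTP
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            successThreshold: 1
            failureThreshold: 6
          # Empty on the live object; kept so adoption is a no-op. Requests and
          # limits are the first hardening follow-up once the sync is green.
          resources: {}
          terminationMessagePath: /dev/termination-log
          terminationMessagePolicy: File
          volumeMounts:
            - name: data
              mountPath: /data
      dnsPolicy: ClusterFirst
      restartPolicy: Always
      schedulerName: default-scheduler
      # Empty on the live object; kept so adoption is a no-op. A non-root,
      # read-only-rootfs context is the second hardening follow-up.
      securityContext: {}
      terminationGracePeriodSeconds: 30
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: retail-web-data
---
apiVersion: v1
kind: Service
metadata:
  name: retail-web
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
spec:
  # Pinned to the live address so adoption does not re-allocate the ClusterIP.
  clusterIP: 10.43.239.8
  clusterIPs:
    - 10.43.239.8
  internalTrafficPolicy: Cluster
  ipFamilies:
    - IPv4
  ipFamilyPolicy: SingleStack
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 5000
  selector:
    app.kubernetes.io/name: retail-web
  sessionAffinity: None
  type: ClusterIP
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: retail-web-tls
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web-tls
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
spec:
  dnsNames:
    - retail.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
  # Consumed by the IngressRoute below via tls.secretName.
  secretName: retail-web-tls
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: retail-web
  namespace: fc-retail
  labels:
    app.kubernetes.io/name: retail-web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    argocd.argoproj.io/instance: infra-fc-retail
spec:
  entryPoints:
    - websecure
  routes:
    - kind: Rule
      match: Host(`retail.iamworkin.lan`)
      services:
        - name: retail-web
          port: 80
  # TLS terminates at Traefik with the cert-manager secret issued above; the
  # app only ever sees plain HTTP on 5000 plus the forwarded headers.
  tls:
    secretName: retail-web-tls

# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
# When the operator decides to expose retail-web publicly, uncomment and update the
# host, then verify the five safe-to-expose gates
# (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
#
# --- IngressRoute ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: retail-web-public
#   namespace: fc-retail
# spec:
#   entryPoints: [websecure]
#   routes:
#     - match: Host(`retail.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
#       kind: Rule
#       middlewares:
#         - name: retail-web-public-profile-header  # injects entitlement profile
#       services:
#         - name: retail-web
#           port: 80
#   tls: {}
#   # NOTE(review): `tls: {}` serves Traefik's default certificate. Before
#   # enabling, add a certResolver or a Certificate + secretName for the public
#   # host, or browsers will see the wrong cert.
#
# POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the
# public surface. This holds only while no other websecure router matches the
# public host; the in-app auth (AddFlowerCoreWebAuth) remains the primary control,
# the method gate is defence in depth.
# Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).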