# FlowerCore Chat — TLS + Ingress
# Deployment and Service managed by deploy script (not ArgoCD)
---
# Internal certificate for chat.iamworkin.lan, issued through the in-cluster
# step-ca ACME ClusterIssuer and stored in Secret chat-web-tls. The internal
# IngressRoute below terminates TLS with that Secret.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: chat-web-tls
  namespace: fc-chat
spec:
  secretName: chat-web-tls
  issuerRef:
    name: step-ca-acme
    kind: ClusterIssuer
  dnsNames:
    - chat.iamworkin.lan
---
# Internal, operator-oriented route. It carries no path/method allowlist and
# no host-profile middleware, so the full UI is reachable on this host name.
# NOTE(review): this route shares the `websecure` entryPoint with the public
# twin below, so the operator/public split rests on the Host match alone;
# confirm the Cloudflare-facing endpoint cannot be reached under this host
# name, or move the internal route to a dedicated entryPoint.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: chat-web
  namespace: fc-chat
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`chat.iamworkin.lan`)
      kind: Rule
      services:
        - name: chat-web
          port: 80
  tls:
    secretName: chat-web-tls
---
# Public host profile marker. The app treats this header as authoritative for
# the public twin, while the internal chat.iamworkin.lan route does not attach
# it and keeps the operator-oriented UI. customRequestHeaders overwrites any
# client-supplied value of the same name, so a caller on the public route
# cannot remove or change the marker.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: chat-public-profile-header
  namespace: fc-chat
spec:
  headers:
    customRequestHeaders:
      X-FC-Chat-Host-Profile: "public"
---
# Public Cloudflare-fronted twin for the anonymous chat surface. Operator
# paths are intentionally absent from the allowlist below, so /admin,
# /operator, /console, /ops, /api/operator, and /operatorhub miss this route
# and return Traefik 404 before reaching the pod. Operator action still needed:
# create/verify Cloudflare DNS chat.flowercore.io -> public Traefik endpoint
# and mirror the cf-origin-flowercore-io TLS secret into namespace fc-chat.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: chat-web-public
  namespace: fc-chat
spec:
  entryPoints:
    - websecure
  routes:
    # Allowlist rule: Path() is an exact match, PathPrefix() matches the
    # prefix and everything under it. Requests on chat.flowercore.io that
    # match no clause fall through to Traefik's 404 and never reach the pod.
    # Methods are limited to what the chat UI and its preflights use.
    # NOTE(review): /_blazor and /chathub are long-lived connections that
    # carry in-app navigation after the first request, so this allowlist
    # only gates initial HTTP requests; the app's own handling of
    # X-FC-Chat-Host-Profile must be what hides operator pages — confirm.
    - match: >-
        Host(`chat.flowercore.io`)
        && (Path(`/`) || Path(`/chat`) || PathPrefix(`/_blazor`)
        || PathPrefix(`/_framework`) || PathPrefix(`/_content`)
        || PathPrefix(`/avatars`) || PathPrefix(`/css`) || PathPrefix(`/js`)
        || PathPrefix(`/favicon`) || PathPrefix(`/chathub`))
        && (Method(`GET`) || Method(`HEAD`) || Method(`POST`)
        || Method(`OPTIONS`))
      kind: Rule
      # Stamps the public profile marker on every request that matched above.
      middlewares:
        - name: chat-public-profile-header
      services:
        - name: chat-web
          port: 80
  # Origin certificate mirrored from the Cloudflare-facing namespace; the
  # Secret must exist in fc-chat before this route can serve TLS.
  tls:
    secretName: cf-origin-flowercore-io