
# FlowerCore MessageBoard — Message board service
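---
# Namespace for the MessageBoard service; every other document in this file lives here.
apiVersion: v1
kind: Namespace
metadata:
  name: fc-messageboard
  labels:
    app.kubernetes.io/part-of: bluejay-infra
    # Pod Security Admission: report (but do not block) pods that fall short of the
    # "restricted" profile. Kept at warn/audit rather than enforce because the
    # messageboard-web Deployment in this file does not yet declare runAsNonRoot;
    # switch to enforce once its securityContext is fully restricted-compliant.
    pod-security.kubernetes.io/warn: restricted
    pod-security.kubernetes.io/audit: restricted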
---
# Non-secret runtime settings for messageboard-web, injected wholesale via envFrom.
# Double-underscore keys follow the ASP.NET configuration convention
# (Security__AllowedOrigins__0 -> Security:AllowedOrigins:0).
apiVersion: v1
kind: ConfigMap
metadata:
  name: messageboard-web-config
  namespace: fc-messageboard
data:
  ASPNETCORE_ENVIRONMENT: "Production"
  # Plain HTTP on all interfaces; TLS is terminated by Traefik in front of the ClusterIP Service.
  ASPNETCORE_URLS: "http://+:8080"
  # Trusts X-Forwarded-* from the proxy; the pod must therefore stay reachable only
  # through the Service/Traefik path, never directly.
  ASPNETCORE_FORWARDEDHEADERS_ENABLED: "true"
  Security__AllowedOrigins__0: "https://messageboard.iamworkin.lan"
  FlowerCore__Database__ConnectionStrings__Sqlite: "Data Source=/data/messageboard.db"
  # OpenTelemetry export to the in-cluster collector (plaintext gRPC, cluster-internal only).
  OTEL_SERVICE_NAME: "FlowerCore.MessageBoard"
  OTEL_EXPORTER_OTLP_ENDPOINT: "http://otel-collector.monitoring.svc.cluster.local:4317"
  OTEL_EXPORTER_OTLP_PROTOCOL: "grpc"
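---
# Single-replica web pod. strategy.type=Recreate because the SQLite file lives on a
# ReadWriteOnce PVC (messageboard-web-data): the old pod must release the volume
# before the new one starts.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: messageboard-web
  namespace: fc-messageboard
  labels:
    app: messageboard-web
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: messageboard-web
  template:
    metadata:
      labels:
        app: messageboard-web
      annotations:
        # fc.flowercore.io/* are read by FlowerCore tooling, not by Kubernetes itself.
        fc.flowercore.io/healthz-anon: "true"
        fc.flowercore.io/probe-path: "/healthz"
        prometheus.io/scrape: "true"
        prometheus.io/port: "8080"
        prometheus.io/path: "/metrics/prometheus"
    spec:
      # Nothing in this pod calls the Kubernetes API, so do not mount a
      # service-account token for it to leak.
      automountServiceAccountToken: false
      containers:
        - name: messageboard-web
          # Node-local image, never pulled. The floating :latest tag means the running
          # build is whatever was last loaded on the node and there is no digest to
          # audit against; pin by digest once images come from a registry.
          image: localhost/fc-messageboard-web:latest
          imagePullPolicy: Never
          ports:
            - containerPort: 8080
              name: http
          # fc-safe-to-expose: X-Forwarded-Proto handled by AddFlowerCoreWebAuth (ADR-178) before any future public/OIDC flip.
          # Baseline hardening an ASP.NET app on an unprivileged port does not need to
          # opt out of. runAsNonRoot / readOnlyRootFilesystem are deliberately not set:
          # NOTE(review): confirm the image's UID and where it writes temp files first,
          # then add pod.securityContext.fsGroup so /data stays writable.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          envFrom:
            - configMapRef:
                name: messageboard-web-config
            # optional: the pod still starts when the Secret has not been created yet.
            - secretRef:
                name: messageboard-web-secrets
                optional: true
          volumeMounts:
            - name: data
              mountPath: /data
          resources:
            requests:
              memory: "128Mi"
              cpu: "100m"
            limits:
              memory: "512Mi"
              cpu: "500m"
          # Both probes only check that the port accepts connections; they do not
          # exercise the app. NOTE(review): the probe-path annotation names /healthz as
          # anonymous — an httpGet readiness probe on it would also catch a hung app
          # that still accepts TCP. Left as tcpSocket pending confirmation of its
          # response code without auth.
          livenessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            tcpSocket:
              port: 8080
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: messageboard-web-data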
---
# Backing store for the SQLite database mounted at /data in messageboard-web.
# ReadWriteOnce: only one node may mount it, which is why the Deployment uses Recreate.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: messageboard-web-data
  namespace: fc-messageboard
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
# Cluster-internal Service in front of the web pod; Traefik routes to port 80 here,
# which maps onto the container's 8080 (named "http" in the Deployment).
apiVersion: v1
kind: Service
metadata:
  name: messageboard-web
  namespace: fc-messageboard
spec:
  selector:
    app: messageboard-web
  ports:
    - name: http
      port: 80
      targetPort: 8080
---
# cert-manager certificate for the LAN hostname, issued by the step-ca ACME
# ClusterIssuer; the resulting Secret is consumed by the IngressRoute's tls block.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: messageboard-web-tls
  namespace: fc-messageboard
spec:
  secretName: messageboard-web-tls
  dnsNames:
    - messageboard.iamworkin.lan
  issuerRef:
    kind: ClusterIssuer
    name: step-ca-acme
---
# LAN-only ingress: TLS is terminated by Traefik on the websecure entry point using
# the cert-manager-issued Secret, then forwarded as plain HTTP to the ClusterIP Service.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: messageboard-web
  namespace: fc-messageboard
spec:
  entryPoints:
    - websecure
  tls:
    secretName: messageboard-web-tls
  routes:
    - kind: Rule
      match: Host(`messageboard.iamworkin.lan`)
      services:
        - name: messageboard-web
          port: 80
# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
# When the operator decides to expose messageboard-web publicly, uncomment + update the host,
# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
#
# --- IngressRoute ---
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: messageboard-web-public
#   namespace: fc-messageboard
# spec:
#   entryPoints: [websecure]
#   routes:
#     - match: Host(`messageboard.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
#       kind: Rule
#       middlewares:
#         - name: messageboard-web-public-profile-header  # injects entitlement profile
#       services:
#         - name: messageboard-web
#           port: 80
#   tls: {}
#   # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
#   # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).