56 lines
1.5 KiB
YAML
56 lines
1.5 KiB
YAML
# FlowerCore DMS — TLS + Ingress
|
|
# Deployment and Service managed by deploy script (not ArgoCD)
|
|
---
|
|
apiVersion: cert-manager.io/v1
|
|
kind: Certificate
|
|
metadata:
|
|
name: dms-web-tls
|
|
namespace: fc-dms
|
|
spec:
|
|
secretName: dms-web-tls
|
|
issuerRef:
|
|
name: step-ca-acme
|
|
kind: ClusterIssuer
|
|
dnsNames:
|
|
- dms.iamworkin.lan
|
|
---
|
|
apiVersion: traefik.io/v1alpha1
|
|
kind: IngressRoute
|
|
metadata:
|
|
name: dms-web
|
|
namespace: fc-dms
|
|
spec:
|
|
entryPoints:
|
|
- websecure
|
|
routes:
|
|
- match: Host(`dms.iamworkin.lan`)
|
|
kind: Rule
|
|
services:
|
|
- name: dms-web
|
|
port: 80
|
|
tls:
|
|
secretName: dms-web-tls
|
|
# ---- PUBLIC HOST PRE-STAGING (DISABLED - Sprint 61+ exposure go-decision only) ----
|
|
# When the operator decides to expose dms-web publicly, uncomment + update the host,
|
|
# then verify the five safe-to-expose gates (authentik-safe-to-expose-readiness-2026-06-07.md section 2).
|
|
#
|
|
# --- IngressRoute ---
|
|
# apiVersion: traefik.io/v1alpha1
|
|
# kind: IngressRoute
|
|
# metadata:
|
|
# name: dms-web-public
|
|
# namespace: fc-dms
|
|
# spec:
|
|
# entryPoints: [websecure]
|
|
# routes:
|
|
# - match: Host(`dms.flowercore.io`) && (Method(`GET`) || Method(`HEAD`))
|
|
# kind: Rule
|
|
# middlewares:
|
|
# - name: dms-web-public-profile-header # injects entitlement profile
|
|
# services:
|
|
# - name: dms-web
|
|
# port: 80
|
|
# tls: {}
|
|
# # POST/PUT/PATCH/DELETE miss every route -> Traefik 404 -> no admin writes on the public surface.
|
|
# # Reference pattern: dist.flowercore.io (already live + method-gated; do not edit that one).
|