---
# LAN ingress for FlowerCore.DeviceManagement Web.
#
# RKE2 Traefik has no built-in ACME resolver configured. Keep TLS certificate
# ownership in cert-manager Certificate/fc-devicemgmt-web-tls.
#
# NOTE(review): the route below attaches no `middlewares`, so Traefik forwards
# every request for this host straight to the Service. Authentication and
# authorization are presumably enforced by the application itself; confirm.
# Who can reach the `websecure` entry point is decided outside this file.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: fc-devicemgmt-web
  namespace: fc-devicemgmt
  labels:
    app.kubernetes.io/name: fc-devicemgmt-web
    app.kubernetes.io/component: web
    app.kubernetes.io/part-of: flowercore
    app.kubernetes.io/managed-by: argocd
    flowercore.io/tenant-id: system
    flowercore.io/created-by: bluejay-infra
spec:
  entryPoints:
    - websecure
  routes:
    # Host-only match: no path or method restriction on the LAN route.
    - kind: Rule
      match: 'Host(`devices.iamworkin.lan`)'
      services:
        - name: fc-devicemgmt-web
          # TLS ends at Traefik; the hop to Service port 80 is presumably
          # plain HTTP inside the cluster. Confirm that is acceptable.
          port: 80
  tls:
    # Expected to be the Secret written by the cert-manager Certificate named
    # in the header; Traefik reads it from this IngressRoute's namespace.
    secretName: fc-devicemgmt-web-tls

# Future public agent/update host gate (OFF by default):
#
# Do not enable `update.flowercore.io` here until Authentik OIDC Q-OIDC-1
# resolves the public-device-management auth model and route ownership with
# UpdateCenter. When enabled, use a separate public IngressRoute with an
# explicit Method allowlist, public-host auth middleware, and public TLS
# certificate strategy. Leaving this as comments keeps ArgoCD from stealing
# live UpdateCenter traffic.
#
# NOTE(review): the template below now carries a `middlewares` placeholder so
# that uncommenting it as-is cannot publish the route without the auth
# middleware required above. Replace the placeholder with the real Middleware
# once Q-OIDC-1 is decided, trim the Method allowlist to what public clients
# actually need, and make sure `fc-devicemgmt-public-tls` is issued first;
# nothing in this file creates that Secret.
#
# apiVersion: traefik.io/v1alpha1
# kind: IngressRoute
# metadata:
#   name: fc-devicemgmt-web-public
#   namespace: fc-devicemgmt
#   annotations:
#     flowercore.io/public-host-gate: "disabled-until-Q-OIDC-1"
# spec:
#   entryPoints:
#     - websecure
#   routes:
#     - match: Host(`update.flowercore.io`) && (Method(`GET`) || Method(`HEAD`) || Method(`POST`) || Method(`OPTIONS`))
#       kind: Rule
#       middlewares:
#         - name: <PUBLIC_AUTH_MIDDLEWARE_PLACEHOLDER>
#       services:
#         - name: fc-devicemgmt-web
#           port: 80
#   tls:
#     secretName: fc-devicemgmt-public-tls