bluejay/bluejay-infra
1
0
Fork 0
Code Issues Pull Requests 14 Actions Packages Projects Releases Wiki Activity
Files
6382582090c545a8aae774afd5b19d6471c06ddd
bluejay-infra/apps/fc-desktop/fc-desktop.yaml
Andrew Stoltz 6382582090 fc-desktop: add remotedesktop warm pool intent
2026-05-19 12:27:47 -05:00

57 lines
2.0 KiB
YAML
Raw Blame History

# FlowerCore Remote Desktop — TLS + Ingress
#
# Source-of-truth split:
# - bluejay-infra OWNS: Certificate, IngressRoute, all NetworkPolicies,
# and the explicit RemoteDesktopPoolCrd warm-pool intent in
# remotedesktop-pools.yaml.
# (see network-policies.yaml in this directory).
# - FlowerCore.RemoteDesktop OWNS: CRD definition/operator Deployment and
# scripts/deploy-web.sh Deployment + Service. Reason: image refs like
# `localhost/fc-desktop:linux-xfce`
# only exist on each node's containerd after a manual import, so a
# Deployment manifest in bluejay-infra would race the image-import
# step and crash-loop.
#
# NetworkPolicies moved into bluejay-infra 2026-05-07 — previously they
# were applied via the deploy script's kubectl apply calls, which broke
# cluster-rebuild repeatability. See
# feedback_networkpolicies_belong_in_bluejay_infra.md.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: remotedesktop-web-tls
namespace: fc-desktop
spec:
secretName: remotedesktop-web-tls
issuerRef:
name: step-ca-acme
kind: ClusterIssuer
dnsNames:
- desktop.iamworkin.lan
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: remotedesktop-web
namespace: fc-desktop
spec:
entryPoints:
- websecure
routes:
# Host-level catch-all for desktop.iamworkin.lan. The /guacamole
# path-prefix match lives in apps/guacamole/guacamole.yaml as a
# separate IngressRoute in the guacamole namespace — the cluster
# Traefik disallows cross-namespace service refs, so the PathPrefix
# rule can't sit here. Traefik's router matching precedence gives
# longer/more-specific rules priority automatically, so as long as
# the guacamole IngressRoute exists it takes /guacamole traffic
# before this catch-all sees it.
- match: Host(`desktop.iamworkin.lan`)
kind: Rule
services:
- name: remotedesktop-web
port: 8080
tls:
secretName: remotedesktop-web-tls
Reference in New Issue View Git Blame Copy Permalink