Add MuffinLabs SSL configuration for hearth

Kubernetes manifests for muffinlabs.ai SSL via cert-manager:
- Namespace
- Certificate (Let's Encrypt via letsencrypt-production ClusterIssuer)
- Traefik IngressRoute with TLS
- HTTP to HTTPS redirect middleware
- www to apex redirect middleware

Part of RFC 0002: amplify-deployment

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

kubernetes/muffinlabs/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: muffinlabs-ai-tls
+  namespace: muffinlabs
+spec:
+  secretName: muffinlabs-ai-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  dnsNames:
+    - muffinlabs.ai
+    - www.muffinlabs.ai

kubernetes/muffinlabs/ingressroute.yaml

@@ -0,0 +1,80 @@
+# Traefik IngressRoute for muffinlabs.ai with TLS
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: muffinlabs-web
+  namespace: muffinlabs
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`muffinlabs.ai`)
+      kind: Rule
+      services:
+        - name: muffinlabs-web
+          port: 80
+    - match: Host(`www.muffinlabs.ai`)
+      kind: Rule
+      middlewares:
+        - name: www-to-apex
+          namespace: muffinlabs
+      services:
+        - name: muffinlabs-web
+          port: 80
+  tls:
+    secretName: muffinlabs-ai-tls
+---
+# HTTP to HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: muffinlabs-web-http
+  namespace: muffinlabs
+spec:
+  entryPoints:
+    - web
+  routes:
+    - match: Host(`muffinlabs.ai`) || Host(`www.muffinlabs.ai`)
+      kind: Rule
+      middlewares:
+        - name: https-redirect
+          namespace: muffinlabs
+      services:
+        - name: muffinlabs-web
+          port: 80
+---
+# Middleware: www to apex redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: www-to-apex
+  namespace: muffinlabs
+spec:
+  redirectRegex:
+    regex: ^https://www\.muffinlabs\.ai/(.*)
+    replacement: https://muffinlabs.ai/${1}
+    permanent: true
+---
+# Middleware: HTTP to HTTPS redirect
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: https-redirect
+  namespace: muffinlabs
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+---
+# Service (placeholder - will redirect to Amplify once deployed)
+apiVersion: v1
+kind: Service
+metadata:
+  name: muffinlabs-web
+  namespace: muffinlabs
+spec:
+  type: ExternalName
+  externalName: muffinlabs.ai.amplifyapp.com
+  ports:
+    - port: 80
+      targetPort: 443

kubernetes/muffinlabs/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: muffinlabs
+  labels:
+    app.kubernetes.io/name: muffinlabs
+    app.kubernetes.io/part-of: muffinlabs-web