workout-system: deploy SparkyFitness v0.16.6.3, park wger, take over workout.dooplex.hu

SparkyFitness (https://github.com/CodeWithCJ/SparkyFitness) replaces wger on
workout.dooplex.hu / workout.home with native Authentik OIDC.

Components (sparkyfitness.yaml): dedicated postgres:15-alpine, server (3010,
/api/health), frontend nginx (root image, listens :80). PVCs sparkyfitness-postgres
+ sparkyfitness-uploads (Longhorn, backup labels). In-app OIDC, no forward-auth.

Deviations from the deploy spec, following upstream ground truth:
- In-container mount path for uploads is /app/SparkyFitnessServer/uploads (per the
  upstream Helm chart values.yaml), not /app/uploads.
- Frontend root image (codewithcj/sparkyfitness) has 'listen 80;' hardcoded ->
  NGINX_LISTEN_PORT=80, containerPort/Service 80.
- Image names use the docker-compose variants (codewithcj/sparkyfitness_server,
  codewithcj/sparkyfitness); the upstream Helm chart uses -server/-frontend.
- All wger Deployments scaled to 0 (incl. celery worker/beat), not just
  wger + wger-redis, so celery doesn't crashloop against the downed redis.

Secrets (outside git): sparky-oauth (client-id/client-secret, pre-existing) +
sparky-app (db + app-db creds, api-encryption-key, better-auth-secret).

wger is parked, not deleted: Deployments at 0, both Ingresses removed (ArgoCD
prune frees the hostnames); Services/ConfigMap/PVCs/CNPG DB kept for rollback.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

workout-system/workout.yaml

@@ -1,3 +1,13 @@
+# ============================================================================
+# *** PARKED 2026-05-27 *** — wger has been REPLACED by SparkyFitness.
+# SparkyFitness now owns workout.dooplex.hu / workout.home (see sparkyfitness.yaml).
+# All wger Deployments are scaled to 0 and both wger Ingresses were removed
+# (ArgoCD prune deletes them, freeing the hostnames). The wger Services,
+# ConfigMap, PVCs (wger-media / wger-static) and the wger DB in the shared CNPG
+# cluster are KEPT, untouched, for rollback.
+# To revive wger: restore the two Ingress resources from git history and scale
+# the wger / wger-redis / wger-celery-* Deployments back to 1.
+# ============================================================================
 # wger - Workout Manager
 # https://github.com/wger-project/wger
 # Version: 2.5 (official image, no custom fork)
@@ -40,7 +50,7 @@ metadata:
     app.kubernetes.io/instance: wger
     app.kubernetes.io/name: wger-redis
 spec:
-  replicas: 1
+  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
   selector:
     matchLabels:
       app.kubernetes.io/instance: wger
@@ -78,7 +88,7 @@ metadata:
     extensions.v1alpha1.version-checker.io/wger: "true"
     extensions.v1alpha1.version-checker.io/wger.match-regex: "^\\d+\\.\\d+$"
 spec:
-  replicas: 1
+  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
   selector:
     matchLabels:
       app.kubernetes.io/instance: wger
@@ -256,7 +266,7 @@ metadata:
     app.kubernetes.io/instance: wger
     app.kubernetes.io/name: wger-celery-worker
 spec:
-  replicas: 1
+  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
   selector:
     matchLabels:
       app.kubernetes.io/instance: wger
@@ -336,7 +346,7 @@ metadata:
     app.kubernetes.io/instance: wger
     app.kubernetes.io/name: wger-celery-beat
 spec:
-  replicas: 1
+  replicas: 0  # parked 2026-05-27 (replaced by SparkyFitness)
   selector:
     matchLabels:
       app.kubernetes.io/instance: wger
@@ -439,117 +449,12 @@ spec:
     app.kubernetes.io/name: wger
 ---
 # ============================================================================
-# Ingress #1: web UI paths (/) - Authentik forward-auth protected
+# wger Ingresses (wger + wger-api) REMOVED 2026-05-27 — see PARKED note at top.
+# SparkyFitness's ingress (sparkyfitness.yaml) now serves workout.dooplex.hu /
+# workout.home. ArgoCD prune deletes the old Ingress objects from the cluster,
+# releasing the hostnames + the wger-tls certificate's hosts.
+# To revive wger: restore these two Ingress resources from git history.
 # ============================================================================
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wger
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    external-dns.alpha.kubernetes.io/hostname: workout.dooplex.hu,workout.home
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
-    # Authentik Forward Auth (domain mode) - same pattern as your other SSO apps
-    # If you use an internal outpost service URL elsewhere, swap auth-url for it.
-    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-kisfenyo-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
-    nginx.ingress.kubernetes.io/auth-signin: https://workout.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
-    nginx.ingress.kubernetes.io/auth-response-headers: "Set-Cookie,X-Authentik-Username,X-Authentik-Email,X-Authentik-Name,X-Authentik-Groups,X-Authentik-Uid"
-    nginx.ingress.kubernetes.io/auth-snippet: |
-      proxy_set_header X-Forwarded-Host $http_host;
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      set $geo_allowed 0;
-      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
-      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
-      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
-      if ($geo_allowed = 0) {
-        return 403 "Access restricted to Hungary";
-      }
-spec:
-  ingressClassName: nginx-internal
-  rules:
-    - host: workout.dooplex.hu
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: wger
-                port:
-                  number: 80
-    - host: workout.home
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: wger
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - workout.dooplex.hu
-      secretName: wger-tls
----
-# ============================================================================
-# Ingress #2: API paths (/api/) - NO forward-auth, JWT token auth only
-# Required so the wger Flutter mobile app can hit /api/v2/token for login.
-# More-specific path match means /api/* hits this Ingress, not the / one.
-# ============================================================================
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: wger-api
-  namespace: workout-system
-  labels:
-    app.kubernetes.io/instance: wger
-    app.kubernetes.io/name: wger-api
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
-    nginx.ingress.kubernetes.io/configuration-snippet: |
-      # Same geo-block as the web UI ingress
-      set $geo_allowed 0;
-      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
-      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
-      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
-      if ($geo_allowed = 0) {
-        return 403 "Access restricted to Hungary";
-      }
-spec:
-  ingressClassName: nginx-internal
-  rules:
-    - host: workout.dooplex.hu
-      http:
-        paths:
-          - path: /api
-            pathType: Prefix
-            backend:
-              service:
-                name: wger
-                port:
-                  number: 80
-    - host: workout.home
-      http:
-        paths:
-          - path: /api
-            pathType: Prefix
-            backend:
-              service:
-                name: wger
-                port:
-                  number: 80
-  tls:
-    - hosts:
-        - workout.dooplex.hu
-      secretName: wger-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim