From 289a23f7e638adb5d6a57b3e754d1a45c4f8e29f Mon Sep 17 00:00:00 2001
From: Trey t <treytartt@fastmail.com>
Date: Sun, 26 Apr 2026 23:44:21 -0500
Subject: [PATCH] deploy(ingress): drop obsolete scaffold ingress.yaml
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The directory had two ingress manifests that both define
honeydue-api and honeydue-admin:

  - ingress.yaml          (Mar 28, scaffold from `deploy-k3s/`
                           greenfield template)
  - ingress-simple.yaml   (Apr 24, corrected for our actual cluster
                           shape per MIGRATION_NOTES.md)

`kubectl apply -f manifests/ingress/` applies both, and ingress.yaml
happens to apply last alphabetically (`-` < `.` so `ingress-simple`
sorts before `ingress.yaml`), clobbering the corrected manifest.
That left the live cluster with two regressions:

  1. honeydue-admin had `admin-auth` Traefik middleware in its chain,
     referencing the `admin-basic-auth` secret. Per MIGRATION_NOTES
     basic auth is intentionally not applied on this cluster (admin
     uses in-app auth), so the secret was never created.  Traefik
     logs `secret 'honeydue/admin-basic-auth' not found` on every
     reconcile and refuses to materialize the admin router → 404.

  2. honeydue-api lost the apex `myhoneydue.com` rule that
     ingress-simple.yaml adds for the marketing landing page →
     apex 404.

`kubectl apply -f ingress-simple.yaml` against the live cluster
restored both routes (admin/apex back to 200). Removing the stale
file from the repo prevents the next deploy from regressing.

Refs: deploy-k3s/MIGRATION_NOTES.md ("Admin basic auth | Not applied
— in-app auth only").
---
 deploy-k3s/manifests/ingress/ingress.yaml | 54 -----------------------
 1 file changed, 54 deletions(-)
 delete mode 100644 deploy-k3s/manifests/ingress/ingress.yaml

diff --git a/deploy-k3s/manifests/ingress/ingress.yaml b/deploy-k3s/manifests/ingress/ingress.yaml
deleted file mode 100644
index e30bf31..0000000
--- a/deploy-k3s/manifests/ingress/ingress.yaml
+++ /dev/null
@@ -1,54 +0,0 @@
-# API Ingress — Cloudflare-only + security headers + rate limiting
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: honeydue-api
-  namespace: honeydue
-  labels:
-    app.kubernetes.io/part-of: honeydue
-  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: honeydue-cloudflare-only@kubernetescrd,honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
-spec:
-  tls:
-    - hosts:
-        - api.myhoneydue.com
-      secretName: cloudflare-origin-cert
-  rules:
-    - host: api.myhoneydue.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: api
-                port:
-                  number: 8000
-
----
-# Admin Ingress — Cloudflare-only + security headers + rate limiting + basic auth
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: honeydue-admin
-  namespace: honeydue
-  labels:
-    app.kubernetes.io/part-of: honeydue
-  annotations:
-    traefik.ingress.kubernetes.io/router.middlewares: honeydue-cloudflare-only@kubernetescrd,honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd,honeydue-admin-auth@kubernetescrd
-spec:
-  tls:
-    - hosts:
-        - admin.myhoneydue.com
-      secretName: cloudflare-origin-cert
-  rules:
-    - host: admin.myhoneydue.com
-      http:
-        paths:
-          - path: /
-            pathType: Prefix
-            backend:
-              service:
-                name: admin
-                port:
-                  number: 3000