# API Ingress — TLS via Let's Encrypt (default) or Cloudflare origin cert
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-api
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    # TLS_ANNOTATIONS_PLACEHOLDER — replaced by 03-deploy.sh based on tls.mode
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  tls:
    - hosts:
        - API_DOMAIN_PLACEHOLDER
      secretName: TLS_SECRET_PLACEHOLDER
  rules:
    - host: API_DOMAIN_PLACEHOLDER
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000

---
# Admin Ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-admin
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    # TLS_ANNOTATIONS_PLACEHOLDER — replaced by 03-deploy.sh based on tls.mode
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd,honeydue-admin-auth@kubernetescrd
spec:
  tls:
    - hosts:
        - ADMIN_DOMAIN_PLACEHOLDER
      secretName: TLS_SECRET_PLACEHOLDER
  rules:
    - host: ADMIN_DOMAIN_PLACEHOLDER
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin
                port:
                  number: 3000