---
# Public ingress for Ory Kratos.
#
# Routes https://auth.myhoneydue.com/ to the `kratos` Service on port 4433
# (the Kratos public API).
#
# Edge middlewares, chained in the same way as on the honeyDue API ingress:
#   1. cloudflare-only   - reject non-Cloudflare source IPs
#   2. security-headers
#   3. rate-limit        - the general limiter
#
# The strict auth-rate-limit (5/min) is intentionally NOT attached: Kratos
# self-service flows are multi-request, and Kratos applies its own per-flow
# protections.
# NOTE(review): without auth-rate-limit, the general rate-limit is the only
# edge throttle on login/recovery submissions - confirm that the Kratos-side
# protections relied on here are actually enabled in this deployment.
#
# NOTE(review): the middleware definitions are not part of this manifest.
# Both cloudflare-only and rate-limit depend on which address Traefik sees as
# the source; verify that the allowlist is matched against the real peer
# address and that the limiter keys on the end client rather than on shared
# Cloudflare edge addresses.
#
# NOTE(review): only the public API port is routed. The Kratos admin API
# (Kratos default 4434) should stay unreachable from any public ingress -
# verify against the kratos Service and any other Ingress in the namespace.
#
# OPERATOR:
#   - Confirm that the cloudflare-origin-cert TLS secret covers
#     auth.myhoneydue.com (apex + wildcard origin cert). An Ingress can only
#     reference a TLS secret in its own namespace (honeydue).
#   - Add the auth.myhoneydue.com DNS record in Cloudflare (proxied),
#     pointing at the cluster ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-auth
  namespace: honeydue
  labels:
    app.kubernetes.io/name: kratos
    app.kubernetes.io/part-of: honeydue
  annotations:
    # Each entry is <namespace>-<middleware>@kubernetescrd, applied in the
    # order listed.
    traefik.ingress.kubernetes.io/router.middlewares: 'honeydue-cloudflare-only@kubernetescrd,honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd'
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - auth.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: auth.myhoneydue.com
      http:
        paths:
          # Prefix "/" forwards every path on this host to the public API.
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kratos
                port:
                  number: 4433