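---
# Hostname-based Ingress with TLS terminated at Traefik using the
# Cloudflare Origin CA cert (secret/cloudflare-origin-cert). CF→origin
# encryption enables CF SSL mode "Full (strict)".
#
# Middleware chain (security headers, rate limit, CF-only allowlist, admin
# basic auth) is defined in `middleware.yaml`. security-headers + rate-limit
# are attached below via annotation. Every chain in this file lists
# security-headers before its rate limiter so that a 429 produced by the
# limiter still passes back through the headers middleware on the way out.
#
# NOTE(review): only honeydue-admin is behind honeydue-cloudflare-only; the
# api/web/auth Ingresses accept traffic from any source that reaches the
# node — confirm that is intended (direct-origin access is usually limited
# in practice because the Origin CA cert is not publicly trusted, but that
# is not a substitute for the allowlist).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-api
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - api.myhoneydue.com
        - myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: api.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
    # Root domain serves the marketing landing page from the Go API's
    # STATIC_DIR. ALLOWED_HOSTS in honeydue-config includes myhoneydue.com.
    - host: myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
---
# Admin UI Ingress. This is the only Ingress in the file whose chain starts
# with the Cloudflare IP allowlist and basic auth.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-admin
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    # cloudflare-only + admin-auth wired in (audit F2/F3/CODE-L6). Order
    # matters: reject non-Cloudflare IPs, then basic auth, then headers,
    # then rate limit. The admin-basic-auth secret is created by
    # 02-setup-secrets.sh from config.yaml admin.basic_auth_* — that runs
    # before 03-deploy.sh, so the middleware always has its secret.
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-cloudflare-only@kubernetescrd,honeydue-admin-auth@kubernetescrd,honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - admin.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: admin.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin
                port:
                  number: 3000
---
# Web frontend Ingress. Same chain as honeydue-api: headers, then the
# general rate limit.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-web
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - app.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: app.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 3000
---
# Auth-endpoint Ingress (audit F10 / LIVE-L12). A dedicated Ingress for the
# auth paths so Traefik gives their longer path-prefix routers a higher
# priority than honeydue-api's "/" router — these paths then get
# auth-rate-limit (5/min) instead of the general rate-limit (100/min).
# Anything not matched here falls through to honeydue-api unchanged.
#
# NOTE(review): the stricter limit only applies to requests whose path
# starts with one of the prefixes below. Any alternate spelling of the same
# endpoint that the API would still accept is routed by honeydue-api and
# gets the 100/min limit instead — confirm the API's router is strict about
# the paths it serves. Also confirm in middleware.yaml that
# auth-rate-limit keys on the real client address forwarded by Cloudflare
# rather than the edge address, or all users behind one edge share the
# 5/min budget.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-api-auth
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    # security-headers first, limiter second — same order as every other
    # chain in this file, so rate-limited responses still get the headers.
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-auth-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - api.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: api.myhoneydue.com
      http:
        paths:
          - path: /api/auth/login
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/register
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/forgot-password
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/reset-password
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          # Invite-code redemption is guessable input, so it shares the
          # auth budget even though it lives outside /api/auth.
          - path: /api/residences/join-with-code
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/verify-reset-code
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/apple-sign-in
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/google-sign-in
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/refresh
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
          - path: /api/auth/account
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000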