# Public ingress for Ory Kratos — auth.myhoneydue.com → Kratos public API :4433.
#
# Middlewares match the honeyDue API ingress (security-headers + rate-limit).
# The cloudflare-only middleware is intentionally NOT applied here: on this
# cluster, klipper-lb SNATs the source IP before Traefik sees it, so
# cloudflare-only's IP allowlist sees a cluster-internal address instead of a
# Cloudflare edge IP and rejects every legitimate Cloudflare request
# (verified 2026-06-03: iOS Apple Sign In failed silently because Kratos
# never received the request). The api ingress doesn't use cloudflare-only
# for the same reason. DDoS protection still rides on Cloudflare's edge for
# traffic that arrives through the proxy; without the allowlist, a client that
# learns the origin address can reach this ingress directly and is throttled
# only by honeydue-rate-limit.
#
# Kratos's self-service flows are multi-request (login, registration,
# recovery and settings each take several round trips), so the strict
# auth-rate-limit (5/min) is intentionally NOT used here: it would trip on
# legitimate flows. Kratos applies its own per-flow protections.
#
# OPERATOR: confirm the cloudflare-origin-cert TLS secret covers
# auth.myhoneydue.com (apex + wildcard origin cert), and add the
# auth.myhoneydue.com DNS record in Cloudflare (proxied) → cluster ingress.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-auth
  namespace: honeydue
  labels:
    app.kubernetes.io/name: kratos
    app.kubernetes.io/part-of: honeydue
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - auth.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: auth.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kratos
                port:
                  number: 4433
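The comment above records that an IP allowlist is useless when the load balancer rewrites the source address. The script below is an added diagnostic, not part of the honeyDue manifests or of Kratos, that checks this directly from Traefik's JSON access log: it buckets every ClientHost as a Cloudflare edge address, a private (SNAT'd) cluster address, or some other public address, and reports whether a Cloudflare-only allowlist would have rejected everything. The log lines, router names and client addresses are constructed for illustration; the Cloudflare ranges are a hand-copied snapshot of the published ips-v4 list and should be refreshed before use.

```python
"""Classify the client addresses Traefik actually sees on an ingress.

Added diagnostic (not honeyDue or Kratos code). Reads Traefik JSON
access-log lines and buckets each ClientHost as:
  'cloudflare' - inside Cloudflare's published IPv4 edge ranges
  'private'    - RFC 1918 / link-local, i.e. a SNAT'd cluster address
  'other'      - any other public address (a direct hit on the origin)
If no request is 'cloudflare', an ipAllowList of Cloudflare ranges would
reject all traffic, which is the failure mode the manifest comment records.
"""
import ipaddress
import json
from collections import Counter

# Snapshot of Cloudflare's published IPv4 ranges (https://www.cloudflare.com/ips-v4),
# copied by hand for this example; refresh from the published list before relying on it.
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed sample lines (hypothetical router names and addresses). The first
# set is what a SNAT'ing klipper-lb produces: every client is a 10.42.x.x node
# address regardless of who actually sent the request.
SAMPLE_LOG_SNAT = [
    '{"ClientHost":"10.42.0.1","RequestHost":"auth.myhoneydue.com","RouterName":"honeydue-honeydue-auth-auth-myhoneydue-com@kubernetes","DownstreamStatus":200}',
    '{"ClientHost":"10.42.0.1","RequestHost":"auth.myhoneydue.com","RouterName":"honeydue-honeydue-auth-auth-myhoneydue-com@kubernetes","DownstreamStatus":200}',
    '{"ClientHost":"10.42.1.7","RequestHost":"api.myhoneydue.com","RouterName":"honeydue-honeydue-api-api-myhoneydue-com@kubernetes","DownstreamStatus":403}',
    'not json at all',
]
# What the same traffic looks like when the load balancer preserves the client IP:
# one request via Cloudflare, one direct hit on the origin from elsewhere.
SAMPLE_LOG_PRESERVED = [
    '{"ClientHost":"162.158.88.21","RequestHost":"auth.myhoneydue.com","RouterName":"honeydue-honeydue-auth-auth-myhoneydue-com@kubernetes","DownstreamStatus":200}',
    '{"ClientHost":"8.8.8.8","RequestHost":"auth.myhoneydue.com","RouterName":"honeydue-honeydue-auth-auth-myhoneydue-com@kubernetes","DownstreamStatus":200}',
]


def classify(addr):
    """Bucket one client address; unparsable input counts as 'other'."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "other"
    if ip.version == 4 and any(ip in net for net in CLOUDFLARE_V4):
        return "cloudflare"
    if ip.is_private or ip.is_link_local:
        return "private"
    return "other"


def audit(lines, router=None):
    """Count address classes across log lines, optionally for one Traefik router.

    Non-JSON lines and records without a ClientHost are skipped.
    """
    counts = Counter()
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not isinstance(rec, dict):
            continue
        if router is not None and rec.get("RouterName") != router:
            continue
        host = rec.get("ClientHost")
        if isinstance(host, str):
            counts[classify(host)] += 1
    return counts


def allowlist_would_break(counts):
    """True when a Cloudflare-only ipAllowList would reject every observed request."""
    total = sum(counts.values())
    return total > 0 and counts["cloudflare"] == 0


if __name__ == "__main__":
    for label, lines in (("snat", SAMPLE_LOG_SNAT), ("preserved", SAMPLE_LOG_PRESERVED)):
        c = audit(lines)
        print(label, dict(c), "allowlist breaks:", allowlist_would_break(c))
```

To run it against real traffic, enable Traefik's JSON access log (`--accesslog=true --accesslog.format=json`), pipe `kubectl logs` from the Traefik pod into `audit`, and filter on the router name Traefik assigns to this ingress. A result of 100% `private` confirms the SNAT described in the comment; only once `cloudflare` addresses appear (i.e. the load balancer preserves the client IP) does an allowlist become usable, and the `other` bucket then shows how much traffic is bypassing Cloudflare entirely.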