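---
# Hostname-based Ingresses with TLS terminated at Traefik using the
# Cloudflare Origin CA cert (secret/cloudflare-origin-cert). Encrypting the
# Cloudflare-to-origin hop enables CF SSL mode "Full (strict)".
#
# Middleware chain (security headers, rate limit, CF-only allowlist, admin
# basic auth) is defined in `middleware.yaml`. Only security-headers and
# rate-limit are attached below via annotation.
#
# NOTE(review): the CF-only allowlist and the admin basic auth are NOT
# referenced by any annotation in this file. Confirm they are attached
# somewhere else; if they are not, the origin accepts requests that did not
# come through Cloudflare, and admin.myhoneydue.com has no basic-auth layer.
# The Origin CA cert only encrypts and identifies the origin; it does not
# restrict who may connect to it.
#
# NOTE(review): all four hostnames share one secret, so the certificate's
# SANs must cover api., admin., app. and the apex name, because
# "Full (strict)" validates the hostname on the origin cert. Verify this
# against the issued cert.
#
# NOTE(review): behind Cloudflare the TCP peer is a Cloudflare edge address.
# middleware.yaml is not shown here; confirm that rate-limit keys on the
# real client address rather than on the proxy address.

# Public API plus the apex domain, both served by the `api` Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-api
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    # Comma-separated list; each entry is <namespace>-<name>@kubernetescrd.
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - api.myhoneydue.com
        - myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: api.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
    # Root domain serves the marketing landing page from the Go API's
    # STATIC_DIR. ALLOWED_HOSTS in honeydue-config includes myhoneydue.com.
    # Because the path is `/` with pathType Prefix, every API route is also
    # reachable under the apex hostname, not only the landing page.
    - host: myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: api
                port:
                  number: 8000
---
# Admin UI. This is the most sensitive of the three hosts.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-admin
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    # NOTE(review): same chain as the public hosts. The admin basic auth and
    # the CF-only allowlist described in the file header are not listed
    # here. If they are meant to protect this router, append them as
    # honeydue-<MIDDLEWARE_NAME_FROM_middleware.yaml>@kubernetescrd
    # (placeholder; the real names are not visible in this file).
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - admin.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: admin.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: admin
                port:
                  number: 3000
---
# End-user web application.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: honeydue-web
  namespace: honeydue
  labels:
    app.kubernetes.io/part-of: honeydue
  annotations:
    traefik.ingress.kubernetes.io/router.middlewares: honeydue-security-headers@kubernetescrd,honeydue-rate-limit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - app.myhoneydue.com
      secretName: cloudflare-origin-cert
  rules:
    - host: app.myhoneydue.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: web
                port:
                  number: 3000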