# Traefik IngressRoute for muffinlabs.ai with TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: muffinlabs-web
  namespace: muffinlabs
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`muffinlabs.ai`)
      kind: Rule
      services:
        - name: muffinlabs-web
          port: 80
    - match: Host(`www.muffinlabs.ai`)
      kind: Rule
      middlewares:
        - name: www-to-apex
          namespace: muffinlabs
      services:
        - name: muffinlabs-web
          port: 80
  tls:
    secretName: muffinlabs-ai-tls
---
# HTTP to HTTPS redirect
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: muffinlabs-web-http
  namespace: muffinlabs
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`muffinlabs.ai`) || Host(`www.muffinlabs.ai`)
      kind: Rule
      middlewares:
        - name: https-redirect
          namespace: muffinlabs
      services:
        - name: muffinlabs-web
          port: 80
---
# Middleware: www to apex redirect
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: www-to-apex
  namespace: muffinlabs
spec:
  redirectRegex:
    regex: ^https://www\.muffinlabs\.ai/(.*)
    replacement: https://muffinlabs.ai/${1}
    permanent: true
---
# Middleware: HTTP to HTTPS redirect
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: muffinlabs
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Service (placeholder - will redirect to Amplify once deployed)
apiVersion: v1
kind: Service
metadata:
  name: muffinlabs-web
  namespace: muffinlabs
spec:
  type: ExternalName
  externalName: muffinlabs.ai.amplifyapp.com
  ports:
    - port: 80
      targetPort: 443