# Core Services Ingress
# RFC 0040: Self-Hosted Core Services
#
# Routes traffic to Vault, Keycloak, and Forgejo via AWS ALB.
#
# This file holds four documents: one Ingress in the `ingress` namespace and
# three ExternalName Services (vault, keycloak, forgejo) in the same namespace
# that alias the real Services living in their own namespaces.
#
# Security summary for reviewers:
#   - The ALB is internet-facing and serves a secrets manager, an identity
#     provider and a Git forge; no source-IP restriction or WAF ACL is attached
#     by this manifest (the WAF annotation is commented out).
#   - Only TLS termination at the ALB is configured here; no backend-protocol
#     annotation is set for the ALB -> target hop.
#   - ${ACM_CERT_ARN} is a placeholder; the substitution step is not part of
#     this file.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: core-services
  namespace: ingress
  labels:
    app.kubernetes.io/name: core-services-ingress
    app.kubernetes.io/part-of: core-services
  annotations:
    # AWS ALB Ingress Controller
    # Legacy class annotation; spec.ingressClassName below selects the same
    # class ("alb"), so the two must be kept in agreement if either changes.
    kubernetes.io/ingress.class: alb
    # Public ALB: every host rule below is reachable from the internet.
    # NOTE(review): if these services are for staff/automation only, restrict
    # sources (e.g. alb.ingress.kubernetes.io/inbound-cidrs) or use an internal
    # scheme behind a VPN - confirm the intended audience.
    alb.ingress.kubernetes.io/scheme: internet-facing
    # ip targets are registered by pod IP rather than via node ports.
    # NOTE(review): the backends below are ExternalName Services, which have no
    # selector or Endpoints - confirm the controller can resolve targets for
    # them in ip mode before relying on this manifest.
    alb.ingress.kubernetes.io/target-type: ip
    # Only an HTTPS listener on 443 is created; port 80 is not opened.
    alb.ingress.kubernetes.io/listen-ports: '[{"HTTPS":443}]'
    # Policy name indicates TLS 1.3 with TLS 1.2 as the minimum.
    alb.ingress.kubernetes.io/ssl-policy: ELBSecurityPolicy-TLS13-1-2-2021-06
    # Placeholder - must be replaced with a real ACM certificate ARN before
    # apply. The certificate has to cover all three hostnames in spec.rules.
    alb.ingress.kubernetes.io/certificate-arn: ${ACM_CERT_ARN}
    # ssl-redirect rewrites HTTP listeners to redirect to this port. No HTTP
    # listener is declared above, so as written this has nothing to act on.
    # NOTE(review): keeping port 80 closed means a client misconfigured with an
    # http:// address fails to connect instead of sending a token in cleartext
    # before a redirect - confirm HTTPS-only is the intent before adding HTTP.
    alb.ingress.kubernetes.io/ssl-redirect: "443"

    # Health check settings
    # Set at Ingress level, so the same path and thresholds apply to all three
    # backends.
    # NOTE(review): verify each backend answers on /health on its traffic port;
    # Vault's health API is /v1/sys/health, so the vault target may never turn
    # healthy with this path.
    alb.ingress.kubernetes.io/healthcheck-path: /health
    alb.ingress.kubernetes.io/healthcheck-interval-seconds: "15"
    alb.ingress.kubernetes.io/healthcheck-timeout-seconds: "5"
    alb.ingress.kubernetes.io/healthy-threshold-count: "2"
    alb.ingress.kubernetes.io/unhealthy-threshold-count: "3"

    # WAF integration (optional)
    # Disabled: no WAFv2 web ACL is associated with the ALB by this manifest.
    # NOTE(review): for an internet-facing login page and secrets API, consider
    # enabling this (rate limiting, managed rule groups) or document the
    # compensating control.
    # alb.ingress.kubernetes.io/wafv2-acl-arn: ${WAF_ACL_ARN}

    # NOTE(review): no alb.ingress.kubernetes.io/backend-protocol is set, so the
    # controller default applies to the ALB -> pod hop. If that default is plain
    # HTTP, Vault tokens and Keycloak credentials cross the VPC unencrypted -
    # confirm whether the backends expect TLS.

    # Access logs
    # Folded scalar: the three lines below are joined into one comma-separated
    # attribute string. Logs go to bucket alignment-alb-logs under the
    # core-services prefix; the bucket and its delivery policy are not defined
    # in this file.
    alb.ingress.kubernetes.io/load-balancer-attributes: >-
      access_logs.s3.enabled=true,
      access_logs.s3.bucket=alignment-alb-logs,
      access_logs.s3.prefix=core-services
spec:
  ingressClassName: alb
  rules:
    # Each rule forwards the whole host (path "/" with Prefix matching) to one
    # backend, so administrative and API paths are exposed along with the UI.
    # NOTE(review): consider narrower path rules or upstream authorization for
    # admin surfaces (e.g. the Keycloak admin console).

    # Vault
    - host: vault.beyondtheuniverse.superviber.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vault
                port:
                  number: 8200

    # Keycloak
    - host: auth.beyondtheuniverse.superviber.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycloak
                port:
                  number: 8080

    # Forgejo
    - host: git.beyondtheuniverse.superviber.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: forgejo
                port:
                  number: 3000
---
# Cross-namespace service references
# These ExternalName services allow the ingress namespace to route to other namespaces
#
# An Ingress backend must name a Service in the Ingress's own namespace; each
# Service below is a DNS alias to the real Service in another namespace.
# NOTE(review): whoever can edit Services in the `ingress` namespace can
# repoint a public hostname at any DNS name, so keep write access to this
# namespace tightly scoped via RBAC.
apiVersion: v1
kind: Service
metadata:
  name: vault
  namespace: ingress
spec:
  type: ExternalName
  # Alias for Service "vault" in namespace "vault".
  externalName: vault.vault.svc.cluster.local
  ports:
    # Matches the port number referenced by the Ingress backend.
    - port: 8200
---
apiVersion: v1
kind: Service
metadata:
  name: keycloak
  namespace: ingress
spec:
  type: ExternalName
  # Alias for Service "keycloak" in namespace "keycloak".
  externalName: keycloak.keycloak.svc.cluster.local
  ports:
    # Matches the port number referenced by the Ingress backend.
    - port: 8080
---
apiVersion: v1
kind: Service
metadata:
  name: forgejo
  namespace: ingress
spec:
  type: ExternalName
  # Alias for Service "forgejo" in namespace "forgejo".
  externalName: forgejo.forgejo.svc.cluster.local
  ports:
    # Matches the port number referenced by the Ingress backend.
    - port: 3000