Sync chart from pieced-threema-gateway 0.1.1

deploy/helm/pieced-threema-gateway/templates/ingress.yaml

@@ -0,0 +1,37 @@
+{{- if .Values.ingress.enabled }}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pieced-threema-gateway
+  namespace: {{ .Values.namespace }}
+  annotations:
+    {{- if .Values.ingress.tls.enabled }}
+    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.issuer | quote }}
+    {{- end }}
+    # Threema's outbound webhook IPs are publicly documented as the
+    # standard Threema infrastructure. Lock down if you want to be strict;
+    # otherwise leave open since the MAC check is the real security gate.
+    nginx.ingress.kubernetes.io/proxy-body-size: "128k"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
+spec:
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- if .Values.ingress.tls.enabled }}
+  tls:
+    - hosts:
+        - {{ .Values.ingress.host }}
+      secretName: {{ .Values.ingress.tls.secretName }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.ingress.host }}
+      http:
+        paths:
+          # Threema's CDN only ever hits /webhooks/threema. Don't expose
+          # /admin or /api from the internet — those go cluster-internal only.
+          - path: /webhooks/threema
+            pathType: Exact
+            backend:
+              service:
+                name: pieced-threema-gateway
+                port:
+                  number: {{ .Values.service.port }}
+{{- end }}