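{{- if .Values.ingress.enabled }}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pieced-threema-gateway
  # Templated scalars are quoted so an empty or boolean-looking value renders
  # as a string instead of null/true.
  namespace: {{ .Values.namespace | quote }}
  annotations:
    {{- if .Values.ingress.tls.enabled }}
    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.issuer | quote }}
    {{- end }}
    # Optional source-IP allowlist for the webhook path. Threema publishes the
    # address ranges its gateway servers call out from; set
    # .Values.ingress.allowedSourceRanges (a list of CIDR strings) to that
    # list to restrict who can reach this path at all. Unset = open, as
    # before. This is defence in depth only: the backend's MAC verification
    # is what actually authenticates a callback, and the allowlist does not
    # replace it.
    # NOTE(review): the allowlist only works if the ingress controller sees
    # the real client address (service externalTrafficPolicy: Local, or
    # proxy-protocol / trusted forwarded headers from the load balancer).
    # Behind a plain cloud LB every request carries the LB's address and the
    # list either blocks everything or nothing — verify before relying on it.
    {{- with .Values.ingress.allowedSourceRanges }}
    nginx.ingress.kubernetes.io/whitelist-source-range: {{ join "," . | quote }}
    {{- end }}
    # Small body cap and short read timeout: a callback payload is tiny, so
    # this bounds what an unauthenticated client can make the backend buffer
    # before the MAC check rejects it.
    nginx.ingress.kubernetes.io/proxy-body-size: "128k"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
spec:
  ingressClassName: {{ .Values.ingress.className | quote }}
  {{- if .Values.ingress.tls.enabled }}
  # With TLS disabled the callback travels in clear text on the public side:
  # the MAC authenticates the sender but gives no confidentiality.
  # NOTE(review): confirm whether the Threema gateway requires an https
  # callback URL before shipping a non-TLS deployment.
  tls:
    - hosts:
        - {{ .Values.ingress.host | quote }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  {{- end }}
  rules:
    - host: {{ .Values.ingress.host | quote }}
      http:
        paths:
          # Only the webhook callback is reachable from the internet; /admin
          # and /api stay cluster-internal. pathType Exact also keeps
          # /webhooks/threema/<anything> from being routed to the backend.
          - path: /webhooks/threema
            pathType: Exact
            backend:
              service:
                name: pieced-threema-gateway
                port:
                  # Must stay an unquoted integer: the Ingress schema rejects
                  # a string here.
                  number: {{ .Values.service.port }}
{{- end }}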