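{{- if .Values.ingress.enabled }}
# Public Ingress for the Threema webhook receiver. Only the single webhook
# path is published; nothing else in the gateway (e.g. /admin, /api) gets a
# rule here, so those endpoints stay cluster-internal.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: pieced-threema-gateway
  # Templated names are passed through `quote` so they are always emitted as
  # YAML strings: a value that happens to look like a number or boolean is
  # not retyped by the parser, and a leading YAML indicator cannot change the
  # document structure.
  namespace: {{ .Values.namespace | quote }}
  annotations:
    {{- if .Values.ingress.tls.enabled }}
    cert-manager.io/cluster-issuer: {{ .Values.ingress.tls.issuer | quote }}
    {{- end }}
    # No source-IP restriction is applied at the edge. The chart relies on
    # the gateway's own per-request authentication (the "MAC check" the
    # original notes mention) instead. That check lives in the application,
    # not in this template, so it cannot be verified from here — confirm it
    # is enforced on every request to this path before relying on an open
    # Ingress. To also restrict at the edge, add
    #   nginx.ingress.kubernetes.io/whitelist-source-range: "<cidr>,<cidr>"
    # with Threema's published outbound webhook ranges (they are not pinned
    # in this chart, so they must be maintained by the operator).
    #
    # The nginx.ingress.kubernetes.io/* annotations only take effect when
    # ingressClassName resolves to an ingress-nginx controller; with another
    # controller they are silently ignored and no body/timeout bound applies.
    # Bound the request body and the upstream wait so an unauthenticated
    # caller cannot push large payloads at, or hold a connection open to,
    # the gateway.
    nginx.ingress.kubernetes.io/proxy-body-size: "128k"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "30"
spec:
  ingressClassName: {{ .Values.ingress.className | quote }}
  {{- if .Values.ingress.tls.enabled }}
  # With tls.enabled=false this block is omitted and the webhook is served
  # over plain HTTP from the internet. When enabled, the certificate for the
  # host is issued by cert-manager into secretName via the annotation above.
  tls:
    - hosts:
        - {{ .Values.ingress.host | quote }}
      secretName: {{ .Values.ingress.tls.secretName | quote }}
  {{- end }}
  rules:
    - host: {{ .Values.ingress.host | quote }}
      http:
        paths:
          # Exact match: only this one path is reachable from the internet;
          # any other path on the host is not routed to the gateway.
          - path: /webhooks/threema
            pathType: Exact
            backend:
              service:
                name: pieced-threema-gateway
                port:
                  # Must stay an integer — do not quote.
                  number: {{ .Values.service.port }}
{{- end }}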