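# K8s Ingress for jacob.fetcherpay.com
# Option A: Route through existing nginx-ingress-controller (hostNetwork :443)
# Applies to namespace: fetcherpay (same as hermes)
#
# Prerequisites:
#   - DeerFlow nginx must be reachable from the host network on port 2026
#     (docker-compose already binds host:2026 → container:2026)
#   - cert-manager with ClusterIssuer "letsencrypt-prod" (same as hermes)
#   - The jacob-basic-auth Secret populated with a real htpasswd entry
#     (see the Secret document below; the real value must not be committed)
#   - microk8s kubectl apply -f jacob-k8s-ingress.yaml
#
# After apply, cert-manager will issue a new LE cert for jacob.fetcherpay.com
# and nginx-ingress will serve it instead of the fake cert.
---
# External Service pointing to DeerFlow nginx on the host.
# Since DeerFlow runs in Docker (not K8s), a selector-less Service is paired
# with a manually managed Endpoints object of the same name. The Service has
# no `clusterIP: None`, so it is not headless; it maps port 80 to the
# backend's 2026.
apiVersion: v1
kind: Service
metadata:
  name: jacob-deerflow
  namespace: fetcherpay
spec:
  ports:
    - port: 80
      targetPort: 2026
      protocol: TCP
---
# Endpoints for the Service above; the name and namespace must match it.
# The address is the host's own IP rather than localhost (Kubernetes rejects
# loopback addresses in Endpoints).
# NOTE(review): 104.190.60.129 is not an RFC 1918 address. If docker-compose
# publishes 2026 on all host interfaces, the backend is reachable directly on
# that address, bypassing the TLS and basic auth enforced by the Ingress.
# Confirm the port is firewalled or bound to a specific interface.
# The ingress-to-backend hop is plain HTTP.
apiVersion: v1
kind: Endpoints
metadata:
  name: jacob-deerflow
  namespace: fetcherpay
subsets:
  - addresses:
      - ip: 104.190.60.129
    ports:
      - port: 2026
---
# Basic auth secret for nginx-ingress (referenced by the auth-secret
# annotation on the Ingress below).
#
# The real value must not live in version control. An earlier revision of this
# file committed the htpasswd hash together with its plaintext password in a
# comment; treat that credential as compromised and rotate it.
#
# Preferred: delete this document and create the Secret out-of-band, letting
# htpasswd prompt for the password so it never appears in shell history:
#   htpasswd -cB auth USERNAME
#   microk8s kubectl -n fetcherpay create secret generic jacob-basic-auth \
#     --from-file=auth
#   rm auth
#
# The placeholder below is deliberately not valid base64, so an apply is
# expected to reject this document until it is replaced locally.
apiVersion: v1
kind: Secret
metadata:
  name: jacob-basic-auth
  namespace: fetcherpay
type: Opaque
data:
  # base64 of a single "USERNAME:<bcrypt $2y$ hash>" htpasswd line
  auth: "REPLACE_ME_base64_of_htpasswd_line"
---
# Ingress resource: terminates TLS for jacob.fetcherpay.com, enforces basic
# auth and proxies everything under / to the jacob-deerflow Service.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jacob-ingress
  namespace: fetcherpay
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Basic auth is the only access control in this manifest; the credential
    # is protected in transit only by the TLS configured under spec.tls.
    nginx.ingress.kubernetes.io/auth-type: basic
    nginx.ingress.kubernetes.io/auth-secret: jacob-basic-auth
    nginx.ingress.kubernetes.io/auth-realm: "Jacob - Authentication Required"
    # One-hour proxy timeouts with buffering disabled.
    # NOTE(review): presumably for long-lived or streaming responses; confirm
    # these limits and the 100m body size are actually required.
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-buffering: "off"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
spec:
  ingressClassName: nginx
  tls:
    - hosts:
        - jacob.fetcherpay.com
      # cert-manager stores the issued certificate in this Secret.
      secretName: jacob-fetcherpay-tls
  rules:
    - host: jacob.fetcherpay.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jacob-deerflow
                port:
                  number: 80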