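---
# =============================================================================
# GAMILIT Backend - Ingress
# =============================================================================
# Purpose: Exposes backend API to the internet via HTTPS
# Domain: api.gamilit.com
# TLS: Enabled with Let's Encrypt
# Annotations: nginx ingress controller
#
# Everything routed here is reachable by unauthenticated internet clients.
# ingress-nginx annotations apply to the whole Ingress object, not to a single
# path, so any route that needs a tighter policy belongs in its own Ingress.
# =============================================================================

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gamilit-backend-ingress
  namespace: gamilit-production
  labels:
    app: gamilit
    component: backend
  annotations:
    # Ingress controller
    # NOTE(review): this annotation is the legacy selector; with
    # networking.k8s.io/v1 the replacement is spec.ingressClassName. Kept
    # unchanged here because the cluster's IngressClass name is not visible.
    kubernetes.io/ingress.class: "nginx"

    # TLS/SSL
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"

    # CORS
    # Credentials are allowed, so the origin list must stay an explicit
    # allowlist of first-party sites; never widen it to "*".
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://gamilit.com,https://www.gamilit.com"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, PATCH, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,X-CustomHeader,Keep-Alive,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Authorization"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

    # Rate limiting (enforced per client IP by the controller)
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-connections: "50"

    # Timeouts (seconds)
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "30"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "60"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "60"

    # Request size
    nginx.ingress.kubernetes.io/proxy-body-size: "10m"

    # Security headers
    # configuration-snippet is only honoured when the controller permits
    # snippet annotations (allow-snippet-annotations in the ingress-nginx
    # ConfigMap). Where that is disabled the Ingress is rejected or the
    # headers are silently absent, so verify the response headers after deploy.
    # Each directive must stay on one line: a line break inside the quoted
    # value would end up inside the header.
    # X-XSS-Protection is ignored by current browsers; it is kept as authored.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: SAMEORIGIN";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-XSS-Protection: 1; mode=block";
      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";
      more_set_headers "Permissions-Policy: geolocation=(), microphone=(), camera=()";

spec:
  tls:
    - hosts:
        - api.gamilit.com
      secretName: gamilit-backend-tls

  rules:
    - host: api.gamilit.com
      http:
        paths:
          # API routes
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: gamilit-backend
                port:
                  number: 3006

          # Health check
          # Prefix also matches sub-paths (/health/...), so the handler should
          # return status only, without build, dependency or host details.
          - path: /health
            pathType: Prefix
            backend:
              service:
                name: gamilit-backend
                port:
                  number: 3006

          # Metrics
          # Not routed from the public host. The original rule published
          # /metrics (service port 9090) to the internet with no access
          # restriction, although it was marked "restrict access". Scrape the
          # Service from inside the cluster instead, or publish it through a
          # separate Ingress that carries
          # nginx.ingress.kubernetes.io/whitelist-source-range with the
          # monitoring network's CIDRs. Original rule, for reference:
          #
          # - path: /metrics
          #   pathType: Prefix
          #   backend:
          #     service:
          #       name: gamilit-backend
          #       port:
          #         number: 9090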