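---
# Zero Trust Ingress Template
# Use this template for all new applications deployed via Cloudflare tunnels.
#
# Trust model: TLS terminates at the Cloudflare edge and requests arrive at
# the NGINX ingress controller as plain HTTP. Nothing in these manifests
# authenticates the caller, so access control rests on the controller being
# reachable only through the tunnel and on the policy enforced at the edge.
# NOTE(review): confirm the controller Service is not also exposed through a
# LoadBalancer or NodePort; if it is, the host below can be reached without
# passing the Cloudflare edge.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress
  namespace: app-namespace
  annotations:
    # Basic NGINX configuration only - no cert-manager or external-dns.
    # Deprecated class annotation; spec.ingressClassName below is the
    # supported field. Keep the two values identical.
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    # Optional: extended timeouts for long-running requests. One-hour
    # timeouts let idle or slow connections hold controller resources, so
    # remove these two annotations unless the application needs them.
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  ingressClassName: nginx
  tls: []  # Empty - TLS handled by Cloudflare edge
  rules:
    - host: app.keyboardvagabond.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: app-service
                port:
                  number: 80
---
# Optional: ActivityPub inbox rate limiting for fediverse applications.
# Delete this document for applications that do not federate.
#
# The limit uses the controller's built-in rate-limit annotations rather than
# server-snippet / configuration-snippet, because:
#   - limit_req_zone is only valid in the nginx http context, so it cannot
#     be declared from a server-snippet;
#   - a location block injected through configuration-snippet is nested in
#     the generated location and does not inherit proxy_pass, so matching
#     requests would not be proxied to the backend;
#   - snippet annotations let anyone who can edit an Ingress inject raw nginx
#     configuration into the shared controller, and current ingress-nginx
#     releases disable them by default (allow-snippet-annotations).
#
# The limit is keyed on the address nginx sees as the client.
# NOTE(review): behind a tunnel that is presumably the cloudflared connector,
# so all remote senders share one bucket unless the controller ConfigMap
# restores the client address from a forwarded header
# (use-forwarded-headers / forwarded-for-header) - confirm before relying on
# this as a per-sender limit.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: app-ingress-inbox
  namespace: app-namespace
  annotations:
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    # Needed for the /users/.*/inbox path. The controller then treats every
    # path for this host, including "/" on app-ingress, as a case-insensitive
    # regex location.
    nginx.ingress.kubernetes.io/use-regex: "true"
    # 10 requests per second per client address.
    nginx.ingress.kubernetes.io/limit-rps: "10"
    # Burst size is limit-rps * multiplier = 300 requests.
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "30"
spec:
  ingressClassName: nginx
  tls: []  # Empty - TLS handled by Cloudflare edge
  rules:
    - host: app.keyboardvagabond.com
      http:
        paths:
          - path: /inbox
            pathType: ImplementationSpecific
            backend:
              service:
                name: app-service
                port:
                  number: 80
          - path: /users/.*/inbox
            pathType: ImplementationSpecific
            backend:
              service:
                name: app-service
                port:
                  number: 80
---
# Service template
# ClusterIP Service (the default type) that both Ingress documents route to.
# The selector must match the labels on the application's pods, and
# targetPort must match the port the container listens on.
apiVersion: v1
kind: Service
metadata:
  name: app-service
  namespace: app-namespace
spec:
  selector:
    app: app-name
  ports:
    - name: http
      port: 80
      targetPort: 8080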