---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: bookwyrm-ingress
  namespace: bookwyrm-application
  labels:
    app: bookwyrm
  annotations:
    # NGINX Ingress Configuration - Zero Trust Mode
    kubernetes.io/ingress.class: nginx
    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/client-max-body-size: "50m"
    # BookWyrm specific optimizations
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS"
    nginx.ingress.kubernetes.io/cors-allow-headers: "DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range,Authorization"
    
    # ActivityPub federation rate limiting - Light federation traffic for book reviews/reading
    # Uses real client IPs from CF-Connecting-IP header (configured in nginx ingress controller)
    nginx.ingress.kubernetes.io/limit-rps: "10"
    nginx.ingress.kubernetes.io/limit-burst-multiplier: "5"  # 50 burst capacity (10*5) for federation bursts
spec:
  ingressClassName: nginx
  tls: []  # Empty - TLS handled by Cloudflare Zero Trust
  rules:
  - host: bookwyrm.keyboardvagabond.com
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: bookwyrm-web
            port:
              number: 80