# Ingress — Authelia login portal (namespace: sso)
#
# auth.coulomb.social — Authelia login page; browsers are redirected here
#                       by KeyCape during the OIDC authorization flow.
#
# This hostname MUST be publicly reachable: users' browsers redirect here
# to enter their password. (MFA happens at the KeyCape layer, not here.)
#
# Config points (see CONFIG.md):
#   CP-NK-005  auth.coulomb.social

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: authelia
  namespace: sso
  labels:
    app.kubernetes.io/name: authelia
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: traefik
  rules:
    - host: auth.coulomb.social
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: authelia
                port:
                  number: 9091
  tls:
    - secretName: auth-tls
      hosts:
        - auth.coulomb.social