# Ingress — KeyCape OIDC server (namespace: sso)
#
# kc.coulomb.social — OIDC discovery, /authorize, /token, /jwks, /userinfo
#
# This hostname is public — applications redirect users here for login.
# The auth.coulomb.social hostname (Authelia login UI) is where users
# actually enter their passwords; browsers are redirected there by KeyCape.
#
# Config points (see CONFIG.md):
#   CP-NK-004  kc.coulomb.social

apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: keycape
  namespace: sso
  labels:
    app.kubernetes.io/name: keycape
    app.kubernetes.io/part-of: net-kingdom-sso-mfa
    net-kingdom/component: sso
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.middlewares: >-
      sso-keycape-rate-limit@kubernetescrd,
      sso-keycape-hsts@kubernetescrd
spec:
  ingressClassName: traefik
  rules:
    - host: kc.coulomb.social
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: keycape
                port:
                  number: 8080
  tls:
    - secretName: kc-tls
      hosts:
        - kc.coulomb.social