Fix: align ingress base and overlays - single host per environment

infrastructure/platform/networking/ingress/base/ingress.yaml

@@ -32,9 +32,6 @@ spec:
   tls:
   - hosts:
     - DOMAIN_PLACEHOLDER  # To be replaced by kustomize
-    - gitea.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
-    - registry.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
-    - mail.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
     secretName: TLS_SECRET_PLACEHOLDER  # To be replaced by kustomize
   rules:
   # Main application routes
@@ -55,38 +52,7 @@ spec:
             name: gateway-service
             port:
               number: 8000
-  # Gitea CI/CD route
+  # NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart
-  - host: gitea.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
+  # See infrastructure/cicd/gitea/values.yaml for ingress configuration
-    http:
+  # NOTE: Mail ingress is deployed separately via mailu-helm resource
-      paths:
+  # to avoid 503 errors when Mailu is not running
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: gitea-http
-            port:
-              number: 3000
-  # Gitea Container Registry route
-  # NOTE: Gitea's container registry is served on the same HTTP port (3000) under /v2/
-  # It does NOT run on a separate port - the registry.PORT config is not used for external access
-  - host: registry.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: gitea-http  # Service created by Gitea Helm chart
-            port:
-              number: 3000  # Same as HTTP port - registry is at /v2/ path
-  # Mail server web interface (webmail and admin)
-  - host: mail.DOMAIN_PLACEHOLDER  # To be replaced by kustomize
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: mailu-front
-            port:
-              number: 80

infrastructure/platform/networking/ingress/overlays/prod/kustomization.yaml

@@ -3,7 +3,6 @@ kind: Kustomization
 
 resources:
   - ../../base
-  - gitea-service.yaml
 
 namePrefix: prod-
 
@@ -15,26 +14,12 @@ patches:
       - op: replace
         path: /spec/tls/0/hosts/0
         value: bakewise.ai
-      - op: replace
-        path: /spec/tls/0/hosts/1
-        value: gitea.bakewise.ai
-      - op: replace
-        path: /spec/tls/0/hosts/2
-        value: registry.bakewise.ai
-      # NOTE: mail.bakewise.ai TLS is handled by separate mailu ingress
       - op: replace
         path: /spec/tls/0/secretName
         value: bakery-ia-prod-tls-cert
       - op: replace
         path: /spec/rules/0/host
         value: bakewise.ai
-      - op: replace
-        path: /spec/rules/1/host
-        value: gitea.bakewise.ai
-      - op: replace
-        path: /spec/rules/2/host
-        value: registry.bakewise.ai
-      # Mail rule removed - mail ingress is deployed separately via mailu-helm
       - op: add
         path: /metadata/annotations/nginx.ingress.kubernetes.io~1cors-allow-origin
         value: "https://bakewise.ai,https://www.bakewise.ai,https://mail.bakewise.ai,https://registry.bakewise.ai,https://gitea.bakewise.ai"
@@ -49,4 +34,7 @@ patches:
         value: "letsencrypt-production"
       - op: add
         path: /metadata/annotations/cert-manager.io~1acme-challenge-type
-        value: "http01"
+        value: "http01"
+# NOTE: Gitea and Registry ingresses are managed by Gitea Helm chart
+# See infrastructure/cicd/gitea/values-prod.yaml for production ingress configuration
+# NOTE: mail.bakewise.ai is handled by separate mailu ingress