---
# SigNoz Ingress for Production
# SigNoz is deployed via Helm in the 'signoz' namespace
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: signoz-ingress-prod
  namespace: signoz
  labels:
    app.kubernetes.io/name: signoz
    app.kubernetes.io/component: ingress
  annotations:
    # Nginx ingress controller annotations
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
    nginx.ingress.kubernetes.io/rewrite-target: /$2
    nginx.ingress.kubernetes.io/use-regex: "true"

    # CORS configuration
    nginx.ingress.kubernetes.io/enable-cors: "true"
    nginx.ingress.kubernetes.io/cors-allow-origin: "https://bakewise.ai,https://monitoring.bakewise.ai"
    nginx.ingress.kubernetes.io/cors-allow-methods: "GET, POST, PUT, DELETE, OPTIONS, PATCH"
    nginx.ingress.kubernetes.io/cors-allow-headers: "Content-Type, Authorization, X-Requested-With, Accept, Origin"
    nginx.ingress.kubernetes.io/cors-allow-credentials: "true"

    # Security headers
    nginx.ingress.kubernetes.io/configuration-snippet: |
      more_set_headers "X-Frame-Options: SAMEORIGIN";
      more_set_headers "X-Content-Type-Options: nosniff";
      more_set_headers "X-XSS-Protection: 1; mode=block";
      more_set_headers "Referrer-Policy: strict-origin-when-cross-origin";

    # Rate limiting
    nginx.ingress.kubernetes.io/limit-rps: "100"
    nginx.ingress.kubernetes.io/limit-connections: "50"

    # Cert-manager annotations for automatic certificate issuance
    cert-manager.io/cluster-issuer: "letsencrypt-production"
    cert-manager.io/acme-challenge-type: http01

spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - monitoring.bakewise.ai
    secretName: signoz-prod-tls-cert
  rules:
  - host: monitoring.bakewise.ai
    http:
      paths:
      # SigNoz Frontend UI
      - path: /signoz(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: signoz-frontend
            port:
              number: 3301
      # SigNoz Query Service API
      - path: /signoz-api(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: signoz-query-service
            port:
              number: 8080
      # SigNoz AlertManager
      - path: /signoz-alerts(/|$)(.*)
        pathType: ImplementationSpecific
        backend:
          service:
            name: signoz-alertmanager
            port:
              number: 9093