apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: mailu-ingress
  namespace: bakery-ia
  labels:
    app.kubernetes.io/name: mailu
    app.kubernetes.io/component: ingress
    environment: production
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # CRITICAL: Headers for Mailu compatibility to fix webmail redirect loop
    nginx.ingress.kubernetes.io/configuration-snippet: |
      # Set proper headers for Mailu
      more_set_headers "X-Forwarded-Proto $scheme";
      more_set_headers "X-Forwarded-Port $server_port";
      more_set_headers "X-Original-Forwarded-For $http_x_forwarded_for";

      # Handle redirects properly to prevent loops for webmail
      proxy_redirect https://$host https://$host;
      proxy_redirect http://$host https://$host;

      # Ensure proper host header
      proxy_set_header Host $host;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Proto $scheme;
    # Additional proxy settings for Mailu
    nginx.ingress.kubernetes.io/proxy-set-headers: "X-Forwarded-Proto https"
spec:
  ingressClassName: nginx
  tls:
  - hosts:
    - mail.bakewise.ai
    secretName: bakery-ia-prod-tls-cert
  rules:
  - host: mail.bakewise.ai
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: mailu-front
            port:
              number: 80