---
# /app/* — Zitadel Auth via oauth2-proxy (beide Domains)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: erpnext-app-auth
  namespace: erpnext
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.priority: "100"
spec:
  ingressClassName: traefik
  rules:
    - host: expertfab.de
      http:
        paths:
          - path: /app
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
    - host: www.expertfab.de
      http:
        paths:
          - path: /app
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
  tls:
    - hosts:
        - expertfab.de
        - www.expertfab.de
      secretName: expertfab-tls
---
# /oauth2/* — OIDC Callback-Handling (beide Domains)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: erpnext-oauth2
  namespace: erpnext
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
    traefik.ingress.kubernetes.io/router.priority: "100"
spec:
  ingressClassName: traefik
  rules:
    - host: expertfab.de
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
    - host: www.expertfab.de
      http:
        paths:
          - path: /oauth2
            pathType: Prefix
            backend:
              service:
                name: oauth2-proxy
                port:
                  number: 4180
  tls:
    - hosts:
        - expertfab.de
        - www.expertfab.de
      secretName: expertfab-tls