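---
# Dedicated DNS-only hostname for the Gitea container registry.
#
# WHY: Docker registry pushes can't go through the Cloudflare proxy, which caps
# request bodies at 100 MB (413 Payload Too Large). `registry.rogi.casa` is a
# DNS-only (grey-cloud) record in Cloudflare pointing straight at the cluster,
# so Traefik serves it directly with a Let's Encrypt cert (HTTP-01). Git traffic
# on `git.rogi.casa` stays behind the Cloudflare proxy untouched.
#
# SECURITY: a grey-cloud record publishes the origin address, and requests to
# this host never pass through Cloudflare (no WAF, rate limiting or DDoS
# absorption). Whatever this Ingress routes is therefore reachable directly
# from the internet, so the rule below routes only the registry API (/v2)
# instead of all of Gitea. Access control on this host is Gitea's own
# authentication alone; rate limits or IP allow-lists, if wanted, have to be
# added at Traefik.
#
# Cloudflare setup:
#   A  registry.rogi.casa  DNS-only (grey cloud)
#
# Push with:
#   docker login registry.rogi.casa -u <username>
#   docker tag git.rogi.casa/roger/hermes-agent:v1.35-1 registry.rogi.casa/roger/hermes-agent:v1.35-1
#   docker push registry.rogi.casa/roger/hermes-agent:v1.35-1
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: gitea-registry
  namespace: gitea
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    # Allow large docker layer uploads (no upstream body-size cap from Traefik).
    # 0 means "no limit": with the Cloudflare cap bypassed, nothing in front of
    # Gitea bounds the size of an upload on this host.
    # NOTE(review): this annotation key looks like the Traefik 1.x form. The
    # Traefik v2+ Ingress provider attaches buffering through a Middleware
    # referenced by `traefik.ingress.kubernetes.io/router.middlewares` and does
    # not appear to read this key - confirm against the Traefik version running
    # in the cluster before relying on it.
    traefik.ingress.kubernetes.io/buffering: |
      maxRequestBodyBytes: 0
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - registry.rogi.casa
      secretName: gitea-registry-tls
  rules:
    - host: registry.rogi.casa
      http:
        paths:
          # Least privilege: route only the OCI registry API. Gitea serves the
          # registry, including its token endpoint, under /v2, so the web UI,
          # REST API and git-over-HTTP stay unreachable on this un-proxied
          # host and remain available only via git.rogi.casa.
          # The HTTP-01 challenge path is not needed here as long as
          # cert-manager creates its own solver Ingress (its default;
          # TODO confirm the letsencrypt-prod issuer does not use
          # edit-in-place).
          # Verify `docker login` and `docker push` after applying.
          - path: /v2
            pathType: Prefix
            backend:
              service:
                name: gitea
                port:
                  number: 80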