# https://kubernetes.io/docs/concepts/services-networking/ingress
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webhook-flux-receiver
  namespace: flux-system
  annotations:
    # https://cert-manager.io/docs/usage/ingress/#supported-annotations
    # https://github.com/cert-manager/cert-manager/issues/2239
    cert-manager.io/cluster-issuer: letsencrypt-http
    cert-manager.io/private-key-algorithm: ECDSA
    cert-manager.io/private-key-size: 384
    kubernetes.io/ingress.class: traefik
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  tls:
  - hosts:
      - flux.k8s.forgejo.org
    secretName: tls-forgejo-flux-ingress-http
  rules:
  - host: flux.k8s.forgejo.org
    http:
      paths:
      - pathType: Prefix
        path: /
        backend:
          service:
            # pre-defined by flux
            name: webhook-receiver
            port:
              name: http
---
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: forgejo-flux-receiver
  namespace: flux-system
spec:
  type: github
  events:
    - "ping"
    - "push"
  secretRef:
    name: webhook-flux-token
  resources:
    - apiVersion: source.toolkit.fluxcd.io/v1
      kind: GitRepository
      # matching the GitRepository in gotk-sync.yaml
      name: flux-system
---
#
# The discussion that led to adding the following is
# https://matrix.to/#/!NdTYAXrlSgIkGNiPgQ:matrix.org/$fUvRAhXEnubBTxbads0unHm7UWUGfciX_3TcoIv7xKc?via=schinas.net&via=matrix.org&via=mozilla.org
#
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: cert-manager-acme-http-solver
  namespace: flux-system
spec:
  podSelector:
    matchLabels:
      acme.cert-manager.io/http01-solver: 'true'
  ingress:
    - {}
  policyTypes:
    - Ingress