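---
# Ingress exposing the Vaultwarden (Bitwarden-compatible) password vault over
# HTTPS through an NGINX ingress controller, with the certificate issued by
# cert-manager.
#
# Each key sits on its own line: if the manifest is collapsed onto one line,
# everything after the first "#" becomes a comment and the resource loses its
# spec (TLS and routing rules included).
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: vaultwarden
  # NOTE(review): the vault shares the "default" namespace with whatever else
  # is deployed there; a dedicated namespace makes RBAC and NetworkPolicy
  # scoping for this workload easier - confirm this is intended.
  namespace: default
  annotations:
    # 1. Have cert-manager obtain and renew the TLS certificate. The
    #    referenced ClusterIssuer must already exist in the cluster.
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    # 2. WebSocket (ws:// and wss://) support for Vaultwarden/Bitwarden.
    # NOTE(review): the community ingress-nginx controller proxies WebSockets
    # without any annotation; "websocket-services" is documented for the
    # NGINX Inc. controller under the "nginx.org/" prefix. With this prefix
    # the line is probably ignored - verify against the controller in use.
    nginx.ingress.kubernetes.io/websocket-services: "vaultwarden"
    # 3. Timeouts in seconds (one hour), raised so that long-lived WebSocket
    #    connections are not closed while idle (optional, but recommended).
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
  # Must match the ingress class name of the running NGINX controller.
  ingressClassName: nginx
  # TLS is terminated at the ingress using the secret that cert-manager
  # creates. Every host under "rules" must also be listed here; a host that
  # is missing from this list is not covered by this certificate.
  tls:
    - hosts:
        - vaultwarden.sebastians-co.de
      secretName: vaultwarden-tls  # cert-manager will create this secret
  # Routing rules
  rules:
    - host: vaultwarden.sebastians-co.de
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: vaultwarden  # Must match the name of the Service
                port:
                  # Port the Service exposes (targetPort 80 to the pod).
                  # NOTE(review): port 80 suggests plain HTTP between the
                  # ingress controller and the pod; since this carries vault
                  # traffic, consider a NetworkPolicy that admits only the
                  # ingress controller to the Service - confirm against the
                  # cluster setup.
                  number: 80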