{{- if eq .Values.cilium.cluster "hel1" }}
# TODO: Move to ListenerSets when those get promoted to GA
# Resources:
# - https://gateway-api.sigs.k8s.io/geps/gep-1713/
# - https://github.com/kubernetes-sigs/gateway-api/issues/1713
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: kube-system
spec:
  infrastructure:
    annotations:
      load-balancer.hetzner.cloud/location: hel1
      load-balancer.hetzner.cloud/type: lb11
      load-balancer.hetzner.cloud/name: load-balancer-1
      load-balancer.hetzner.cloud/use-private-ip: "true"
      load-balancer.hetzner.cloud/uses-proxyprotocol: "true"
      load-balancer.hetzner.cloud/http-redirect-https: "false"
  gatewayClassName: cilium
  listeners:
    - name: http
      protocol: HTTP
      port: 80
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
    - name: https
      protocol: HTTPS
      port: 443
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: wildcard-oceanbox-io
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
    - name: https-hel1
      protocol: HTTPS
      port: 443
      hostname: "*.hel1.oceanbox.io"
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: wildcard-hel1-oceanbox-io
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
    - name: https-internal
      protocol: HTTPS
      port: 443
      hostname: "*.adm.hel1.obx"
      tls:
        certificateRefs:
          - group: ''
            kind: Secret
            name: wildcard-adm-hel1-obx
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
    - name: ssh
      protocol: TCP
      port: 22
      allowedRoutes:
        namespaces:
          from: Selector
          selector:
            matchLabels:
              shared-gateway-access: "true"
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-oceanbox-io
spec:
  secretName: wildcard-oceanbox-io
  commonName: oceanbox.io
  dnsNames:
    - oceanbox.io
    - "*.oceanbox.io"
  issuerRef:
    name: letsencrypt-prod-dns01
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-hel1-oceanbox-io
spec:
  secretName: wildcard-hel1-oceanbox-io
  dnsNames:
    - "*.hel1.oceanbox.io"
  issuerRef:
    name: letsencrypt-prod-dns01
    kind: ClusterIssuer
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: wildcard-adm-hel1-obx
spec:
  secretName: wildcard-adm-hel1-obx
  dnsNames:
    - "*.adm.hel1.obx"
  issuerRef:
    name: ca-issuer
    kind: ClusterIssuer
{{- end}}