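{{- /*
Renders, for every entry in .Values.instances, one Traefik IngressRoute and the
security-headers Middleware that the route attaches.

Values read here:
  .Values.ingress.annotations  optional map, copied onto each IngressRoute
  .Values.instances[].id       used in resource names and the instance label
  .Values.instances[].domain   host name matched by the route

.domain is interpolated verbatim into the Traefik rule expression, so it must
come from operator-controlled values, never from tenant-supplied input.
*/ -}}
{{- $ingress := .Values.ingress }}
{{- range .Values.instances }}
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: pocketbase-{{ .id }}
  labels:
    app: pocketbase
    {{- /* Quoted so an all-digit or boolean-looking id stays a string; label values must be strings. */}}
    instance: {{ .id | quote }}
    {{- include "pocketbase.labels" $ | nindent 4 }}
  {{- with $ingress.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  {{- /*
  NOTE(review): this route declares no tls section. Whether websecure terminates
  TLS for it, and whether web redirects to HTTPS, then depends on entry-point
  configuration outside this chart. Confirm before relying on the HSTS settings
  below, since browsers ignore HSTS received over plain HTTP.
  */}}
  entryPoints:
    - web
    - websecure
  routes:
    - match: Host(`{{ .domain }}`)
      kind: Rule
      services:
        - name: pocketbase-{{ .id }}
          port: 80
      middlewares:
        - name: pocketbase-{{ .id }}-headers
          {{- /*
          The Middleware below sets no namespace, so it is created in the release
          namespace. Reference it there instead of a hard-coded "default", which
          leaves the route without its headers middleware (or needing a
          cross-namespace reference) whenever the chart is installed elsewhere.
          */}}
          namespace: {{ $.Release.Namespace | quote }}
---
{{- /*
Middleware for security headers. This comment trims only to its left: trimming
on both sides would join the "---" separator to "apiVersion" and merge this
document into the IngressRoute above.
*/}}
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: pocketbase-{{ .id }}-headers
  labels:
    app: pocketbase
    instance: {{ .id | quote }}
    {{- include "pocketbase.labels" $ | nindent 4 }}
spec:
  headers:
    {{- /*
    HSTS for one year, including subdomains and the preload flag. This commits
    every subdomain of each instance domain to HTTPS. Confirm that holds before
    submitting any of these domains to a preload list.
    */}}
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    forceSTSHeader: true
    contentTypeNosniff: true
    {{- /* Emits the legacy X-XSS-Protection header; it does not replace a Content-Security-Policy. */}}
    browserXssFilter: true
    referrerPolicy: "strict-origin-when-cross-origin"
    customFrameOptionsValue: "SAMEORIGIN"
{{- end }}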