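{{- /*
Istio Gateway and VirtualService for ntfy.

Both documents are rendered only when .Values.ingress.enabled is true and
reuse the chart's Kubernetes Ingress values (.Values.ingress.hosts and
.Values.ingress.tls). Istio-specific settings come from .Values.istio.*.

Values read here:
  ingress.hosts[].host, ingress.hosts[].paths[].path / .pathType
  ingress.tls[].hosts, ingress.tls[].secretName
  istio.gateway.selector / extraLabels / annotations / httpRedirect
  istio.virtualService.extraLabels / annotations
  service.port
*/ -}}
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "ntfy.fullname" . -}}
{{- $namespace := include "ntfy.namespace" . -}}
{{- $svcPort := .Values.service.port -}}
{{- /* The VirtualService binds to the Gateway by name, so both documents share this value. */ -}}
{{- $gatewayName := $fullName }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: {{ $gatewayName }}
  namespace: {{ $namespace }}
  labels:
    {{- include "ntfy.labels" . | nindent 4 }}
    {{- with .Values.istio.gateway.extraLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- /* Kubernetes Ingress annotations generally do not carry over; only Istio-specific ones are read. */}}
  {{- with .Values.istio.gateway.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # Selects the ingress gateway pods that will serve this Gateway.
  # Defaults to `istio: ingressgateway`; override istio.gateway.selector if
  # the mesh's gateway deployment carries different labels.
  selector:
    {{- .Values.istio.gateway.selector | default (dict "istio" "ingressgateway") | toYaml | nindent 4 }}
  servers:
    # Plain-HTTP listener. Unless ingress.tls is set AND
    # istio.gateway.httpRedirect is true, requests on this port are served
    # unencrypted, including any credentials or message bodies clients send.
    - port:
        number: 80
        name: http-{{ $fullName }} # must be unique within the Gateway
        protocol: HTTP
      hosts:
        {{- range .Values.ingress.hosts }}
        - {{ .host | quote }}
        {{- end }}
      {{- if and .Values.ingress.tls .Values.istio.gateway.httpRedirect }}
      tls:
        httpsRedirect: true
      {{- end }}
    {{- if .Values.ingress.tls }}
    # HTTPS listener, rendered only when ingress.tls is configured.
    # Its host list comes from ingress.tls[].hosts, while the VirtualService
    # below uses ingress.hosts[].host; keep the two lists in agreement.
    - port:
        number: 443
        name: https-{{ $fullName }} # must be unique within the Gateway
        protocol: HTTPS
      hosts:
        {{- range .Values.ingress.tls }}
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
        {{- end }}
      tls:
        mode: SIMPLE # TLS is terminated at the gateway; traffic behind it is handled by the mesh
        # Only the FIRST ingress.tls entry supplies the certificate, even though
        # the hosts of every entry are listed above. For per-host certificates
        # use separate server blocks.
        # Istio looks the secret up in the namespace of the ingress gateway
        # workload (the pods matched by `selector`), which may differ from the
        # namespace of this Gateway resource.
        {{- with first .Values.ingress.tls }}
        credentialName: {{ required "ingress.tls[0].secretName is required for the HTTPS server" .secretName | quote }}
        {{- end }}
    {{- end }}
---
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ $fullName }}
  namespace: {{ $namespace }}
  labels:
    {{- include "ntfy.labels" . | nindent 4 }}
    {{- with .Values.istio.virtualService.extraLabels }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
  {{- with .Values.istio.virtualService.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # Rules apply only to traffic entering through this Gateway.
  gateways:
    - {{ $gatewayName }}
  hosts:
    {{- range .Values.ingress.hosts }}
    - {{ .host | quote }}
    {{- end }}
  http:
    {{- /*
    One rule per ingress path. The match has no host condition, so a path
    declared under one host is routed for every host listed above.
    */}}
    {{- range .Values.ingress.hosts }}
    {{- range .paths }}
    - match:
        - uri:
            {{- if eq .pathType "Exact" }}
            exact: {{ .path | quote }}
            {{- else }}
            # "Prefix" and any other pathType (e.g. ImplementationSpecific)
            # become a prefix match. This is a plain string prefix: "/foo"
            # also matches "/foobar", so prefer "Exact" where that matters.
            prefix: {{ .path | quote }}
            {{- end }}
      route:
        - destination:
            host: {{ $fullName }} # the ntfy Kubernetes Service
            port:
              number: {{ $svcPort }}
    {{- end }}
    {{- end }}
{{- end }}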