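{{- /* ================================================================== */ -}}
{{- /* Istio Gateway + VirtualService for uptime-kuma.                     */ -}}
{{- /* Both documents are rendered only when .Values.ingress.enabled is    */ -}}
{{- /* true and reuse the hosts/paths/tls lists from .Values.ingress.      */ -}}
{{- /* ================================================================== */ -}}
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "uptime-kuma.fullname" . -}}
{{- $namespace := include "uptime-kuma.namespace" . -}}
{{- /* The VirtualService below binds to the Gateway by this name, so both must stay in sync. */ -}}
{{- $gatewayName := $fullName -}}
{{- $svcPort := .Values.service.port }}
apiVersion: networking.istio.io/v1beta1
kind: Gateway
metadata:
  name: {{ $gatewayName }}
  namespace: {{ $namespace }}
  labels:
    {{- include "uptime-kuma.labels" . | nindent 4 }}
    {{- /* Optional labels that apply to the Istio Gateway only. */}}
    {{- if .Values.istio.gateway.extraLabels }}
    {{- toYaml .Values.istio.gateway.extraLabels | nindent 4 }}
    {{- end }}
  {{- /* Ingress-controller annotations are deliberately not copied; set Istio-specific ones here. */}}
  {{- with .Values.istio.gateway.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # Selects the ingress gateway pods that will serve this Gateway.
  # Falls back to the label used by the default Istio ingress gateway.
  selector:
    {{- .Values.istio.gateway.selector | default (dict "istio" "ingressgateway") | toYaml | nindent 4 }}
  servers:
    # HTTP server entry
    - port:
        number: 80
        name: http-{{ $fullName }} # Name must be unique per Gateway
        protocol: HTTP
      # Listen on the hosts defined in the ingress rules
      hosts:
        {{- range .Values.ingress.hosts }}
        - {{ .host | quote }}
        {{- end }}
      {{- /*
        The redirect is opt-in. When TLS is configured but
        .Values.istio.gateway.httpRedirect is unset, port 80 keeps serving the
        application in plaintext (login and session traffic included), so
        enable the redirect for any TLS deployment unless cleartext access is
        intended.
      */}}
      {{- if and .Values.ingress.tls .Values.istio.gateway.httpRedirect }}
      tls:
        httpsRedirect: true
      {{- end }}
    {{- /* HTTPS server entry - only rendered when TLS is configured. */}}
    {{- if .Values.ingress.tls }}
    - port:
        number: 443
        name: https-{{ $fullName }} # Name must be unique per Gateway
        protocol: HTTPS
      # Hosts are collected from every entry of the TLS section
      hosts:
        {{- range .Values.ingress.tls }}
        {{- range .hosts }}
        - {{ . | quote }}
        {{- end }}
        {{- end }}
      tls:
        mode: SIMPLE # Terminate TLS at the gateway
        {{- /*
          A server block carries a single credentialName, so only the FIRST
          entry of .Values.ingress.tls supplies the certificate. Hosts taken
          from later entries are still listed above and will be served with
          that first certificate; give each its own server block if they need
          different certificates.

          The Secret is looked up by the ingress gateway workload chosen by
          `selector`, so it normally has to live in that workload's namespace
          (commonly istio-system), which is not necessarily this release's
          namespace. Confirm against your mesh installation.

          `index ... 0` replaces the former `range ... break`, which only
          parses on Helm builds whose template engine supports `break`.
        */}}
        {{- with (index .Values.ingress.tls 0) }}
        credentialName: {{ required "ingress.tls[0].secretName is required for the HTTPS server" .secretName | quote }}
        {{- end }}
    {{- end }}
---
{{- /* ================================================================== */}}
{{- /* Istio VirtualService Configuration                                  */}}
{{- /* ================================================================== */}}
apiVersion: networking.istio.io/v1beta1
kind: VirtualService
metadata:
  name: {{ $fullName }}
  namespace: {{ $namespace }}
  labels:
    {{- include "uptime-kuma.labels" . | nindent 4 }}
    {{- if .Values.istio.virtualService.extraLabels }}
    {{- toYaml .Values.istio.virtualService.extraLabels | nindent 4 }}
    {{- end }}
  {{- with .Values.istio.virtualService.annotations }}
  annotations:
    {{- toYaml . | nindent 4 }}
  {{- end }}
spec:
  # Apply these rules to traffic coming through the Gateway defined above
  gateways:
    - {{ $gatewayName }}
  # Apply these rules for requests targeting the specified host(s)
  hosts:
    {{- range .Values.ingress.hosts }}
    - {{ .host | quote }}
    {{- end }}
  http:
    {{- /*
      Routes are not scoped per host: every path of every ingress host entry
      is emitted as a rule that applies to all hosts listed above.
    */}}
    {{- range .Values.ingress.hosts }}
    {{- range .paths }}
    {{- /* Ingress pathType is mapped to an Istio URI match; Prefix is the default. */}}
    {{- $pathType := .pathType | default "Prefix" }}
    - match:
        - uri:
            {{- if or (eq $pathType "Prefix") (eq $pathType "ImplementationSpecific") }}
            prefix: {{ .path | quote }}
            {{- else if eq $pathType "Exact" }}
            exact: {{ .path | quote }}
            {{- else }}
            {{- /* An empty `uri:` would render a match with no condition, i.e. match every request. */}}
            {{- fail (printf "unsupported ingress pathType %q (expected Prefix, Exact or ImplementationSpecific)" $pathType) }}
            {{- end }}
      # Route to the internal Kubernetes Service
      route:
        - destination:
            host: {{ $fullName }}
            port:
              number: {{ $svcPort }}
      {{- /* Add other Istio features like rewrite, headers, retries, timeouts here if needed */}}
    {{- end }}
    {{- end }}
{{- end }}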