---
# Middleware para redirección HTTP → HTTPS
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: student-enrollment
spec:
  redirectScheme:
    permanent: true
    scheme: https
---
# Middleware para security headers
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: security-headers
  namespace: student-enrollment
spec:
  headers:
    frameDeny: true
    contentTypeNosniff: true
    browserXssFilter: true
    referrerPolicy: "strict-origin-when-cross-origin"
    customResponseHeaders:
      X-Robots-Tag: "noindex, nofollow"
---
# IngressRoute HTTP - Redirección a HTTPS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: academia-http-redirect
  namespace: student-enrollment
spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`academia.ingeniumcodex.com`)
      middlewares:
        - name: redirect-https
          namespace: student-enrollment
      services:
        - name: student-frontend
          port: 80
---
# IngressRoute HTTPS - Principal con TLS
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: academia-https
  namespace: student-enrollment
spec:
  entryPoints:
    - websecure
  routes:
    # API GraphQL
    - kind: Rule
      match: Host(`academia.ingeniumcodex.com`) && PathPrefix(`/graphql`)
      middlewares:
        - name: security-headers
          namespace: student-enrollment
      services:
        - name: student-api
          port: 8080
    # Health check
    - kind: Rule
      match: Host(`academia.ingeniumcodex.com`) && PathPrefix(`/health`)
      services:
        - name: student-api
          port: 8080
    # Frontend (catch-all)
    - kind: Rule
      match: Host(`academia.ingeniumcodex.com`)
      middlewares:
        - name: security-headers
          namespace: student-enrollment
      services:
        - name: student-frontend
          port: 80
  tls:
    certResolver: letsencrypt