autojanet/k8s/manifests/intake-ingress.yaml

---
# IngressRoute: janet.ctz.fyi → intake service
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: intake
  namespace: autojanet
  annotations:
    external-dns/internal: "true"
    external-dns.alpha.kubernetes.io/hostname: janet.ctz.fyi
spec:
  entryPoints:
    - websecure
  routes:
    - match: Host(`janet.ctz.fyi`)
      kind: Rule
      services:
        - name: intake
          port: 80
  tls:
    secretName: janet-ctz-fyi-tls
---
# Companion Ingress — cert-manager issues the cert, external-dns picks up the hostname
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: intake-dns
  namespace: autojanet
  annotations:
    external-dns/internal: "true"
    external-dns.alpha.kubernetes.io/hostname: janet.ctz.fyi
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - janet.ctz.fyi
      secretName: janet-ctz-fyi-tls
  rules:
    - host: janet.ctz.fyi