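# Network-restricted exposure of the "api" service through Traefik.
#
# Three routes share one Host and are ordered by priority (highest first):
#   1000  internal network (192.168.100.0/24) -> api, every path
#    500  any client, exact path "/"          -> api
#    100  everything else                     -> blocked-service (403 page)
#
# The rest of the file deploys blocked-service: a small nginx that answers
# every request with HTTP 403 and a static denial page.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: arti-api
  namespace: "{{ .Values.global.Category }}--{{ .Values.global.Name }}--{{ .Values.global.Type }}"
spec:
  entryPoints:
    - websecure
  routes:
    # Internal network gets full access.
    # NOTE(review): ClientIP is evaluated against the connection's remote
    # address as Traefik sees it, not against X-Forwarded-For. If a load
    # balancer, NAT or kube-proxy (externalTrafficPolicy: Cluster) rewrites
    # the source address to one inside 192.168.100.0/24, external requests
    # match this rule too. Confirm source-IP preservation before relying on it.
    - match: Host(`{{ .Values.global.Api.Url }}`) && ClientIP(`192.168.100.0/24`)
      kind: Rule
      priority: 1000
      services:
        - name: api
          port: 8000
    # External users only get the root path (exact match on "/").
    - match: Host(`{{ .Values.global.Api.Url }}`) && Path(`/`)
      kind: Rule
      priority: 500
      services:
        - name: api
          port: 8000
    # Block all other external access.
    # NOTE(review): this catch-all covers only this Host on the websecure
    # entry point; any other route or in-cluster path to the api service is
    # not restricted here and needs its own control (e.g. a NetworkPolicy).
    - match: Host(`{{ .Values.global.Api.Url }}`)
      kind: Rule
      priority: 100
      services:
        - name: blocked-service
          port: 80
  tls:
    certResolver: letsencrypt
---
# Service for blocked requests
apiVersion: v1
kind: Service
metadata:
  name: blocked-service
  namespace: "{{ .Values.global.Category }}--{{ .Values.global.Name }}--{{ .Values.global.Type }}"
spec:
  selector:
    app: blocked-nginx
  ports:
    - port: 80
      targetPort: 80
---
# nginx instance that serves the denial page for blocked-service.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: blocked-nginx
  namespace: "{{ .Values.global.Category }}--{{ .Values.global.Name }}--{{ .Values.global.Type }}"
spec:
  replicas: 1
  selector:
    matchLabels:
      app: blocked-nginx
  template:
    metadata:
      labels:
        app: blocked-nginx
    spec:
      containers:
        - name: nginx
          # NOTE(review): floating tag. Pin to a vetted version or image
          # digest so a rollout cannot silently pull a different image.
          image: nginx:alpine
          ports:
            - containerPort: 80
          volumeMounts:
            - name: nginx-config
              mountPath: /etc/nginx/conf.d
            - name: nginx-html
              mountPath: /usr/share/nginx/html
      volumes:
        - name: nginx-config
          configMap:
            name: blocked-nginx-config
        - name: nginx-html
          configMap:
            name: blocked-nginx-html
---
# nginx server block for the denial page.
apiVersion: v1
kind: ConfigMap
metadata:
  name: blocked-nginx-config
  namespace: "{{ .Values.global.Category }}--{{ .Values.global.Name }}--{{ .Values.global.Type }}"
data:
  default.conf: |
    server {
      listen 80;
      server_name _;
      server_tokens off;
      root /usr/share/nginx/html;

      # Every request is refused with a real 403 status; index.html is only
      # the body of that response. Serving it through try_files would answer
      # 200 OK, so API clients, monitoring and access logs would record
      # denied requests as successful.
      error_page 403 /index.html;

      location = /index.html {
        internal;
      }

      location / {
        return 403;
      }
    }
---
# Static body returned with the 403 response.
apiVersion: v1
kind: ConfigMap
metadata:
  name: blocked-nginx-html
  namespace: "{{ .Values.global.Category }}--{{ .Values.global.Name }}--{{ .Values.global.Type }}"
data:
  index.html: |
    Access Denied - Artifactory
    403
    Access Denied
    This endpoint is only accessible from the internal network.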