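---
# Internal registry endpoint used for in-cluster image pulls.
# There is no mTLS and no Pomerium in front of this host: Forgejo's own
# authentication is the only access control, and pods present credentials
# through an imagePullSecret.
#
# NOTE(review): this file originally described the host as "only accessible
# via cluster-internal DNS (no external-dns annotation)". The Host resource
# below does carry external-dns annotations, so that statement does not match
# the manifests. Confirm which one is intended.

# TLS certificate for the internal registry hostname.
# NOTE(review): if letsencrypt-dns is a public ACME issuer (as the name
# suggests), the hostname is recorded in public Certificate Transparency
# logs, so the name itself should not be treated as hidden.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: registry-internal-certificate
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: cert-manager.io/v1
      kind: Certificate
      metadata:
        name: registry-internal-tls
        namespace: emissary
      spec:
        secretName: registry-internal-tls
        issuerRef:
          name: letsencrypt-dns
          kind: ClusterIssuer
        dnsNames:
          - registry-internal.nge6.com
---
# Emissary Host that terminates TLS for the registry hostname.
# NOTE(review): the annotations below are external-dns annotations and the
# target is not an RFC 1918 address. If external-dns watches Host resources
# in this cluster, a record for registry-internal.nge6.com pointing at that
# address will be published. "Only reachable if you know the IP" is not an
# access control either way. If the endpoint must stay cluster-internal,
# remove both annotations and restrict the listener at the network level.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: registry-internal-host
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: getambassador.io/v2
      kind: Host
      metadata:
        name: registry-internal-host
        namespace: emissary
        annotations:
          external-dns.ambassador-service: emissary-ingress.emissary.svc.cluster.local
          external-dns.alpha.kubernetes.io/target: "212.2.241.28"
      spec:
        hostname: registry-internal.nge6.com
        tlsSecret:
          name: registry-internal-tls
---
# Mapping straight to the Forgejo HTTP service: no Pomerium, no mTLS.
# NOTE(review): prefix "/" routes every Forgejo path (web UI, API, git over
# HTTP), not only the container registry, through this unproxied host.
# Consider narrowing the prefix to the registry API path (OCI registries
# serve under /v2/) after verifying that the registry token endpoint is still
# reachable for clients.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: registry-internal-mapping
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: getambassador.io/v2
      kind: Mapping
      metadata:
        name: registry-internal-mapping
        namespace: emissary
      spec:
        host: registry-internal.nge6.com
        prefix: /
        service: http://forgejo-http.forgejo.svc.cluster.local:3000
        # Long request timeout (5 min) to allow large layer transfers.
        timeout_ms: 300000
        connect_timeout_ms: 10000
---
# imagePullSecret for the argo namespace.
# The credential is NOT stored in this file. The values below are
# placeholders; render the real .dockerconfigjson at deploy time from the
# cluster's secret store (External Secrets, Sealed Secrets, SOPS or similar).
# A username/password previously committed in this manifest must be treated
# as compromised: rotate it in Forgejo and purge it from repository history.
# Prefer a dedicated pull-only token over a personal account password, so a
# leaked pull secret cannot be used to push images or log in to the web UI.
apiVersion: kubernetes.crossplane.io/v1alpha2
kind: Object
metadata:
  name: argo-registry-pull-secret
  namespace: crossplane-system
spec:
  providerConfigRef:
    name: kubernetes-provider
  forProvider:
    manifest:
      apiVersion: v1
      kind: Secret
      metadata:
        name: forgejo-registry
        namespace: argo
      type: kubernetes.io/dockerconfigjson
      stringData:
        # "auth" is base64("<username>:<password>") and is as sensitive as
        # the password itself; base64 is an encoding, not encryption.
        .dockerconfigjson: |
          {"auths":{"registry-internal.nge6.com":{"username":"<REGISTRY_PULL_USERNAME>","password":"<REGISTRY_PULL_TOKEN>","auth":"<BASE64_OF_USERNAME_COLON_TOKEN>"}}}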