{{- if and .Values.ingressController.enabled (not .Values.ingressController.config.operatorMode) -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: {{ include "pomerium.authenticate.fullname" . }}
  labels:
    app.kubernetes.io/name: {{ include "pomerium.name" . }}
    app.kubernetes.io/instance: {{ .Release.Name }}
    app.kubernetes.io/managed-by: {{ .Release.Service }}
    helm.sh/chart: {{ include "pomerium.chart" . }}
  annotations:
    ingress.pomerium.io/allow_public_unauthenticated_access: "true"
{{- if not .Values.config.insecure }}
    ingress.pomerium.io/secure_upstream: "true"
{{- end }}
{{- with .Values.authenticate.ingress.annotations }}
{{ toYaml . | indent 4 }}
{{- end }}
spec:
  ingressClassName: {{ .Values.ingressController.ingressClassResource.name }}
  tls:
    - secretName: {{ default (include "pomerium.authenticate.tlsSecret.name" .) .Values.authenticate.ingress.tls.secretName }}
      hosts:
        - {{ include "pomerium.authenticate.hostname" . }}
  rules:
    - host: {{ template "pomerium.authenticate.hostname" . }}
      http:
        paths:
          - backend:
              service:
                name: {{ template "pomerium.authenticate.fullname" $ }}
                port:
                  name: {{ template "pomerium.httpTrafficPort.name" $ }}
            pathType: Prefix
            path: /
{{- end }}