apiVersion: extensions/v1beta1
kind: Ingress
metadata:
  annotations:
    # OAI-PMH uses HTTP transport, ie. we can't redirect *all* traffic to https.
    # However, we need to make sure that 'our internal' nginx redirects http:// -> https://
    # (except for /repository/oai).
    ingress.kubernetes.io/ssl-redirect: "false"
    # But just to be sure, we are /also/ redirecting here.
    ingress.kubernetes.io/configuration-snippet: |
      if ($scheme != "https") {
        set $rewrite_https 1;
      }
      if ($request_uri ~ "^/repository/oai") {
        set $rewrite_https 0;
      }
      if ($rewrite_https = 1) {
        return 301 https://$server_name$request_uri;
      }
    kubernetes.io/tls-acme: "true"
  name: dspace-ingress
  namespace: dspace
spec:
  rules:
  - host: clarin.eurac.edu
    http:
      paths:
      - backend:
        # we are deliberately misusing port:443 *without* SSL, i.e. *NO*
        # ingress.kubernetes.io/secure-backends: "true"
        # This will result in https:// redirectes generated from shibboleth
        # later on (without the need to change http:// to https://)
        # see https://github.com/nginx-shib/nginx-http-shibboleth/issues/22
        #
        # However, make sure to disable all enforce-SSL settings, for example
        # for the [dspace REST
        # API](https://wiki.duraspace.org/display/DSDOC5x/REST+API).
        #
        # For a general overview for SP reverse proxy-ing
        # see https://wiki.shibboleth.net/confluence/display/SHIB2/SPReverseProxy
        #
          serviceName: nginx
          servicePort: 443
        path: /
  tls:
  - hosts:
    - clarin.eurac.edu
    secretName: clarin-eurac-edu-tls