apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: cog-runtime
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.tls: "true"
spec:
  ingressClassName: traefik
  tls:
    - secretName: cog-tls
      hosts:
        - cog.loop42.de
  rules:
    - host: cog.loop42.de
      http:
        paths:
          # MCP SSE — separate pod, survives runtime restarts
          - path: /mcp
            pathType: Prefix
            backend:
              service:
                name: cog-mcp
                port:
                  number: 80
          # WebSocket + REST API — runtime pod
          - path: /ws
            pathType: Prefix
            backend:
              service:
                name: cog-runtime
                port:
                  number: 80
          - path: /api
            pathType: Prefix
            backend:
              service:
                name: cog-runtime
                port:
                  number: 80
          - path: /health
            pathType: Prefix
            backend:
              service:
                name: cog-runtime
                port:
                  number: 80
          - path: /auth
            pathType: Prefix
            backend:
              service:
                name: cog-runtime
                port:
                  number: 80
          # Frontend — nginx, catch-all (must be last)
          - path: /
            pathType: Prefix
            backend:
              service:
                name: cog-frontend
                port:
                  number: 80