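---
# Shared HTTPS Gateway: terminates TLS for *.k8s.hnrx.net with a wildcard
# certificate and accepts routes from every namespace.
apiVersion: gateway.networking.k8s.io/v1
kind: Gateway
metadata:
  name: shared-gateway
  namespace: default
  labels:
    # Intended to give the Gateway an address from the "default" IP pool.
    # The pool/selector that matches this label is defined outside this file.
    bgp.cilium.io/ip-pool: default
  annotations:
    # Names the ClusterIssuer that cert-manager should use for this Gateway's
    # TLS secret.
    # NOTE(review): the original comment on this block described external-dns
    # discovering the Gateway, but no external-dns annotation is set here;
    # the only annotation present is the cert-manager one below.
    cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
spec:
  gatewayClassName: envoy-gateway-class
  listeners:
    - name: https
      # Quoted: a plain scalar starting with "*" would be read as a YAML alias.
      hostname: '*.k8s.hnrx.net'
      protocol: HTTPS
      port: 443
      allowedRoutes:
        namespaces:
          # NOTE(review): "All" lets a route in any namespace attach to this
          # listener and claim any hostname under *.k8s.hnrx.net, served with
          # the shared wildcard certificate. If not every namespace is trusted
          # to do that, switch to "from: Selector" with a namespace label
          # selector so only opted-in namespaces can bind.
          from: All
      tls:
        # TLS ends at the Gateway; the key material comes from the Secret
        # referenced below.
        mode: Terminate
        certificateRefs:
          - name: shared-gateway-tls
---
# Wildcard certificate backing the Gateway listener above; cert-manager writes
# the key pair into the Secret "shared-gateway-tls".
# NOTE(review): the Gateway also carries the cert-manager.io/cluster-issuer
# annotation. With cert-manager's Gateway API integration enabled, that
# annotation presumably makes cert-manager manage a Certificate for the same
# Secret, so this explicit resource may be redundant or contended. Confirm and
# keep one mechanism.
# NOTE(review): the wildcard private key is stored in the "default" namespace;
# confirm that read access to Secrets there is tightly scoped.
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: shared-gateway-tls
  namespace: default
spec:
  secretName: shared-gateway-tls
  dnsNames:
    # ACME issuers can only issue wildcard names via a DNS-01 challenge; the
    # issuer itself is defined outside this file.
    - '*.k8s.hnrx.net'
  issuerRef:
    name: cloudflare-cluster-issuer
    kind: ClusterIssuer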