From 667c778f27b5460ffc07713f8639ff8b07a108f7 Mon Sep 17 00:00:00 2001
From: IvanHunters <xorokhotnikov@gmail.com>
Date: Tue, 4 Nov 2025 02:29:24 +0300
Subject: [PATCH] [ingress] Enforce HTTPS-only for API This patch updates the
 default API Ingress to add the nginx.ingress.kubernetes.io/force-ssl-redirect
 annotation, ensuring all HTTP traffic (port 80) is redirected to HTTPS (port
 443). This prevents unencrypted external access and improves security.

```release-note
[ingress] Force HTTPS access for api.dev3.infra.aenix.org and block direct HTTP.
```

Signed-off-by: IvanHunters <xorokhotnikov@gmail.com>
---
 packages/system/cozystack-api/templates/api-ingress.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/packages/system/cozystack-api/templates/api-ingress.yaml b/packages/system/cozystack-api/templates/api-ingress.yaml
index d7670e71..54fdf54b 100644
--- a/packages/system/cozystack-api/templates/api-ingress.yaml
+++ b/packages/system/cozystack-api/templates/api-ingress.yaml
@@ -10,6 +10,7 @@ metadata:
   annotations:
     nginx.ingress.kubernetes.io/backend-protocol: HTTPS
     nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
   name: kubernetes
   namespace: default
 spec: