---
# Service "guildhall": public entry point for the guildhall web component.
# type LoadBalancer plus the load-balancer.hetzner.cloud/* annotations below
# is what the Hetzner Cloud Controller Manager reads for this Service.
apiVersion: v1
kind: Service
metadata:
  name: guildhall
  namespace: guildhall
  labels:
    app.kubernetes.io/name: guildhall
    app.kubernetes.io/part-of: guildhouse
    app.kubernetes.io/component: web
    app.kubernetes.io/managed-by: manual
  # Hetzner Cloud Controller Manager annotations. Same annotation set as
  # keycloak/keycloak (checked against the cluster on 2026-04-21):
  # location / name / type / use-private-ip. algorithm-type and
  # uses-proxyprotocol are deliberately left out; the cluster convention
  # is the minimal set.
  #
  # NOTE(review): use-private-ip is 'false', so the load balancer presumably
  # reaches the nodes over their public addresses. Confirm the node firewall
  # does not leave the backing node port open to everyone.
  annotations:
    load-balancer.hetzner.cloud/location: nbg1
    load-balancer.hetzner.cloud/name: guildhall
    load-balancer.hetzner.cloud/type: lb11
    # Annotation values must be strings, hence the quotes.
    load-balancer.hetzner.cloud/use-private-ip: 'false'
spec:
  type: LoadBalancer
  # TLS ends at Cloudflare (orange cloud); the origin leg is plain HTTP on
  # port 80, forwarded to the app's port 4000. Same layout as
  # forgejo/keycloak. Moving to in-cluster TLS via cert-manager is a
  # hygiene follow-up, not part of v0.1.
  #
  # Until that follow-up lands, everything between Cloudflare and the pod
  # (session cookies and credentials included) crosses the origin leg
  # unencrypted and unauthenticated.
  #
  # NOTE(review): nothing in this manifest limits who may connect to port
  # 80. If the load balancer address is reachable directly, a request can
  # skip Cloudflare entirely, and the app cannot trust Cloudflare-supplied
  # client-IP headers. Confirm origin access is restricted to Cloudflare
  # elsewhere (not visible in this file).
  ports:
    # targetPort refers to a container port by name; the pod spec has to
    # declare a port called "http" (4000 per the note above).
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
  # Pods are matched on the plain "app" label, not on the
  # app.kubernetes.io/name label carried by this Service's own metadata.
  # NOTE(review): verify the workload's pod template sets app: guildhall;
  # any other pod in the namespace with that label also receives traffic.
  selector:
    app: guildhall