apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: traefik-ingress
  namespace: default  
  # This annotation is good practice to ensure it uses the right entrypoint
  annotations:
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
spec:
  # This block is the key. It tells Ingress controllers like Traefik
  # to use the specified secret for TLS termination for the listed hosts.
  tls:
  - hosts:
    - "*.headshed.it" # Or a specific subdomain like test.headshed.it
    secretName: wildcard-headshed-it-tls # <-- The name of the secret you created
  
  rules:
  - host: nginx.headshed.it # The actual domain you will use to access the service
    http:
      paths:
      - path: /
        pathType: Prefix
        backend:
          service:
            name: nginx-storage # The name of the k8s service for your app
            port:
              number: 80 # The port your service is listening on