feat(ingress): wire up max_body_size as Traefik buffering middleware

The max_body_size variable existed but was never used. Now creates a
per-ingress buffering middleware enforcing maxRequestBodyBytes (default 50MB).

[ci skip]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

modules/kubernetes/ingress_factory/main.tf

@@ -123,6 +123,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
         var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
+        "${var.namespace}-body-size-${var.name}@kubernetescrd",
       ], var.extra_middlewares)))
       "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
     }, var.extra_annotations)
@@ -203,3 +204,20 @@ resource "kubernetes_manifest" "custom_csp" {
     }
   }
 }
+
+# Max request body size middleware - enforces var.max_body_size per ingress
+resource "kubernetes_manifest" "body_size" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "body-size-${var.name}"
+      namespace = var.namespace
+    }
+    spec = {
+      buffering = {
+        maxRequestBodyBytes = parseint(replace(var.max_body_size, "m", ""), 10) * 1024 * 1024
+      }
+    }
+  }
+}