From 8c4942779f2f1bdd2c7182d6d3b6fd895edbfccc Mon Sep 17 00:00:00 2001
From: Viktor Barzin <vbarzin@gmail.com>
Date: Wed, 18 Mar 2026 08:36:01 +0000
Subject: [PATCH] feat(ingress): wire up max_body_size as Traefik buffering
 middleware

The max_body_size variable existed but was never used. Now creates a
per-ingress buffering middleware enforcing maxRequestBodyBytes (default 50MB).

[ci skip]

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 modules/kubernetes/ingress_factory/main.tf | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf
index 9a86a429..b25eb465 100644
--- a/modules/kubernetes/ingress_factory/main.tf
+++ b/modules/kubernetes/ingress_factory/main.tf
@@ -123,6 +123,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
         var.rybbit_site_id != null ? "traefik-strip-accept-encoding@kubernetescrd" : null,
         var.rybbit_site_id != null ? "${var.namespace}-rybbit-analytics-${var.name}@kubernetescrd" : null,
         var.custom_content_security_policy != null ? "${var.namespace}-custom-csp-${var.name}@kubernetescrd" : null,
+        "${var.namespace}-body-size-${var.name}@kubernetescrd",
       ], var.extra_middlewares)))
       "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
     }, var.extra_annotations)
@@ -203,3 +204,20 @@ resource "kubernetes_manifest" "custom_csp" {
     }
   }
 }
+
+# Max request body size middleware - enforces var.max_body_size per ingress
+resource "kubernetes_manifest" "body_size" {
+  manifest = {
+    apiVersion = "traefik.io/v1alpha1"
+    kind       = "Middleware"
+    metadata = {
+      name      = "body-size-${var.name}"
+      namespace = var.namespace
+    }
+    spec = {
+      buffering = {
+        maxRequestBodyBytes = parseint(replace(var.max_body_size, "m", ""), 10) * 1024 * 1024
+      }
+    }
+  }
+}