---
# k3s HelmChartConfig overriding the bundled Traefik chart values.
# Everything under valuesContent is passed to the chart as values.yaml.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      web:
        exposedPort: 8080
      websecure:
        exposedPort: 8443
    additionalArguments:
      # PROXY protocol headers are honoured only from these sources. A
      # trusted source can set the client IP that middlewares see, so keep
      # this list as narrow as possible.
      - "--entrypoints.websecure.proxyProtocol.trustedIPs=127.0.0.1/32,10.0.0.0/24"
      # Plain HTTP on web is redirected to HTTPS on the websecure port.
      - "--entrypoints.web.http.redirections.entryPoint.to=:8443"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      # 0s disables the read timeout on websecure; slow or idle clients can
      # then hold connections open indefinitely. Prefer a finite value unless
      # a specific backend needs unbounded request reads.
      - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0s"
      # ACME via Cloudflare DNS-01 so wildcard certificates can be issued.
      - "--certificatesresolvers.letsencrypt.acme.email=joshbicking@comcast.net"
      - "--certificatesresolvers.letsencrypt.acme.storage=/data/acme.json"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.letsencrypt.acme.dnschallenge.resolvers=1.1.1.1:53,8.8.8.8:53"
      - "--entrypoints.websecure.http.tls.certResolver=letsencrypt"
      # Public domain
      - "--entrypoints.websecure.http.tls.domains[0].main=bnuuy.org"
      - "--entrypoints.websecure.http.tls.domains[0].sans=*.bnuuy.org"
      # LAN-only domain
      - "--entrypoints.websecure.http.tls.domains[1].main=lan.bnuuy.org"
      - "--entrypoints.websecure.http.tls.domains[1].sans=*.lan.bnuuy.org"
      # Debugging aids; uncomment only while testing (DEBUG logs can include
      # request details, and the staging CA issues untrusted certificates).
      # - "--log.level=DEBUG"
      # - "--certificatesresolvers.letsencrypt.acme.caServer=https://acme-staging-v02.api.letsencrypt.org/directory"
    env:
      # Credentials for the DNS-01 challenge come from a Secret, never inline.
      # CLOUDFLARE_API_KEY is the account-wide global key; the cloudflare
      # provider also accepts a zone-scoped token via CF_DNS_API_TOKEN, which
      # limits the blast radius if the Secret leaks.
      - name: CLOUDFLARE_EMAIL
        valueFrom:
          secretKeyRef:
            name: cloudflare-secrets
            key: email
            optional: false
      - name: CLOUDFLARE_API_KEY
        valueFrom:
          secretKeyRef:
            name: cloudflare-secrets
            key: api-key
            optional: false
    persistence:
      enabled: true
      storageClass: local-path
    # acme.json holds the private keys; Traefik refuses it unless it is 0600.
    # The volume's group ownership otherwise widened it to 660, which surfaces
    # as the unhelpful "the router uses a non-existent resolver: " error.
    # https://github.com/traefik/traefik/issues/10241
    podSecurityContext:
      fsGroup: 65532
    deployment:
      initContainers:
        # Resets acme.json to 0600 before Traefik starts; only needed when the
        # volume provisioner leaves it with wider permissions.
        # Related issue: https://github.com/traefik/traefik-helm-chart/issues/396
        - name: volume-permissions
          # NOTE(review): a floating tag is mutable; pin to a digest
          # (busybox@sha256:<digest-placeholder>) for reproducible pulls.
          image: busybox:latest
          command: ["sh", "-c", "touch /data/acme.json; chmod -v 600 /data/acme.json"]
          securityContext:
            runAsNonRoot: true
            runAsGroup: 65532
            runAsUser: 65532
          volumeMounts:
            - name: data
              mountPath: /data
    service:
      spec:
        # Preserves the real client source IP at the cost of node-local routing.
        externalTrafficPolicy: Local
    providers:
      kubernetesCRD:
        # Lets an IngressRoute reference Middleware objects in other namespaces.
        # This crosses namespace boundaries, so anyone who can create
        # IngressRoutes can attach middleware they do not own; keep RBAC on
        # IngressRoute creation tight.
        allowCrossNamespace: true