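apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: traefik
  namespace: traefik
spec:
  interval: 5m
  chart:
    spec:
      chart: traefik
      version: '22.x.x'
      sourceRef:
        kind: HelmRepository
        name: traefik-charts
        namespace: flux-system
      interval: 1m
#      valuesFiles:
#      - ./traefik-values.yaml
  values:
    # Static configuration passed to the Traefik binary as CLI flags.
    additionalArguments:
    # ACME via Cloudflare DNS-01; the API token is injected through the
    # CF_DNS_API_TOKEN env var below, never written into this file.
    - --certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare
    - --certificatesresolvers.cloudflare.acme.email=seanomik@gmail.com
    - --certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1
    # The storage file lives on the persistent volume mounted at /ssl-certs
    # (see persistence below) and holds the ACME account key plus every issued
    # private key, so its volume must not be world-readable.
    - --certificatesresolvers.cloudflare.acme.storage=/ssl-certs/acme-cloudflare.json

    # `--api.insecure` was removed: it served the API and dashboard without any
    # authentication on the `traefik` entrypoint (port 9000), and that port was
    # also exposed on the Service. The dashboard remains reachable only through
    # the ingressRoute below, on the TLS entrypoint.
    - --providers.kubernetesingress

    logs:
      general:
        # DEBUG is very verbose and can write request details (headers, paths)
        # to the pod log; lower to INFO once the setup is stable.
        level: DEBUG

    ports:
      # Internal entrypoint used by the chart's ping/health probes. Not exposed
      # on the Service any more, because nothing needs to reach it from outside
      # once --api.insecure is gone.
      traefik:
        port: 9000
        expose: false
        exposedPort: 9000
        # The port protocol (TCP/UDP)
        protocol: TCP
      # Plain-HTTP entrypoint.
      web:
        port: 8000
        expose: true
        exposedPort: 80
        # (optional) Permanent Redirect to HTTPS
        # redirectTo: websecure
        protocol: TCP
      # TLS entrypoint; certificates come from the cloudflare resolver above.
      websecure:
        port: 8443
        expose: true
        exposedPort: 443
        protocol: TCP
        tls:
          enabled: true
          certResolver: cloudflare
      # NOTE(review): expose: true publishes the metrics endpoint on the
      # Service as well; if Prometheus scrapes the pod directly this can be
      # expose: false — confirm against the scrape config.
      metrics:
        port: 9100
        expose: true
        exposedPort: 9100
        protocol: TCP

#    service:
#      enabled: true
#      single: true
#      type: LoadBalancer
#      externalIPs:
#        - 192.168.87.10

    # Cloudflare DNS token for the ACME DNS-01 challenge, read from a
    # Kubernetes Secret so the credential never lands in this manifest.
    env:
    - name: CF_DNS_API_TOKEN
      valueFrom:
        secretKeyRef:
          key: apiToken
          name: cloudflare-credentials

    # Dashboard IngressRoute, served on the websecure (TLS) entrypoint for the
    # matched host only. No middleware is attached, so the route itself does
    # not authenticate callers; the chart's ingressRoute.dashboard.middlewares
    # list is the place to add one — TODO(review) confirm an auth middleware
    # exists in this cluster before relying on it.
    ingressRoute:
      dashboard:
        enabled: true
        matchRule: Host(`k3st.***REMOVED***`) && (PathPrefix(`/dashboard/`) || PathPrefix(`/api`))
        entryPoints: ["websecure"]

    # Persistent Storage for the ACME state (account key and certificates).
    persistence:
      enabled: true
      name: ssl-certs
      size: 1Gi
      path: /ssl-certs

    #deployment:
    #  initContainers: 
    # The "volume-permissions" init container is required if you run into permission issues.
    # Related issue: https://github.com/containous/traefik/issues/6972
    #  - name: volume-permissions
    #    image: busybox:1.31.1
    #    command: ["sh", "-c", "chmod -Rv 600 /ssl-certs"]
    #    volumeMounts:
    #    - name: ssl-certs
    #      mountPath: /ssl-certs

    # Set Traefik as your default Ingress Controller, according to Kubernetes 1.19+ changes.
    ingressClass:
      enabled: true
      isDefaultClass: true

    metrics:
      prometheus:
        entryPoint: metrics

    namespaceOverride: traefik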