deployment:
  kind: DaemonSet
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: node-role.kubernetes.io/master
              operator: Exists
        - matchExpressions:
            - key: node-role.kubernetes.io/control-plane
              operator: Exists
ports:
  web:
    redirectTo:
      port: websecure
  websecure:
    middlewares:
      - traefik-default-headers@kubernetescrd

providers:
  kubernetesCRD:
    allowCrossNamespace: true

ingressRoute:
  dashboard:
    enabled: true
    entryPoints:
      - websecure
    matchRule: Host(`traefik.${domain}`)
    middlewares:
      - name: forwardauth-authelia
        namespace: authelia
    tls:
      secretName: ${domain//./-}-tls

service:
  annotations:
    kube-vip.io/loadbalancerIPs: 10.0.2.2
  spec:
    externalTrafficPolicy: Local