apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: traefik
  namespace: traefik
spec:
  chart:
    spec:
      chart: traefik
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: traefik
      version: 31.1.1
  interval: 15m
  timeout: 5m
  values:
    deployment:
      kind: DaemonSet
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: node-role.kubernetes.io/master
                  operator: Exists
            - matchExpressions:
                - key: node-role.kubernetes.io/control-plane
                  operator: Exists
    ports:
      web:
        redirectTo:
          port: websecure
      websecure:
        middlewares:
          - traefik-default-headers@kubernetescrd

    providers:
      kubernetesCRD:
        allowCrossNamespace: true

    ingressRoute:
      dashboard:
        enabled: true
        entryPoints:
          - websecure
        matchRule: Host(`traefik.${domain}`)
        middlewares:
          - name: forwardauth-authelia
            namespace: authelia
        tls:
          secretName: ${domain//./-}-tls

    service:
      annotations:
        kube-vip.io/loadbalancerIPs: 10.0.2.2
      spec:
        externalTrafficPolicy: Local