flux-infra/infra/traefik/helm-release.yaml

apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: traefik
  namespace: traefik
spec:
  chart:
    spec:
      chart: traefik
      reconcileStrategy: ChartVersion
      sourceRef:
        kind: HelmRepository
        name: traefik
      version: 31.1.1
  interval: 1m0s
  values:
    deployment:
      kind: DaemonSet
    affinity:
      nodeAffinity:
        requiredDuringSchedulingIgnoredDuringExecution:
          nodeSelectorTerms:
            - matchExpressions:
                - key: node-role.kubernetes.io/master
                  operator: Exists
            - matchExpressions:
                - key: node-role.kubernetes.io/control-plane
                  operator: Exists
    ports:
      web:
        redirectTo:
          port: websecure
      websecure:
        middlewares:
          - traefik-default-headers@kubernetescrd

    providers:
      kubernetesCRD:
        allowCrossNamespace: true

    ingressRoute:
      dashboard:
        enabled: true
        entryPoints:
          - websecure
        matchRule: Host(`traefik.${domain}`)
        middlewares:
          - name: forwardauth-authelia
            namespace: authelia
        tls:
          secretName: ${domain//./-}-tls

    # This is needed in order to properly forward the real ip to each service
    # There are likely better ways of handling that, but for now this works
    # TODO(Tim): Figure out how to properly forward the IP
    # hostNetwork: true
    service:
      spec:
        externalTrafficPolicy: Local
    # updateStrategy:
    #   rollingUpdate:
    #     maxUnavailable: 2
    #     maxSurge: 0