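{{- /*
Flux HelmRelease that installs the "traefik" chart when .Values.controller is
"traefik". The chart values run Traefik as a DaemonSet, optionally on the host
network, and, when .Values.traefik.logs.metrics is set, add a Vector sidecar
plus OTLP access-log arguments pointing at localhost:4317.
*/ -}}
{{- if (eq .Values.controller "traefik") }}
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: traefik
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: traefik
      chart: traefik
  # Install/test/upgrade/drift policies are taken verbatim from the shared
  # commons values.
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    # Turn off Traefik's version check and anonymous usage reporting.
    globalArguments:
      - "--global.checknewversion=false"
      - "--global.sendanonymoususage=false"
    deployment:
      # No in-cluster Traefik workload when .Values.external is set.
      enabled: {{ toYaml (not .Values.external) }}
      kind: DaemonSet
      {{- if .Values.hostNetwork }}
      dnsPolicy: ClusterFirstWithHostNet
      {{- end }}
      podAnnotations:
        {{- if .Values.traefik.logs.metrics }}
        # Hash of the rendered Vector ConfigMap template, so a config change
        # alters the pod template.
        checksum/vector-config: {{ include (print $.Template.BasePath "/traefik/vector/configmap.yaml") $ | sha256sum }}
      {{- if .Values.traefik.logs.geoip.enabled }}
      initContainers:
        # NOTE(review): "alpine" carries no tag or digest, so each node pulls
        # whatever the mutable default tag currently points at; pin a tag or
        # digest. The database is fetched at pod start with no checksum or
        # signature check: use an https URL from a trusted source and verify
        # the file before Vector reads it. The URL is interpolated into a
        # shell script, so it must only ever come from trusted operator values.
        - name: "download-geoip"
          image: "alpine"
          command:
            - sh
            - -c
            - |
              cd /usr/share/GeoIP
              wget -O geoip-db.mmdb {{ .Values.traefik.logs.geoip.url | quote}}
              # gunzip geoip-db.mmdb.gz
          volumeMounts:
            - mountPath: "/usr/share/GeoIP"
              name: geoip
      {{- end }}
      additionalContainers:
        - name: "vector"
          image: docker.io/timberio/vector:0.45.0-debian
          args:
            - --watch-config
            - --watch-config-method
            - poll
          livenessProbe:
            httpGet:
              path: /health
              port: vector-api
          volumeMounts:
            - mountPath: "/etc/vector/vector.yaml"
              subPath: "vector.yaml"
              name: vector-config
              readOnly: true
            {{- if .Values.traefik.logs.geoip.enabled }}
            - mountPath: "/usr/share/GeoIP"
              name: geoip
            {{- end }}
          ports:
            - name: vector-api
              containerPort: 8686
              protocol: TCP
            - name: vector-metrics
              containerPort: 9116
              protocol: TCP
      additionalVolumes:
        - name: vector-config
          configMap:
            name: traefik-vector
        {{- if .Values.traefik.logs.geoip.enabled }}
        # Scratch volume shared by the download init container and Vector.
        # The Kubernetes volume source key is emptyDir; a bare "empty" key is
        # not a volume source, which leaves the volume without a type.
        - name: geoip
          emptyDir: {}
        {{- end }}
      {{- end }}
    hostNetwork: {{ .Values.hostNetwork }}
    # maxSurge 0 / maxUnavailable 1: replace one pod at a time, never running
    # two Traefik pods on the same node (they would contend for host ports).
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
        maxSurge: 0
    service:
      enabled: false
      ipFamilyPolicy: PreferDualStack
      ipFamilies:
        - IPv6
        - IPv4
    additionalArguments:
      {{- with .Values.traefik.additionalArguments }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
      {{- if .Values.traefik.logs.metrics }}
      # Access logs leave Traefik as plaintext OTLP/gRPC on localhost:4317,
      # presumably received by the Vector sidecar.
      # NOTE(review): with hostNetwork enabled, "localhost" is the node's
      # loopback, shared with every host-network process on that node;
      # confirm what listens on 4317 in that mode.
      - --experimental.otlpLogs=true
      - --accesslog=true
      - --accesslog.otlp=true
      - --accesslog.otlp.grpc=true
      - --accesslog.otlp.grpc.endpoint=localhost:4317
      - --accesslog.otlp.grpc.insecure=true
      {{- end }}
    # Tolerates control-plane taints and runs at system-cluster-critical
    # priority, so the proxy is also scheduled on control-plane nodes.
    tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      - key: "node-role.kubernetes.io/control-plane"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node-role.kubernetes.io/master"
        operator: "Exists"
        effect: "NoSchedule"
    priorityClassName: "system-cluster-critical"
    ports:
      metrics:
        port: 9111
      web:
        hostPort: 80
        {{- if .Values.hostNetwork }}
        port: 80
        {{- end }}
        asDefault: true
      websecure:
        hostPort: 443
        {{- if .Values.hostNetwork }}
        port: 443
        {{- end }}
        asDefault: true
        http3:
          enabled: true
      {{- with .Values.traefik.ports }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    gateway:
      listeners:
        web:
          port: 80
    {{- if .Values.hostNetwork }}
    # Host-network mode listens on 80/443 directly, hence NET_BIND_SERVICE.
    # NOTE(review): podSecurityContext: null presumably removes the chart's
    # default pod-level security context; confirm against the chart's
    # values.yaml that the container does not end up running as root.
    podSecurityContext: null
    securityContext:
      capabilities:
        add:
          - "NET_BIND_SERVICE"
    {{- end }}
    providers:
      kubernetesIngress:
        publishedService:
          enabled: true
      kubernetesGateway:
        enabled: true
    # NOTE(review): the dashboard and /api are routed on the "websecure"
    # entry point (host port 443) for lb.<domain>, and no middleware is
    # attached here. Confirm authentication or an IP allow-list is applied
    # elsewhere (the chart accepts ingressRoute.dashboard.middlewares).
    ingressRoute:
      dashboard:
        enabled: {{ toYaml (not .Values.external) }}
        matchRule: Host(`lb.{{ .Values.commons.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        entryPoints:
          - "traefik"
          - "websecure"
    {{- if .Values.external }}
    hub:
      enabled: false
    ingressClass:
      enabled: false
      isDefaultClass: true
    rbac:
      enabled: false
    {{- else }}
    logs:
      general:
        format: "json"
        level: WARN
      access:
        # File/stdout access log is only used when the OTLP path is off.
        # NOTE(review): this reads .Values.logs.access while the other log
        # switches live under .Values.traefik.logs; confirm the path.
        enabled: {{ toYaml (and .Values.logs.access (not .Values.traefik.logs.metrics)) }}
        format: "json"
    {{- end }}
    metrics:
      prometheus:
        {{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        # Only emitted when the cluster serves the ServiceMonitor API.
        service:
          enabled: true
        serviceMonitor:
          enabled: true
          additionalLabels:
            {{- toYaml $.Values.commons.prometheus.monitor.labels | nindent 12 }}
        {{- end }}
    {{- if .Values.commons.tracing.enabled }}
    # Trace export: gRPC when commons.tracing.grpc.enabled, otherwise HTTP.
    # The gRPC "insecure" flag is operator-supplied; plaintext export is only
    # appropriate on a trusted network path to the collector.
    tracing:
      otlp:
        enabled: true
        {{- if .Values.commons.tracing.grpc.enabled }}
        grpc:
          enabled: true
          insecure: {{ .Values.commons.tracing.grpc.insecure }}
          endpoint: {{ .Values.commons.tracing.grpc.endpoint }}
        {{- else }}
        http:
          enabled: true
          endpoint: {{ .Values.commons.tracing.http.endpoint }}
        {{- end }}
    {{- end }}
{{- end }}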