{{- if (eq .Values.controller "traefik") }}
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  name: traefik
spec:
  chart:
    spec:
      sourceRef:
        kind: HelmRepository
        name: traefik
      chart: traefik
  install:
    {{- toYaml .Values.commons.helm.release.install | nindent 4 }}
  test:
    {{- toYaml .Values.commons.helm.release.test | nindent 4 }}
  upgrade:
    {{- toYaml .Values.commons.helm.release.upgrade | nindent 4 }}
  driftDetection:
    {{- toYaml .Values.commons.helm.release.driftDetection | nindent 4 }}
  interval: 10m
  values:
    globalArguments:
      - "--global.checknewversion=false"
      - "--global.sendanonymoususage=false"
    deployment:
      enabled: {{ toYaml (not .Values.external) }}
      kind: DaemonSet
    hostNetwork: {{ .Values.hostNetwork }}
    updateStrategy:
      rollingUpdate:
        maxUnavailable: 1
        maxSurge: 0

    service:
      enabled: false
      ipFamilyPolicy: PreferDualStack
      ipFamilies:
        - IPv6
        - IPv4

    {{- with .Values.traefik.additionalArguments }}
    additionalArguments:
      {{- toYaml . | nindent 6 }}
    {{- end }}

    tolerations:
      - key: "CriticalAddonsOnly"
        operator: "Exists"
      - key: "node-role.kubernetes.io/control-plane"
        operator: "Exists"
        effect: "NoSchedule"
      - key: "node-role.kubernetes.io/master"
        operator: "Exists"
        effect: "NoSchedule"

    priorityClassName: "system-cluster-critical"

    ports:
      metrics:
        port: 9111
      web:
        hostPort: 80
        {{- if .Values.hostNetwork }}
        port: 80
        {{- end }}
        asDefault: true
      websecure:
        hostPort: 443
        {{- if .Values.hostNetwork }}
        port: 443
        {{- end }}
        asDefault: true
        http3:
          enabled: true
      {{- with .Values.traefik.ports }}
      {{- toYaml . | nindent 6 }}
      {{- end }}
    {{- if .Values.hostNetwork }}
    podSecurityContext: null
    securityContext:
      capabilities:
        add:
          - "NET_BIND_SERVICE"
    {{- end }}

    providers:
      kubernetesIngress:
        publishedService:
          enabled: true

    ingressRoute:
      dashboard:
        enabled: {{ toYaml (not .Values.external) }}
        matchRule: Host(`lb.{{ .Values.commons.ingress.domain }}`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
        entryPoints:
          - "traefik"
          - "websecure"

    {{- if .Values.external }}
    hub:
      enabled: false
    ingressClass:
      enabled: false
      isDefaultClass: true
    rbac:
      enabled: false
    {{- end }}

    metrics:
      prometheus:
        {{- if (.Capabilities.APIVersions.Has "monitoring.coreos.com/v1/ServiceMonitor") }}
        service:
          enabled: true
        serviceMonitor:
          additionalLabels:
            {{- toYaml $.Values.commons.prometheus.monitor.labels | nindent 12 }}
        {{- end }}
{{- end }}