# 03-03 Traefik Dashboard + ACME 合并配置（HelmChartConfig）
# 含：Dashboard、ACME（Cloudflare DNS-01）、ping、PROXY protocol（与 03-02 一致）
# 使用前：替换 <YOUR_REAL_EMAIL>，创建 cloudflare-api-token Secret，按实际修改 nodeSelector/trustedIPs
# 部署：kubectl apply -f traefik-dashboard-acme.yaml
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    ports:
      web:
        expose: true
      websecure:
        expose: true

    additionalArguments:
      - "--api.dashboard=true"
      - "--api.insecure=true"

      - "--log.level=INFO"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"  # 测试用，上线前删除
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"

      - "--ping=true"
      - "--ping.entryPoint=websecure"

      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"

    env:
      - name: CF_DNS_API_TOKEN
        valueFrom:
          secretKeyRef:
            name: cloudflare-api-token
            key: api-token

    nodeSelector:
      kubernetes.io/hostname: ylc61

---
# 显式 IngressRoute（与 03-01 一致，确保 /dashboard 可达； Helm ingressRoute.dashboard 在 K3s chart 中未必生效）
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService