# 03-03 Traefik Dashboard + ACME（合并版 HelmChartConfig）
# 说明：同一 chart 只能有一份 HelmChartConfig（name: traefik），所以 Dashboard 与 ACME 必须合并。
# 使用前：替换 <YOUR_REAL_EMAIL>；创建 cloudflare-api-token Secret；按实际修改 nodeSelector/trustedIPs/hosts。
---
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    # chart 39.x：expose 须为表，布尔会与默认 values 合并冲突并导致 helm upgrade 模板失败
    ports:
      web:
        expose:
          default: true
      websecure:
        expose:
          default: true
      traefik:
        expose:
          default: true

    additionalArguments:
      # Dashboard
      - "--api.dashboard=true"
      - "--api.insecure=true"

      # ACME（Cloudflare DNS-01）
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.resolvers=1.1.1.1:53,1.0.0.1:53"
      - "--certificatesresolvers.cloudflare.acme.email=<YOUR_REAL_EMAIL>"
      - "--certificatesresolvers.cloudflare.acme.storage=/data/acme.json"
      # - "--certificatesresolvers.cloudflare.acme.caserver=https://acme-staging-v02.api.letsencrypt.org/directory"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.provider=cloudflare"
      - "--certificatesresolvers.cloudflare.acme.dnschallenge.propagation.delayBeforeChecks=600"

      # 健康检查：/ping 走 443（给 HAProxy https httpchk 用）
      - "--ping=true"
      - "--ping.entryPoint=websecure"

      # PROXY protocol（HAProxy 前置时需要）
      - "--entrypoints.web.proxyProtocol.trustedIPs=192.168.2.0/24"
      - "--entrypoints.websecure.proxyProtocol.trustedIPs=192.168.2.0/24"

    env:
      - name: CF_DNS_API_TOKEN
        valueFrom:
          secretKeyRef:
            name: cloudflare-api-token
            key: api-token

    nodeSelector:
      kubernetes.io/hostname: ylc61

    # ping 绑定 websecure 时，chart 默认仍对 traefik(8080) 做 HTTP /ping → 404；与 chart 39 对齐探针
    deployment:
      healthchecksPort: 8443
      healthchecksScheme: HTTPS

    # persistence：将 /data 持久化，保证 acme.json 落盘
    # 显式 local-path：避免集群默认 StorageClass 为 longhorn 等未就绪时 Pod 长期 Pending
    persistence:
      enabled: true
      name: data
      accessMode: ReadWriteOnce
      size: 128Mi
      path: /data
      storageClass: local-path

---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: PathPrefix(`/dashboard`) || PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService