# Customise the k3s-bundled Traefik: redirect ALL HTTP (:80) → HTTPS (:443)
# globally, for every Ingress on the cluster.
#
# k3s manages Traefik via a HelmChart named 'traefik' in kube-system; a
# HelmChartConfig of the same name MERGES these values into it (k3s re-runs the
# install). We inject the redirect as Traefik static-config args
# (additionalArguments) — version-independent, unlike the chart's
# ports.web.redirectTo value which didn't render on this chart version.
#
# HTTP-01 ACME is unaffected: Let's Encrypt follows the 308 to HTTPS, so
# cert-manager challenges still validate.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments:
      # to=:443 (NOT 'websecure') — the websecure entrypoint listens on :8443
      # internally, which isn't exposed; redirect to the public 443 instead.
      - "--entrypoints.web.http.redirections.entrypoint.to=:443"
      - "--entrypoints.web.http.redirections.entrypoint.scheme=https"
      - "--entrypoints.web.http.redirections.entrypoint.permanent=true"