# Customise the k3s-bundled Traefik.
#
# k3s manages Traefik via a HelmChart named 'traefik' in kube-system; a
# HelmChartConfig of the same name MERGES these values into it (k3s re-runs the
# install).
#
# HTTP→HTTPS redirect is deliberately NOT done here at the entrypoint level.
# A global `entrypoints.web.http.redirections` is a catch-all that runs BEFORE
# any router, so it 301s the ACME HTTP-01 challenge
# (:80 /.well-known/acme-challenge/...) to HTTPS before cert-manager's solver
# can answer — and the solver isn't served on the websecure-only app ingresses,
# so the challenge 404s and Let's Encrypt issuance fails. Instead each app
# Ingress carries a `redirectScheme` Middleware (see
# apps/redirect-middleware.yaml + authentik/redirect-middleware.yaml): real
# traffic still gets 301'd to HTTPS, but port 80 stays open so the cert-manager
# solver (a separate, more-specific router with no middleware) can complete the
# challenge.
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
  name: traefik
  namespace: kube-system
spec:
  valuesContent: |-
    additionalArguments: []