image:
  registry: mirror.gcr.io/library
  tag: "3.1.0"
  pullPolicy: IfNotPresent

websecure:
  tls:
    enabled: true

providers:
  kubernetesCRD:
    enabled: true
    allowEmptyServices: true
    allowExternalNameServices: true

  kubernetesIngress:
    allowEmptyServices: true
    allowExternalNameServices: true
    publishedService:
      enabled: true

deployment:
  replicas: 4

  annotations:
    keel.sh/policy: minor
    keel.sh/trigger: patch
    keel.sh/pollSchedule: "@midnight"

accessLog:
  format: json

# Globally redirect to https://
globalArguments:
 - --entryPoints.web.http.redirections.entryPoint.to=:443
 - --entryPoints.web.http.redirections.entryPoint.scheme=https

service:
  annotations:
    external-dns.alpha.kubernetes.io/hostname: traefik.k-space.ee
  spec:
    externalTrafficPolicy: Local

ingressRoute:
  dashboard:
    enabled: true
    domain: traefik.k-space.ee
    matchRule: Host(`traefik.k-space.ee`) && (PathPrefix(`/api`) || PathPrefix(`/dashboard`))
    entryPoints: ["websecure"]
    middlewares: 
      - name: "dashboard"
      - name: "dashboard-redirect"

tlsOptions:
  default:
    minVersion: VersionTLS12
    cipherSuites:
      # TLS 1.1 and 1.2 ciphers
      - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
      - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
      - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
      - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
      # TLS 1.3 ciphers
      - TLS_AES_128_GCM_SHA256
      - TLS_AES_256_GCM_SHA384
      - TLS_CHACHA20_POLY1305_SHA256