# Values for the Traefik chart (nested under the `traefik` key), running a
# cloudflared tunnel sidecar in each Traefik pod and pulling the tunnel
# token from an external secret store.
traefik:
  additionalArguments:
    # NOTE(review): api.insecure serves the Traefik API and dashboard without
    # authentication on the `traefik` entrypoint. Anything that can reach that
    # entrypoint on the pod can read the routing configuration. Confirm this is
    # intended; if so, restrict access to that port (e.g. NetworkPolicy) or
    # publish the dashboard through a router with an auth middleware instead.
    - '--api.insecure=true'

  ports:
    web:
      # Plain-HTTP requests on `web` get a permanent redirect to `websecure`.
      redirections:
        entryPoint:
          to: websecure
          scheme: https
          permanent: true

  deployment:
    replicas: 3
    additionalContainers:
      # One cloudflared connector per Traefik replica.
      - name: cloudflared
        # Pinned by tag. NOTE(review): a tag can be re-pointed upstream;
        # pinning by digest as well would make the image immutable.
        image: cloudflare/cloudflared:2025.2.1
        command:
          - cloudflared
          - tunnel
          - '--no-autoupdate'
          # Metrics server listens on all interfaces so the kubelet can reach
          # /ready for the liveness probe below; the same port is therefore
          # reachable on the pod IP from inside the cluster.
          - '--metrics'
          - '0.0.0.0:2000'
          - run
        env:
          # Tunnel token is injected from the `cloudflare-cred` Secret, which
          # the ExternalSecret under extraObjects creates. The key name here
          # must stay identical to that ExternalSecret's `secretKey`.
          - name: TUNNEL_TOKEN
            valueFrom:
              secretKeyRef:
                name: cloudflare-cred
                key: '7e903099-1fbe-48d1-93ac-0922859851a9.json'
        # A single failed or slow (>1s) /ready check restarts the container.
        livenessProbe:
          failureThreshold: 1
          httpGet:
            path: /ready
            port: 2000
            scheme: HTTP
          initialDelaySeconds: 10
          periodSeconds: 10
          successThreshold: 1
          timeoutSeconds: 1

  providers:
    file:
      enabled: true
      watch: true
      # Dynamic configuration declaring the `cloudflarewarp` middleware.
      # NOTE(review): this only defines the middleware; where it is attached
      # to routers or entrypoints is not shown here. With disableDefault set
      # to false the plugin presumably keeps its built-in trusted address
      # list - confirm that list matches the source address Traefik actually
      # sees, since traffic arrives via the cloudflared sidecar.
      content: |
        http:
          middlewares:
            cloudflarewarp:
              plugin:
                cloudflarewarp:
                  disableDefault: false

  experimental:
    plugins:
      # Third-party plugin that runs in the request path; version is pinned.
      cloudflarewarp:
        moduleName: github.com/BetterCorp/cloudflarewarp
        version: v1.3.3

  extraObjects:
    # Materialises the `cloudflare-cred` Secret from the `weyma-vault`
    # ClusterSecretStore: remote key `traefik`, property `cloudflare-token`,
    # re-synced every hour. creationPolicy Owner ties the Secret's lifetime
    # to this ExternalSecret.
    - apiVersion: external-secrets.io/v1beta1
      kind: ExternalSecret
      metadata:
        name: cloudflare-cred
      spec:
        refreshInterval: 1h
        secretStoreRef:
          name: weyma-vault
          kind: ClusterSecretStore
        target:
          name: cloudflare-cred
          creationPolicy: Owner
        data:
          - secretKey: '7e903099-1fbe-48d1-93ac-0922859851a9.json'
            remoteRef:
              key: traefik
              property: cloudflare-token