# Apply: kubectl apply -f manifests/network/traefik-dashboard-ingress.yaml
# Delete: kubectl delete -f manifests/network/traefik-dashboard-ingress.yaml
# Description: Traefik dashboard IngressRoute with Authentik auth, root redirect, and TLS certificate.
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard
  namespace: traefik
spec:
  entryPoints:
    - websecure
    - traefik
  routes:
    - match: Host(`traefik.home.arpa`) && PathPrefix(`/outpost.goauthentik.io`)
      kind: Rule
      services:
        - name: authentik-proxy-outpost
          namespace: authentik
          port: 9000
    - match: Host(`traefik.home.arpa`) && Path(`/`)
      kind: Rule
      middlewares:
        - name: redirect-to-dashboard
          namespace: traefik
      services:
        - name: api@internal
          kind: TraefikService
    - match: Host(`traefik.home.arpa`) && PathPrefix(`/dashboard`)
      kind: Rule
      middlewares:
        - name: authentik-auth
          namespace: authentik
      services:
        - name: api@internal
          kind: TraefikService
    - match: Host(`traefik.home.arpa`) && PathPrefix(`/api`)
      kind: Rule
      middlewares:
        - name: authentik-auth
          namespace: authentik
      services:
        - name: api@internal
          kind: TraefikService
  tls:
    secretName: traefik-dashboard-tls
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-dashboard
  namespace: traefik
spec:
  redirectRegex:
    regex: ^https://traefik.home.arpa/$
    replacement: https://traefik.home.arpa/dashboard/
    permanent: true
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: traefik-dashboard-tls
  namespace: traefik
spec:
  secretName: traefik-dashboard-tls
  issuerRef:
    name: internal-ca
    kind: ClusterIssuer
  dnsNames:
    - traefik.home.arpa