apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-route
  namespace: kube-system
spec:
  entryPoints:
    - websecure
  routes:
    # Dashboard UI - Authelia 인증 필요
    - match: Host(`traefik0213.kro.kr`) && PathPrefix(`/dashboard`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: authelia-auth
          namespace: authelia
    # API - Authelia bypass (dashboard 내부 호출용)
    - match: Host(`traefik0213.kro.kr`) && PathPrefix(`/api`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
    # Root redirect to dashboard
    - match: Host(`traefik0213.kro.kr`) && Path(`/`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: authelia-auth
          namespace: authelia
  tls:
    secretName: traefik-dashboard-tls
---
# HTTP to HTTPS redirect
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: traefik-dashboard-http
  namespace: kube-system
spec:
  entryPoints:
    - web
  routes:
    - match: Host(`traefik0213.kro.kr`)
      kind: Rule
      services:
        - name: api@internal
          kind: TraefikService
      middlewares:
        - name: redirect-to-https
          namespace: kube-system
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-to-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true