# Caddy Edge Proxy
replicaCount: 2
# Listen on standard HTTP port
listenPort: 80
# Enable HTTPS
https:
    enabled: true
    port: 443
image:
    repository: caddy
    pullPolicy: IfNotPresent
    tagSuffix: ""
    tag: 2.11.2
service:
    type: LoadBalancer
    externalTrafficPolicy: Local
# Disable ingress - Caddy IS the edge proxy
ingress:
    enabled: false
resources:
    requests:
        cpu: 100m
        memory: 128Mi
    limits:
        cpu: 500m
        memory: 256Mi
# Caddy needs root to bind to ports 80/443 and write runtime data
# Using restrictive security context causes "operation not permitted"
podSecurityContext: {}
securityContext: {}
health:
    path: /
    port: 9999
# Extra volumes: certificates + external routes ConfigMap
volumes:
    - name: certificates
      secret:
        secretName: ENC[AES256_GCM,data:Er1F+5xhWKUT43+7jU/pwxWP,iv:Ohc3jFIQ4Enmbhd0F44SYWJiHlj1oFOrMdtM4oYKQEU=,tag:Kk8Y8aFSKMyGmY/uRVvyLw==,type:str]
        optional: ENC[AES256_GCM,data:JdlpGQ==,iv:xaoqonC9cGHXizHuAFrjhC4ZEtZ2IICeg2hxvGjyFM4=,tag:JYmlIXgIMON7z4++FrBGKQ==,type:bool]
    - name: routes
      configMap:
        name: caddy-routes
# Extra volume mounts
volumeMounts:
    - name: certificates
      mountPath: /etc/caddy/certs
      readOnly: true
    - name: routes
      mountPath: /etc/caddy/routes
      readOnly: true
# Caddy configuration
config:
    debug: false
    # Global options (goes inside the global {} block)
    global: |
        auto_https off
    # The main Caddyfile content - imports routes from external ConfigMap
    # This keeps routes in a separate, easily editable file
    caddyFile: |
        :80 {
            redir https://{host}{uri} permanent
        }

        import /etc/caddy/routes/Caddyfile
affinity:
    podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                    matchLabels:
                        app.kubernetes.io/name: caddy
                topologyKey: kubernetes.io/hostname
sops:
    lastmodified: "2026-05-08T11:43:14Z"
    mac: ENC[AES256_GCM,data:K0HWw8yTPKy6e3aQV4SdiVwrCjiyCFlFbeycAiyJq4IdlKX9v4wFvjVFLR8VziH8oXJXdUUhr+LOiqNI5HwghXkVn2dOP2ij9jvXZtMic4P0AUN16PfWoedu9ozA+xsGHZ1OTUv+sxvKEUo5Z5Wp+u761w/Xqdn5hHmU2Komatk=,iv:ICwn/LvizIjXVfgiMje50dQ11JAH37wSla29bGAnjuA=,tag:mV7rtahUy4ODZaA7baM12w==,type:str]
    pgp:
        - created_at: "2026-05-08T11:43:13Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

            hQIMA7uy4qQr71wiAQ//aGnCSLLWTkhToTh833OJ1GwgN82F8R+RgsfpKIW+XNvI
            YdTCgaFrYdCGXsaLHijb7vVwCU0VRf/ufZfQp2+GupqRHCbMLSmlkoiyr9ImGlYX
            VWQDajv74H/3CcyCQNjqfFRdUHLE+rfNuYaH/p3+/Ee2bgJi52f3uRdJ4lXSCWIf
            KW9lLbwjlfGnOnsnDkaPwcZW9QL353Mi82yXOu7OihobUaVgr83nESXbAS/k4mx1
            whOXAoEDeLQZfZrITEewOQ0PHjWJwKc0x2YCiQ0If33GSfDjzWPoDuXmQo/xhk98
            Nt3aNTMDvjriGNOIcZyUlEjq1HqCmd3pQSD5h8soR9Do/NsTocyK1da49iz91dha
            jwoEga2iFis9Zd9rr7Caf3pWtmKENUGFJl15tpaelvk13jUebSyDubw0OIYbbILr
            dVZAeiOHrRMD5crxG05zvOeLMASuL/IrK97RLBAonZLEkRrfgAwZHK2U0rq2HXpI
            wlp4yDlF/eILvmMgAruP7lW0q/m5+DfxQtcZdamtm3FWj9m0iUAthvw02fplmFci
            xJ82rkfkPAZSm7/yPJ9yiea+tKgX8yk1uArRtf8rsG6SED2lCRKmux8ElcZc5DYV
            hyLivTN7X5Nr05mvaPIptCVm1iYoWaiQNZcPDax/LBZJhNaJgPUz1ue1Ppf422PS
            XgE4dh3x1ulcUhXm4nK/0FzKmJUOjcygPeGWmia0ZOEHub/ju+z8LgRAkBasqRXP
            4aepPm5xVY0g/Z0xksxIWpYUnLRzs0uUKd+zz1MvmWlZckxUO5wWJUWRcwCBDz4=
            =Ql2K
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2