# Caddy Edge Proxy
# Helm values for the Caddy edge proxy, stored as a SOPS-encrypted file.
# NOTE(review): nesting below was reconstructed from a whitespace-collapsed
# copy; confirm key placement against the chart's values schema.
replicaCount: 2

# Listen on standard HTTP port
listenPort: 80

# Enable HTTPS
https:
  enabled: true
  port: 443

# NOTE(review): a version tag is mutable and pullPolicy IfNotPresent reuses
# whatever image a node already cached under it; pin by digest if the chart
# offers a field for it - TODO confirm.
image:
  repository: caddy
  pullPolicy: IfNotPresent
  tagSuffix: ""
  tag: 2.11.2

service:
  type: LoadBalancer
  annotations:
    # Requests this fixed address from Cilium LB-IPAM; stored in clear text
    # because the key does not match encrypted_regex.
    io.cilium/lb-ipam-ips: 10.1.2.152
  # Local preserves the client source IP seen by Caddy (access logs and any
  # IP-based rules depend on it); only nodes with a ready pod take traffic.
  # NOTE(review): assumed to belong under service - TODO confirm.
  externalTrafficPolicy: Local

# Disable ingress - Caddy IS the edge proxy
ingress:
  enabled: false

resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 256Mi

# Caddy needs root to bind to ports 80/443 and write runtime data
# Using restrictive security context causes "operation not permitted"
# NOTE(review): both contexts are empty, so this file applies no hardening
# (no runAsNonRoot, capability drop, read-only root filesystem or seccomp
# profile) to the edge-facing pod. Binding ports below 1024 needs only
# CAP_NET_BIND_SERVICE, not full root. The "operation not permitted" error is
# presumably from a context that dropped that capability or set
# allowPrivilegeEscalation: false - TODO confirm, then retry with all
# capabilities dropped except NET_BIND_SERVICE.
podSecurityContext: {}

securityContext: {}

# NOTE(review): presumably the probe endpoint; whether port 9999 is reachable
# through the Service is not visible here - verify it stays cluster-internal.
health:
  path: /
  port: 9999

# Extra volumes: certificates + external routes ConfigMap
volumes:
  - name: certificates
    # Everything under "secret" is encrypted because that key matches
    # .*secret.* in encrypted_regex. The file must be decrypted by
    # SOPS-aware tooling before the chart renders it; otherwise the ENC[...]
    # strings are passed through verbatim ("optional" decrypts to a bool).
    secret:
      secretName: ENC[AES256_GCM,data:uaAG/wW6cq2z2tK2gbjXMo/1,iv:hwWluZccIwdbcFg5Xr7uVtX66UJW+POWE97lug+nZiM=,tag:DB57b33GIxm9+FYDTNTA2w==,type:str]
      optional: ENC[AES256_GCM,data:4ZWBnA==,iv:BZtHxs0w9EJhkHSoxBTTaBpF3xnsXE/rKzHk0cSvQMU=,tag:JI1s2dptpfDMWnnYHsJtLw==,type:bool]
  - name: routes
    # The caddy-routes ConfigMap is defined outside this file. Whoever can
    # edit it controls routing at the edge, so restrict write access to it.
    configMap:
      name: caddy-routes

# Extra volume mounts
# Both mounts are read-only, so the running pod cannot rewrite its own
# certificates or routes.
volumeMounts:
  - name: certificates
    mountPath: /etc/caddy/certs
    readOnly: true
  - name: routes
    mountPath: /etc/caddy/routes
    readOnly: true

# Caddy configuration
config:
  debug: false
  # Global options (goes inside the global {} block)
  # auto_https off disables Caddy's automatic certificate management and its
  # automatic HTTP->HTTPS redirects. The imported routes must therefore name
  # the TLS certificate files explicitly and add any port-80 redirect by
  # hand, or plain HTTP is served as-is.
  global: |
    auto_https off
  # The main Caddyfile content - imports routes from external ConfigMap
  # This keeps routes in a separate, easily editable file
  # The import path is the mountPath of the "routes" volume above.
  caddyFile: |
    import /etc/caddy/routes/Caddyfile

# Soft (preferred) anti-affinity on the node hostname: the scheduler tries to
# spread replicas across nodes but may still co-locate them.
affinity:
  podAntiAffinity:
    preferredDuringSchedulingIgnoredDuringExecution:
      - weight: 100
        podAffinityTerm:
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: caddy
          topologyKey: kubernetes.io/hostname
# SOPS metadata, written by sops; do not edit by hand.
# - mac authenticates the document's values. Change values only through sops
#   and confirm the file still decrypts before committing.
# - pgp[].enc is the data key encrypted to the PGP recipient whose
#   fingerprint is fp.
# - encrypted_regex is anchored: only keys that match it, or sit under a key
#   that matches, are encrypted. Names such as "token" or "cert" would stay in
#   clear text, so check new secret-bearing keys against it.
sops:
  lastmodified: "2026-05-08T08:21:38Z"
  mac: ENC[AES256_GCM,data:MiF+wRCRfWNVrzcemHsAgyBHMSiXdxO4+ZXnJZaHdnJ4sCxQnJlWxrybZpJTF6n+QceqtV4WQjtnaZhHw5cSUZR9YVV+fsp8ySZOYD5iJJyNz9R4mjJg/JK2OR64DNRL91yGkucT8qT99eE6lUJTDk6EVVrCjByemRenrEq45b8=,iv:buCFuGLbv8GliY8RJn3Kss+Z+mXiT7JGbkPrL2wbbyQ=,tag:Ze6dcMHeCFRsgWnGUtG98Q==,type:str]
  pgp:
    - created_at: "2026-05-08T08:21:36Z"
      enc: |-
        -----BEGIN PGP MESSAGE-----

        hQIMA7uy4qQr71wiARAAodj8t2XLCt+C9ZokE3Ug8auwmMmuTUZnu8zxINfCVM6U
        eA373tI9U7lIXfC6o3AcM6Okk2/mCSJBcX8l4yxZ/CT/GPm2v8/tqdf66o2E4rxU
        r/YUyjnO82/k7c7Z8vndqQQMNJv9OU1yMRKrnhbh42Cd1ptuu8mt4XDRG806YssB
        iznuUupVpYOPyQ9TdwhMxGXvn6QI3EEgvdKnqzPnXyg95hy4Cl+cPsGYEJQgZ4qp
        e7ZJlT61O3TlEXrb9SzMYikR7St53vyNiIs7SnBwWEjum2ociaPaMz2yvRfoqMvY
        0mFfWlWhkTNBFeORoUbdtQCNKgrnh+es7t6frQlHFOV7yqATM4/UAGFaVXMhkFBh
        gGhAWfFTOuJBijEcsD8kBlMSoW+xR0izQs3IIDDPlBb7kepNZlBMV3ty9/Jynb+a
        cCxtRAoK23R7Yjck6RLdXt/XsDQ9UxMqabngr6OxQZyEX1EV0Y1xdSlRfA9tcp1X
        rjCSiFA2DD0xXg8LKIkq+GI+vndWtOq5qpO7KngFR02r5ilq+dT0NkRZmdim4stj
        xQ8OrxCzlY0kJWwL6d6LMpTVNdIhI4cZ9o5c/+X9ENHgeJpRWuu9y3DNn5Wvw2yY
        f0stU9CDCd21uo2XKQM+pEZ+0qfoFVZufDjz6jSiYm4TNfF98CcSvFMfcLqhlAvS
        XAEhHFmJsZJBbSElwRXS0/pf0UNSY90y2vf7JbH/IAbT/OyRIOcBXClPnSENkM0C
        KGV/N2wjfSTixWCQj7YMKuG0pb6w/4QXmmrfxatllXLUiRoUpuKZDd3f/M0C
        =fLGv
        -----END PGP MESSAGE-----
      fp: DC6910268E657FF70BA7EC289974494E76938DDC
  encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
  version: 3.10.2