homeprod/kubernetes/system/caddy/values.yaml

# Caddy Edge Proxy
replicaCount: 2
# Listen on standard HTTP port
listenPort: 80
# Enable HTTPS
https:
    enabled: true
    port: 443
image:
    repository: caddy
    pullPolicy: IfNotPresent
    tagSuffix: ""
    tag: 2.11.2
service:
    type: LoadBalancer
    externalTrafficPolicy: Local
# Disable ingress - Caddy IS the edge proxy
ingress:
    enabled: false
resources:
    requests:
        cpu: 100m
        memory: 128Mi
    limits:
        cpu: 500m
        memory: 256Mi
# Caddy needs root to bind to ports 80/443 and write runtime data
# Using restrictive security context causes "operation not permitted"
podSecurityContext: {}
securityContext: {}
health:
    path: /
    port: 9999
# Extra volumes: certificates + external routes ConfigMap
volumes:
    - name: certificates
      secret:
        secretName: ENC[AES256_GCM,data:1HAy4ntUhnklTlxZgF92RLdT,iv:Vz/nfWy8yie5qre7+yzVzDpO1IW3x4SUJBQIzggGMJY=,tag:+HXDFjKHCJLjE5uW3HsEGQ==,type:str]
        optional: ENC[AES256_GCM,data:6WPvqQ==,iv:CAxOsnyPZhLLQ4/xfDNFu8mgKVz5keDG0gfopL69v70=,tag:Nta3ov4Zmgu1uwI/1JRsWg==,type:bool]
    - name: routes
      configMap:
        name: caddy-routes
# Extra volume mounts
volumeMounts:
    - name: certificates
      mountPath: /etc/caddy/certs
      readOnly: true
    - name: routes
      mountPath: /etc/caddy/routes
      readOnly: true
# Caddy configuration
config:
    debug: false
    # Global options (goes inside the global {} block)
    global: |
        auto_https off
    # The main Caddyfile content - imports routes from external ConfigMap
    # This keeps routes in a separate, easily editable file
    caddyFile: |
        import /etc/caddy/routes/Caddyfile
affinity:
    podAntiAffinity:
        preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              podAffinityTerm:
                labelSelector:
                    matchLabels:
                        app.kubernetes.io/name: caddy
                topologyKey: kubernetes.io/hostname
sops:
    lastmodified: "2026-05-08T08:49:14Z"
    mac: ENC[AES256_GCM,data:pcStIiaO4zwMLYlpA3FZlwtesiXmhOcclk6GdQ5QRziGv/Te2bUuWGVA6EaeGJML6Mo0JG3jfyua6qQbPdVp6MBt34clcqoU51BG1Nxa6li0K2oqnJlo4evuhJqW1QDzPZZWs8XZaga6rEKNtLwp1R2CIKJU4V5wZAInnqGrnh8=,iv:bhGiargUSIvJ7vePYLBiyG/ZmXDjWyG0x55NG7kxSH8=,tag:H2dIz/JrPGg53BLOvz6ikg==,type:str]
    pgp:
        - created_at: "2026-05-08T08:49:14Z"
          enc: |-
            -----BEGIN PGP MESSAGE-----

            hQIMA7uy4qQr71wiAQ//VaH0Exxuw7YlBSLJc2UuNPVzDxkd6udLgpfLerMePX1s
            9HeJslI2vcUG2lN8Pg9ZxTwqOJHsJDhetKNYIhTJ8ig899FWAz0DMG49Pv6QSQiM
            eS8Mji6FavAhT9AkIgK635HbNqPQewBsYEyMTL3rScz5a2XEsgsNx+rta4HsFp0F
            yqlXv/AIbxkr22edHbbfnTU+fcdEcprtaaqIg0hi1gUVqOLp+lZgakr+nfbY9KkB
            5Y6KZFv2fYJ7xLgugT97sTXbk9YkQ+qjUvFVICkRDneTGmLfNocr+9KWe48KMXAN
            QJ7Kb5rFkZLUko92i6KOnJlk4rbtmD2/pECmDeR1PX1ACZDRmcJMCSO0tdbuLS3C
            8zEBsyebl5je4b91bncWNMjkXklhaF4FC8U5m2FP0BwQoGYq+9R3rGTv4Nx5ycPk
            D4KfKY8p8kn7/AnhpBrFRg1E7YGERipMX6BvcXvgBHHUntp3VXdRG5HzHW3Fs1wq
            w1HRQcm5VZpKfgJ4WoQ/aQB4clXrHBA+JNrrOhJ2LgRAIvayl0IKA/3ZZMahacbc
            R1B96qr+2v160vDFp1ocZcDo72cWdCZ03t1eNPaaM7NKVsszD5WjYOomRh7ndLh1
            l+MK3pvuqF6bekfFNmDVDgt9cpSl0UJ7wo2ZreSn5XhOXY88b7neu2BzUQOlU3LS
            XAGnHhe99cHTE9NnH7egRZUMDhKI5gn1OkCgKCqBIcYp1gDKiPYdAHK7yjv0aJR/
            j/VDwJzcB97ooiHmTRYrg5GpUEELkeZ6TIrjvZqOySXG9wIU74o8JUIyGtvt
            =z8ER
            -----END PGP MESSAGE-----
          fp: DC6910268E657FF70BA7EC289974494E76938DDC
    encrypted_regex: ^(password|value|ssh-key|api-key|user|username|privateKey|clientSecret|clientId|apiKey|extraArgs.*|.*Secret.*|extraEnvVars|.*SECRET.*|.*secret.*|key|.*Password|.*\.ya?ml)$
    version: 3.10.2