From 7238095a77e6be349b84a20677751dbc5fb9e81c34601bc7b7951f688a8b5698 Mon Sep 17 00:00:00 2001
From: Andrew
Date: Sun, 26 Apr 2026 22:55:52 -0400
Subject: [PATCH] feat(helm): Traefik IngressRoute + cert-manager Certificate
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Two IngressRoutes (web → http-to-https redirect, websecure → app) covering all configured hosts. Certificate covers all hosts as SANs.
Co-Authored-By: Claude Opus 4.7 (1M context)
---
.../templates/certificate.yaml | 16 ++++++
.../templates/ingressroute.yaml | 50 +++++++++++++++++++
2 files changed, 66 insertions(+)
create mode 100644 helm/ezscale-website/templates/certificate.yaml
create mode 100644 helm/ezscale-website/templates/ingressroute.yaml
diff --git a/helm/ezscale-website/templates/certificate.yaml b/helm/ezscale-website/templates/certificate.yaml
new file mode 100644
index 0000000..7fd03b8
--- /dev/null
+++ b/helm/ezscale-website/templates/certificate.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.ingressRoute.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: {{ .Values.ingressRoute.tls.secretName }}
+ labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+ secretName: {{ .Values.ingressRoute.tls.secretName }}
+ issuerRef:
+ kind: ClusterIssuer
+ name: {{ .Values.ingressRoute.tls.issuerName }}
+ dnsNames:
+ {{- range .Values.ingressRoute.hosts }}
+ - {{ . | quote }}
+ {{- end }}
+{{- end }}
diff --git a/helm/ezscale-website/templates/ingressroute.yaml b/helm/ezscale-website/templates/ingressroute.yaml
new file mode 100644
index 0000000..932a9e7
--- /dev/null
+++ b/helm/ezscale-website/templates/ingressroute.yaml
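Review bot: In templates/certificate.yaml, `metadata.name`, `spec.secretName` and `issuerRef.name` are rendered from `.Values.ingressRoute.tls.*` without quoting or a presence check, so an unset value renders as an empty (null) field and the mistake only surfaces when the API server or cert-manager rejects the object. Failing at render time is clearer, e.g. `name: {{ required "ingressRoute.tls.issuerName is required" .Values.ingressRoute.tls.issuerName | quote }}`, with the same treatment for `secretName`. An empty `ingressRoute.hosts` list likewise leaves `dnsNames:` with no entries. The spec also sets no `privateKey` block, so key algorithm and rotation follow whatever the installed cert-manager defaults to; stating `privateKey.rotationPolicy: Always` explicitly would guarantee a fresh key on each renewal.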
@@ -0,0 +1,50 @@
+{{- if .Values.ingressRoute.enabled }}
+{{- $hostMatch := "" -}}
+{{- range $i, $h := .Values.ingressRoute.hosts -}}
+{{- if eq $i 0 -}}
+{{- $hostMatch = printf "Host(`%s`)" $h -}}
+{{- else -}}
+{{- $hostMatch = printf "%s || Host(`%s`)" $hostMatch $h -}}
+{{- end -}}
+{{- end }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ include "ezscale-website.fullname" . }}-https
+ labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+ entryPoints: [websecure]
+ routes:
+ - kind: Rule
+ match: {{ $hostMatch }}
+ middlewares:
+ {{- if .Values.ingressRoute.middlewares.cloudflarewarp.enabled }}
+ - name: {{ .Values.ingressRoute.middlewares.cloudflarewarp.name }}
+ namespace: {{ .Values.ingressRoute.middlewares.cloudflarewarp.namespace }}
+ {{- end }}
+ services:
+ - name: {{ include "ezscale-website.fullname" . }}
+ port: {{ .Values.service.port }}
+ tls:
+ secretName: {{ .Values.ingressRoute.tls.secretName }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: {{ include "ezscale-website.fullname" . }}-http
+ labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+ entryPoints: [web]
+ routes:
+ - kind: Rule
+ match: {{ $hostMatch }}
+ middlewares:
+ {{- if .Values.ingressRoute.middlewares.httpToHttps.enabled }}
+ - name: {{ .Values.ingressRoute.middlewares.httpToHttps.name }}
+ namespace: {{ .Values.ingressRoute.middlewares.httpToHttps.namespace }}
+ {{- end }}
+ services:
+ - name: {{ include "ezscale-website.fullname" . }}
+ port: {{ .Values.service.port }}
+{{- end }}
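Review bot: The `-http` IngressRoute in templates/ingressroute.yaml still forwards `web` entry-point traffic to the app Service when `ingressRoute.middlewares.httpToHttps.enabled` is false, because only the middleware list entry is conditional while the route and its `services:` block are always rendered; the site is then served in cleartext with no redirect. Wrapping the whole second document in `{{- if .Values.ingressRoute.middlewares.httpToHttps.enabled }}` … `{{- end }}` would make the plaintext route exist only together with its redirect. Separately, `match: {{ $hostMatch }}` is emitted unquoted and each host is spliced between backticks, so a host value containing a backtick, ` #` or `: ` alters the rule or breaks the YAML, and an empty `hosts` list yields an empty `match`. `match: {{ $hostMatch | quote }}` plus a `required`/`fail` guard on `hosts` covers both, and the same applies to the `-https` route, which uses the same `$hostMatch`.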