feat(helm): Traefik IngressRoute + cert-manager Certificate

Two IngressRoutes (web → http-to-https redirect, websecure → app)
covering all configured hosts. Certificate covers all hosts as SANs.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

helm/ezscale-website/templates/certificate.yaml

@@ -0,0 +1,16 @@
+{{- if .Values.ingressRoute.enabled }}
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: {{ .Values.ingressRoute.tls.secretName }}
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  secretName: {{ .Values.ingressRoute.tls.secretName }}
+  issuerRef:
+    kind: ClusterIssuer
+    name: {{ .Values.ingressRoute.tls.issuerName }}
+  dnsNames:
+    {{- range .Values.ingressRoute.hosts }}
+    - {{ . | quote }}
+    {{- end }}
+{{- end }}

helm/ezscale-website/templates/ingressroute.yaml

@@ -0,0 +1,50 @@
+{{- if .Values.ingressRoute.enabled }}
+{{- $hostMatch := "" -}}
+{{- range $i, $h := .Values.ingressRoute.hosts -}}
+{{- if eq $i 0 -}}
+{{- $hostMatch = printf "Host(`%s`)" $h -}}
+{{- else -}}
+{{- $hostMatch = printf "%s || Host(`%s`)" $hostMatch $h -}}
+{{- end -}}
+{{- end }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "ezscale-website.fullname" . }}-https
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  entryPoints: [websecure]
+  routes:
+    - kind: Rule
+      match: {{ $hostMatch }}
+      middlewares:
+        {{- if .Values.ingressRoute.middlewares.cloudflarewarp.enabled }}
+        - name: {{ .Values.ingressRoute.middlewares.cloudflarewarp.name }}
+          namespace: {{ .Values.ingressRoute.middlewares.cloudflarewarp.namespace }}
+        {{- end }}
+      services:
+        - name: {{ include "ezscale-website.fullname" . }}
+          port: {{ .Values.service.port }}
+  tls:
+    secretName: {{ .Values.ingressRoute.tls.secretName }}
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ include "ezscale-website.fullname" . }}-http
+  labels: {{- include "ezscale-website.labels" . | nindent 4 }}
+spec:
+  entryPoints: [web]
+  routes:
+    - kind: Rule
+      match: {{ $hostMatch }}
+      middlewares:
+        {{- if .Values.ingressRoute.middlewares.httpToHttps.enabled }}
+        - name: {{ .Values.ingressRoute.middlewares.httpToHttps.name }}
+          namespace: {{ .Values.ingressRoute.middlewares.httpToHttps.namespace }}
+        {{- end }}
+      services:
+        - name: {{ include "ezscale-website.fullname" . }}
+          port: {{ .Values.service.port }}
+{{- end }}