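---
# yaml-language-server: $schema=https://ks.hsn.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
# Flux HelmRelease deploying cloudflared (Cloudflare Tunnel connector) via the
# bjw-s app-template chart.
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
  # Anchored so the topology-spread label selector below stays in sync with the release name.
  name: &app cloudflared
spec:
  interval: 30m
  chart:
    spec:
      chart: app-template
      version: 2.5.0
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
  install:
    remediation:
      retries: 3
  upgrade:
    cleanupOnFail: true
    remediation:
      retries: 3
  uninstall:
    keepHistory: false
  dependsOn:
    - name: ingress-nginx
      namespace: network
  values:
    controllers:
      main:
        replicas: 2
        strategy: RollingUpdate
        annotations:
          # Lets Reloader restart the pods when the referenced ConfigMap/Secret changes.
          reloader.stakater.com/auto: "true"
        containers:
          main:
            image:
              repository: docker.io/cloudflare/cloudflared
              # Tag is pinned by digest so the deployed image cannot drift under the same tag.
              tag: 2024.2.0@sha256:4d55d2f8c05a2e372d62dc3e84586e2b87730d6fb372fdb1801dd7dbab70187c
            # Container env values must be strings; every boolean-looking value is quoted
            # so the parser does not type it as a YAML bool.
            env:
              NO_AUTOUPDATE: "true"
              TUNNEL_CRED_FILE: /etc/cloudflared/creds/credentials.json
              # Metrics listener bound on all pod interfaces; reachable through the
              # `http` service port and scraped by the ServiceMonitor below.
              TUNNEL_METRICS: "0.0.0.0:8080"
              TUNNEL_TRANSPORT_PROTOCOL: quic
              TUNNEL_POST_QUANTUM: "true"
            args:
              - tunnel
              - --config
              - /etc/cloudflared/config/config.yaml
              - run
              # Expected to be filled in by Flux variable substitution; quoted so an
              # empty expansion still yields a string rather than null.
              - "${SECRET_CLUSTER_CLOUDFLARE_TUNNEL_ID}"
            probes:
              # Liveness and readiness share one spec via the anchor.
              liveness: &probes
                enabled: true
                custom: true
                spec:
                  httpGet:
                    path: /ready
                    port: &port 8080
                  initialDelaySeconds: 0
                  periodSeconds: 10
                  timeoutSeconds: 1
                  failureThreshold: 3
              readiness: *probes
              startup:
                enabled: false
            # Hardened container: no privilege escalation, read-only root FS, no capabilities.
            securityContext:
              allowPrivilegeEscalation: false
              readOnlyRootFilesystem: true
              capabilities: { drop: ["ALL"] }
            resources:
              requests:
                cpu: 10m
              limits:
                memory: 256Mi
        pod:
          securityContext:
            runAsUser: 568
            runAsGroup: 568
            runAsNonRoot: true
          # Spread the two replicas across nodes so a single node failure does not take the tunnel down.
          topologySpreadConstraints:
            - maxSkew: 1
              topologyKey: kubernetes.io/hostname
              whenUnsatisfiable: DoNotSchedule
              labelSelector:
                matchLabels:
                  app.kubernetes.io/name: *app
    service:
      main:
        ports:
          http:
            # Same port as the metrics listener / probe endpoint.
            port: *port
    serviceMonitor:
      main:
        enabled: true
    persistence:
      config:
        enabled: true
        type: configMap
        name: cloudflared-configmap
        globalMounts:
          - path: /etc/cloudflared/config/config.yaml
            subPath: config.yaml
            readOnly: true
      # Tunnel credentials come from a Secret and are mounted read-only; they are
      # never written into this file.
      creds:
        type: secret
        name: cloudflared-tunnel-secret
        globalMounts:
          - path: /etc/cloudflared/creds/credentials.json
            subPath: credentials.json
            readOnly: true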