deployment:
  kind: DaemonSet
  dnsPolicy: ClusterFirstWithHostNet

hostNetwork: true

# Bind directly to host ports 80 and 443
ports:
  web:
    port: 80
    hostPort: 80
    expose:
      default: true
    exposedPort: 80
  websecure:
    port: 443
    hostPort: 443
    expose:
      default: true
    exposedPort: 443
  # Avoid port collision with node-exporter on host network (9100)
  metrics:
    port: 9101
    hostPort: 9101
    exposedPort: 9101

# Configure Traefik to watch for standard Kubernetes Ingress resources
providers:
  kubernetesIngress:
    enabled: true
    publishedService:
      enabled: false

# We will define IngressClass resources manually to achieve dual-class mapping
ingressClass:
  enabled: false

# Resource limits to ensure stable execution on a single node
resources:
  requests:
    cpu: 100m
    memory: 128Mi
  limits:
    cpu: 500m
    memory: 512Mi

# Run as root (UID/GID 0) to bind to host network ports 80/443
podSecurityContext:
  runAsGroup: 0
  runAsNonRoot: false
  runAsUser: 0

securityContext:
  allowPrivilegeEscalation: true
  capabilities:
    drop: []
    add:
      - NET_BIND_SERVICE
  readOnlyRootFilesystem: false

# Required for hostNetwork DaemonSets to allow rolling updates
updateStrategy:
  type: RollingUpdate
  rollingUpdate:
    maxUnavailable: 1
    maxSurge: 0