# HTTP → HTTPS redirect
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: redirect-https
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Forward X-Forwarded-Proto header for backends behind TLS termination
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: sslheader
  namespace: kube-system
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
---
# Gitea: buffer large requests (git push) + timeout for CI builds
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: gitea-buffer-timeout
  namespace: gitea
spec:
  buffering:
    maxRequestBodyBytes: 0
    maxResponseBodyBytes: 0
    memRequestBodyBytes: 20971520
    memResponseBodyBytes: 20971520
    retryExpression: "IsNetworkError()"
---
# ArgoCD: X-Forwarded-Proto for TLS termination
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: argocd-tls-middleware
  namespace: argocd
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"
---
# Kargo: X-Forwarded-Proto for TLS termination
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: kargo-tls-middleware
  namespace: kargo
spec:
  headers:
    customRequestHeaders:
      X-Forwarded-Proto: "https"