# Gitea HTTPS IngressRoute via Traefik
# Uses default TLS store (wildcard-tls from kube-system via TLSStore)
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: gitea-https
  namespace: gitea
spec:
  entryPoints:
    - websecure
  routes:
    - match: HostRegexp(`gitea.k3s\..+\.local`)
      kind: Rule
      middlewares:
        - name: sslheader
          namespace: kube-system
        - name: gitea-buffer-timeout
          namespace: gitea
      services:
        - name: gitea-http
          port: 3000
  tls: {}
---
# HTTP → HTTPS redirect for Gitea
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
  name: gitea-http-redirect
  namespace: gitea
spec:
  entryPoints:
    - web
  routes:
    - match: HostRegexp(`gitea.k3s\..+\.local`)
      kind: Rule
      middlewares:
        - name: redirect-https
          namespace: kube-system
      services:
        - name: gitea-http
          port: 3000