# Example: Traefik with Let's Encrypt
# Deploy with: helm install rdp-web-gateway ./chart/rdp-web-gateway -f examples/traefik-letsencrypt.yaml

# Disable LoadBalancer, use IngressRoute instead
service:
  type: ClusterIP
  port: 80
  targetPort: 8080

# Enable Traefik IngressRoute
traefik:
  enabled: true
  host: rdp.yourdomain.com
  entryPoints:
    - websecure  # HTTPS entry point
  tls:
    enabled: true
    certResolver: letsencrypt  # Must match your Traefik certResolver name
  # Optional: Add middlewares
  # middlewares:
  #   - name: redirect-to-https
  #   - name: rate-limit

# RDP Broker connection (internal ClusterIP)
config:
  rdpBroker:
    host: "rdpbroker"  # Kubernetes service name
    port: 3389
  server:
    port: 8080

# Recommended: Enable network policies for security
networkPolicy:
  enabled: true
  policyTypes:
    - Ingress
    - Egress
  ingress:
    # Allow traffic from Traefik
    - from:
      - namespaceSelector:
          matchLabels:
            name: traefik  # Adjust to your Traefik namespace
      ports:
      - protocol: TCP
        port: 8080
  egress:
    # Allow traffic to RdpBroker
    - to:
      - podSelector:
          matchLabels:
            app: rdpbroker
      ports:
      - protocol: TCP
        port: 3389
    # Allow DNS resolution
    - to:
      - namespaceSelector:
          matchLabels:
            name: kube-system
      ports:
      - protocol: UDP
        port: 53