{{/* Print release information */}}
{{- printf "\n\n" -}}
{{ .Release.Name }} with {{ .Values.image.registry }}/{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }} has been deployed successfully on {{ template "traefik.namespace" . }} namespace!
{{- printf "\n" -}}


{{/* Warn about potential permission issue with persistence */}}
{{- if .Values.persistence -}}
  {{- if and .Values.persistence.enabled (empty .Values.deployment.initContainers) -}}
{{- printf "\n" -}}
🚨 When enabling persistence for certificates, permissions on acme.json can be
lost when Traefik restarts. You can ensure correct permissions with an
initContainer. See https://github.com/traefik/traefik-helm-chart/blob/master/EXAMPLES.md#use-traefik-native-lets-encrypt-integration-without-cert-manager
for more info. 🚨
{{- printf "\n" -}}
  {{- end -}}
{{- end -}}


{{/* Warn about non-matching potential labelSelector mismatch for CRD provider */}}
{{- with .Values.providers.kubernetesCRD.labelSelector -}}
  {{- $labelsApplied := include "traefik.labels" $ -}}
  {{- $labelSelectors := regexSplit "," . -1 }}
  {{- range $labelSelectors -}}
    {{- $labelSelectorRaw := regexSplit "=" . -1 -}}
    {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) -}}
    {{- if not (contains $labelSelector $labelsApplied) -}}
{{- printf "\n" -}}
🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesCRD provider. 🚨
{{- printf "\n" -}}
    {{- end -}}
  {{- end -}}
{{- end -}}


{{/* Warn about non-matching potential labelSelector mismatch for Ingress provider */}}
{{- with .Values.providers.kubernetesIngress.labelSelector -}}
  {{- $labelsApplied := include "traefik.labels" $ -}}
  {{- $labelSelectors := regexSplit "," . -1 -}}
  {{- range $labelSelectors -}}
    {{- $labelSelectorRaw := regexSplit "=" . -1 -}}
    {{- $labelSelector := printf "%s: %s" (first $labelSelectorRaw) (last $labelSelectorRaw) -}}
    {{- if not (contains $labelSelector $labelsApplied) -}}
{{- printf "\n" -}}
🚨 Resources populated with this chart don't match with labelSelector `{{.}}` applied on kubernetesIngress provider. 🚨
{{- printf "\n" -}}
    {{- end -}}
  {{- end -}}
{{- end -}}


{{/* Warn about renamed ports */}}
{{- range $name, $config := .Values.ports -}}
  {{- $sanitizedPortName := include "traefik.portname" $name -}}
  {{- if (ne $sanitizedPortName $name) -}}
{{- printf "\n" -}}
🚨 Port name `{{ $name }}` does not comply with Kubernetes standards and will be renamed to `{{ $sanitizedPortName }}` in services. 🚨
ℹ️ See the "traefik.portname" helper in this chart for additional details. ℹ️
{{- printf "\n" -}}
  {{- end -}}
{{- end -}}


{{/* Warn about hub not watching namespaces configured in providers */}}
{{- if and .Values.hub.token (and .Values.rbac.enabled .Values.rbac.namespaced) }}
    {{- if .Values.hub.namespaces -}}
        {{- range (list "kubernetesCRD" "kubernetesGateway" "kubernetesIngress") }}
            {{- $provider := . -}}
            {{- $providerNamespaces := get (get $.Values.providers .) "namespaces" -}}
            {{- $providerEnabled := get (get $.Values.providers .) "enabled" -}}
            {{- if $providerEnabled -}}
                {{- if $providerNamespaces -}}
                    {{- $difference := (include "list.difference" (dict "a" $providerNamespaces "b" $.Values.hub.namespaces)) | fromYamlArray }}
                    {{- if $difference }}
                        {{- printf "WARNING: %s provider is configured to watch namespaces %s but those ones are not watched by Hub provider.\n" $provider $difference -}}
                    {{- end -}}
                {{- else -}}
                    {{- printf "WARNING: %s provider is configured to watch all namespaces but Hub provider only watches %s.\n" $provider $.Values.hub.namespaces -}}
                {{- end -}}
            {{- end -}}
        {{- end -}}
    {{- end -}}
{{- end -}}

{{/* Warn about deprecated localPlugins */}}
  {{- if include "traefik.hasDeprecatedLocalPlugins" . }}
    {{- printf "\n" -}}
⚠️ DEPRECATION WARNING: You are using the deprecated legacy 'hostPath' configuration.
Please migrate to the new structured 'type.hostPathPlugin' configuration within localPlugins.
The legacy root-level hostPath configuration will be removed in the next major version.

Migration example:
  experimental:
    localPlugins:
      your-plugin:
        moduleName: github.com/example/yourplugin
        mountPath: /plugins-local/src/github.com/example/yourplugin
        # Choose one of the following types:
        type: inlinePlugin        # Recommended for small/medium plugins: secure ConfigMap-based
        source:                  # Required for inlinePlugin
          # your plugin files here
        # type: hostPath         # Use with caution for security reasons
        #   hostPath: /path/to/plugin
        # type: localPath       # Advanced: Uses additionalVolumes, can be used with PVC, CSI drivers (s3-csi-driver, FUSE), etc.
        #   volumeName: plugin-storage
    {{- printf "\n" -}}
  {{- end -}}


{{/* Warn about missing secret when enabling managed certificate with Hub admission controller */}}
{{- if and .Values.hub.token .Values.hub.apimanagement.enabled .Values.hub.apimanagement.admission.selfManagedCertificate }}
  {{- $cert := lookup "v1" "Secret" (include "traefik.namespace" .) $.Values.hub.apimanagement.admission.secretName -}}
  {{- if not $cert }}
    {{- printf "\nWARNING: webhook secret %s for Traefik hub is self managed and was not found in %s namespace.\n" $.Values.hub.apimanagement.admission.secretName (include "traefik.namespace" .) -}}
  {{- end -}}        
{{- end -}}
