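# Helm template for an internal Traefik instance: ServiceAccount, cluster-wide
# RBAC, a single-replica Deployment pinned to control-plane nodes, and a
# MetalLB-backed LoadBalancer Service.
# Templated string values are quoted so that a value that looks like a number
# or boolean (for example a namespace named "123") still renders as a string.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik-internal
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-internal
rules:
  # NOTE(security): this rule is bound through a ClusterRoleBinding, so the
  # ServiceAccount can read every Secret in every namespace. If the routes
  # served by this instance live in a known set of namespaces, consider
  # per-namespace Role/RoleBinding objects together with
  # --providers.kubernetescrd.namespaces instead.
  - apiGroups: [""]
    resources: [services, endpoints, secrets, nodes]
    verbs: [get, list, watch]
  - apiGroups: [discovery.k8s.io]
    resources: [endpointslices]
    verbs: [get, list, watch]
  - apiGroups: [traefik.io]
    resources:
      - ingressroutes
      - ingressroutetcps
      - ingressrouteudps
      - middlewares
      - middlewaretcps
      - tlsoptions
      - tlsstores
      - traefikservices
      - serverstransports
      - serverstransporttcps
    verbs: [get, list, watch]
  # Write access is limited to the status subresources of the route CRDs.
  - apiGroups: [traefik.io]
    resources:
      - ingressroutes/status
      - ingressroutetcps/status
      - ingressrouteudps/status
    verbs: [update]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-internal
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-internal
subjects:
  - kind: ServiceAccount
    name: traefik-internal
    namespace: {{ .Release.Namespace | quote }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-internal
  labels:
    app: traefik-internal
spec:
  replicas: 1
  selector:
    matchLabels:
      app: traefik-internal
  template:
    metadata:
      labels:
        app: traefik-internal
    spec:
      serviceAccountName: traefik-internal
      # NOTE(security): the pod is scheduled onto control-plane nodes and
      # tolerates their NoSchedule taint, so a compromise of this
      # network-facing container lands next to the cluster's control plane.
      nodeSelector:
        node-role.kubernetes.io/control-plane: "true"
      tolerations:
        - key: node-role.kubernetes.io/control-plane
          effect: NoSchedule
      containers:
        - name: traefik
          image: {{ .Values.image | quote }}
          args:
            - "--entrypoints.web.address=:{{ .Values.port }}"
            - "--entrypoints.websecure.address=:{{ .Values.httpsPort }}"
            - --providers.kubernetescrd
            - "--providers.kubernetescrd.ingressClass={{ .Values.ingressClass }}"
            # NOTE(security): api.insecure serves the Traefik API and
            # dashboard without authentication on port 8080, and the Service
            # below publishes that port on the LoadBalancer address as 9095.
            # Anything that can reach the address can read the full routing
            # configuration. Prefer disabling this flag and exposing
            # api@internal through an IngressRoute behind an auth middleware,
            # or drop the dashboard port from the Service.
            - --api.insecure=true
            - --log.level=WARN
          ports:
            - name: web
              containerPort: {{ .Values.port }}
            - name: websecure
              containerPort: {{ .Values.httpsPort }}
            - name: dashboard
              containerPort: 8080
          # Blocks gaining privileges through setuid/file capabilities.
          # Further hardening (runAsNonRoot, dropping capabilities, a
          # read-only root filesystem) depends on the configured ports and
          # image, and is not applied here.
          securityContext:
            allowPrivilegeEscalation: false
---
apiVersion: v1
kind: Service
metadata:
  name: traefik-internal
  annotations:
    metallb.io/address-pool: internal
spec:
  type: LoadBalancer
  loadBalancerIP: {{ .Values.loadBalancerIP | quote }}
  selector:
    app: traefik-internal
  ports:
    - name: web
      port: {{ .Values.port }}
      targetPort: {{ .Values.port }}
    - name: websecure
      port: {{ .Values.httpsPort }}
      targetPort: {{ .Values.httpsPort }}
    # NOTE(security): publishes the unauthenticated dashboard/API (container
    # port 8080) on the LoadBalancer address; see the api.insecure note on
    # the Deployment.
    - name: dashboard
      port: 9095
      targetPort: 8080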