---
apiVersion: v1
kind: Namespace
metadata:
  name: traefik
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: traefik
  namespace: traefik
data:
  config.yaml: |
    http:
      middlewares:
        lokistack-stripprefix:
          stripPrefix:
            prefixes:
              - "/lokistack"
        token-refresher-stripprefix:
          stripPrefix:
            prefixes:
              - "/token-refresher"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: acme-storage
  namespace: traefik
spec:
  accessModes:
    - ReadWriteOnce
  # Replace the storageClassName with the storage you use in your Kubernetes cluster.
  storageClassName: standard
  resources:
    requests:
      # Replace by an appropriate size.
      storage: 10Mi
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: traefik
  namespace: traefik
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - endpoints
      - secrets
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
      - ingressclasses
    verbs:
      - get
      - list
      - watch
  - apiGroups:
      - extensions
    resources:
      - ingresses/status
    verbs:
      - update
  - apiGroups:
      - traefik.containo.us
    resources:
      - middlewares
      - middlewaretcps
      - ingressroutes
      - traefikservices
      - ingressroutetcps
      - ingressrouteudps
      - tlsoptions
      - tlsstores
      - serverstransports
    verbs:
      - get
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik

roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik
subjects:
  - kind: ServiceAccount
    name: traefik
    namespace: traefik
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik
  namespace: traefik
spec:
  selector:
    matchLabels:
      app: traefik
  template:
    metadata:
      labels:
        app: traefik
    spec:
      serviceAccountName: traefik
      containers:
        - name: traefik
          image: traefik:v2.7.0
          args:
            - --api.insecure
            - --api.dashboard
            - --log.level=debug
            - --accesslog=true
            - --entryPoints.web.address=:80
            - --entryPoints.websecure.address=:443
            - --providers.kubernetesIngress
            - --providers.file.filename=/config/config.yaml
            - --providers.file.watch=false
          ports:
          - name: http
            containerPort: 80
            hostPort: 80
          - name: https
            containerPort: 443
            hostPort: 443
          - name: admin
            containerPort: 8080
            hostPort: 8080
          securityContext:
            capabilities:
              drop:
              - ALL
              add:
              - NET_BIND_SERVICE
          volumeMounts:
            - mountPath: /letsencrypt
              name: acme-storage
            - mountPath: /config
              name: config
      volumes:
        - name: acme-storage
          persistentVolumeClaim:
            claimName: acme-storage
        - name: config
          configMap:
            name: traefik