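---
# Headlamp (Kubernetes web UI) in kube-system, published through Traefik with
# a cert-manager certificate. Every login made with the headlamp-admin token
# acts as cluster-admin, so the token, the pod and the Ingress are all
# cluster-admin-equivalent assets.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: headlamp-admin
  namespace: kube-system
---
# Grants headlamp-admin the built-in cluster-admin ClusterRole cluster-wide:
# unrestricted access to every resource in every namespace, Secrets included.
# Where full admin is not needed from the UI, bind a narrower ClusterRole
# (for example the built-in "view") or use namespaced RoleBindings instead.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: headlamp-admin
    namespace: kube-system
---
# Long-lived token used to log in to the Headlamp UI.
# Retrieve with: kubectl -n kube-system get secret headlamp-admin -o jsonpath='{.data.token}' | base64 -d
#
# A kubernetes.io/service-account-token Secret holds a token that does not
# expire; it stays valid until this Secret (or the ServiceAccount) is deleted,
# and anyone allowed to read Secrets in kube-system can read it. Rotate by
# deleting and re-creating the Secret. For a time-bound login token, use:
#   kubectl -n kube-system create token headlamp-admin --duration=<DURATION>
# The command above prints the decoded token to the terminal; handle that
# output as a cluster-admin credential.
apiVersion: v1
kind: Secret
metadata:
  name: headlamp-admin
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: headlamp-admin
type: kubernetes.io/service-account-token
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: headlamp
  namespace: kube-system
  labels:
    k8s-app: headlamp
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: headlamp
  template:
    metadata:
      labels:
        k8s-app: headlamp
    spec:
      # The pod runs as the same cluster-admin ServiceAccount, so its
      # auto-mounted token is a cluster-admin credential inside the container.
      # NOTE(review): if Headlamp only needs the token each user supplies at
      # login, run the pod under a separate low-privilege ServiceAccount and
      # keep headlamp-admin for logins only - confirm against the Headlamp
      # docs before changing.
      serviceAccountName: headlamp-admin
      containers:
        - name: headlamp
          # Tags are mutable; pinning by digest
          # (headlamp:v0.42.0@sha256:<DIGEST>) fixes the exact image deployed.
          image: ghcr.io/headlamp-k8s/headlamp:v0.42.0
          args:
            - "-in-cluster"
            - "-plugins-dir=/headlamp/plugins"
          ports:
            - containerPort: 4466
              name: http
          livenessProbe:
            httpGet:
              path: /
              port: 4466
            initialDelaySeconds: 30
            timeoutSeconds: 30
          readinessProbe:
            httpGet:
              path: /
              port: 4466
            initialDelaySeconds: 30
            timeoutSeconds: 30
          # No resources.requests/limits are set for this container.
          securityContext:
            runAsNonRoot: true
            runAsUser: 100
            privileged: false
            allowPrivilegeEscalation: false
            # Root filesystem is left writable.
            # NOTE(review): check whether Headlamp runs with this set to true
            # plus an emptyDir for the paths it writes to.
            readOnlyRootFilesystem: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
---
apiVersion: v1
kind: Service
metadata:
  name: headlamp
  namespace: kube-system
spec:
  selector:
    k8s-app: headlamp
  ports:
    - port: 80
      targetPort: 4466
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: https-redirect
  namespace: kube-system
spec:
  redirectScheme:
    scheme: https
    permanent: true
---
# Publishes the UI at headlamp.roysland.net. The only gate in front of the
# cluster is the bearer token typed into the login page. If the host is
# reachable from untrusted networks, add a network or identity control at the
# proxy (e.g. a Traefik IP allow-list or forward-auth Middleware) next to the
# redirect below.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: headlamp
  namespace: kube-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt
    # Force HTTP->HTTPS at Traefik (proxy-level, no app redirect loop).
    # NOTE(review): with a tls: section the generated router may be TLS-only,
    # in which case plain-HTTP requests never reach this middleware - confirm
    # that an http:// request really returns the redirect.
    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - headlamp.roysland.net
      secretName: headlamp-tls
  rules:
    - host: headlamp.roysland.net
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: headlamp
                port:
                  number: 80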