# inspired by https://github.com/ncsa/traefik-certmanager
#
# Automatically creates cert-manager Certificate requests for Traefik IngressRoute objects
#
# Added by Aaron
---
# Identity that the traefik-certmanager Deployment's pod runs as. It carries
# no permissions by itself; they come from the ClusterRoleBinding of the same
# name, which binds this account to the traefik-certmanager ClusterRole.
apiVersion: v1
kind: ServiceAccount
metadata:
  namespace: traefik
  name: traefik-certmanager
---
# Permissions for the traefik-certmanager controller.
#
# This is a ClusterRole bound through a ClusterRoleBinding, so every verb
# below applies in all namespaces. Whoever controls the bound ServiceAccount's
# token can patch any IngressRoute and create or delete any Certificate in the
# cluster; keep the verb list as short as the controller allows and audit use
# of this account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: traefik-certmanager
rules:
# Traefik IngressRoutes: observe (list/watch) and patch.
- apiGroups:
  - traefik.io
  resources:
  - ingressroutes
  verbs:
  - watch
  - patch
  - list
# cert-manager Certificates: read, create and delete.
# No "update" or "patch" verb is granted on this resource.
- apiGroups:
  - cert-manager.io
  resources:
  - certificates
  verbs:
  - get
  - create
  - delete
---
# Grants the traefik-certmanager ClusterRole to the ServiceAccount of the same
# name in the traefik namespace. A ClusterRoleBinding is not namespaced, so the
# role's rules take effect cluster-wide for that account.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: traefik-certmanager
# roleRef cannot be changed after creation; pointing the binding at another
# role means deleting and recreating it.
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: traefik-certmanager
# The only subject: the controller's ServiceAccount.
subjects:
- kind: ServiceAccount
  namespace: traefik
  name: traefik-certmanager
---
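# Runs the traefik-certmanager controller as a single pod in the traefik
# namespace. The pod authenticates to the API server as the
# traefik-certmanager ServiceAccount, which holds cluster-wide rights on
# IngressRoutes and Certificates, so the image it runs and the privileges of
# its container are security-relevant.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: traefik-certmanager
  namespace: traefik
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: traefik-certmanager
  template:
    metadata:
      labels:
        app.kubernetes.io/name: traefik-certmanager
    spec:
      # serviceAccountName is the current field; serviceAccount is its
      # deprecated alias.
      serviceAccountName: traefik-certmanager
      containers:
      - name: traefik-certmanager
        # NOTE(review): ":latest" together with imagePullPolicy Always means
        # any pod restart can start a different, unreviewed build under the
        # cluster-wide identity above. Pin a release tag or, better, a digest:
        #   git.ar21.de/yolokube/go-traefik-certmanager@sha256:<DIGEST_PLACEHOLDER>
        image: git.ar21.de/yolokube/go-traefik-certmanager:latest
        imagePullPolicy: Always
        # Baseline hardening: no privilege escalation, no Linux capabilities,
        # default seccomp filter. Assumes the controller only talks to the
        # Kubernetes API and needs none of these; confirm against the image.
        # NOTE(review): consider adding runAsNonRoot: true and
        # readOnlyRootFilesystem: true once the image's user and write paths
        # are known.
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        env:
        # Issuer referenced by the Certificates the controller creates.
        - name: CERT_ISSUER_NAME
          value: letsencrypt-prod
        - name: CERT_ISSUER_KIND
          value: ClusterIssuer
        # Presumably removes the Certificate when its IngressRoute goes away
        # (matches the "delete" verb in the ClusterRole); confirm in the
        # controller's documentation.
        - name: CERT_CLEANUP
          value: "true"
        # Presumably writes the secret name back into the IngressRoute
        # (matches the "patch" verb in the ClusterRole); confirm likewise.
        - name: PATCH_SECRETNAME
          value: "true"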