apiVersion: apps/v1
kind: Deployment
metadata:
  name: sablier
  labels:
    app.kubernetes.io/name: sablier
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: sablier
  template:
    metadata:
      labels:
        app.kubernetes.io/name: sablier
    spec:
      serviceAccountName: sablier
      serviceAccount: sablier
      containers:
      - name: sablier
        image: sablierapp/sablier:1.8.1
        args:
          - "start"
          - "--provider.name=kubernetes"
          - "--server.port=10000"
          - "--storage.file=/dev/shm/state.json"
        ports:
          - containerPort: 10000
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop: [ALL]
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
      securityContext:
        runAsGroup: 65532
        runAsNonRoot: true
        runAsUser: 65532
# --configFile=path/to/myconfigfile.yml 
---
apiVersion: v1
kind: Service
metadata:
  name: sablier
spec:
  selector:
    app.kubernetes.io/name: sablier
  ports:
    - protocol: TCP
      port: 10000
      targetPort: 10000
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: sablier
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: sablier
#  namespace: {{ traefik_namespace }}
rules:
  - apiGroups:
      - apps
      - ""
    resources:
      - deployments
      - deployments/scale
      - statefulsets
      - statefulsets/scale
    verbs:
      - patch   # Scale up and down
      - get     # Retrieve info about specific dep
      - update  # Scale up and down
      - list    # Events
      - watch   # Events
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: sablier
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: sablier
subjects:
  - kind: ServiceAccount
    name: sablier
    namespace: {{ traefik_namespace }}
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: allow-traefik-to-sablier
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/name: sablier
  ingress:
  - ports:
    - port: 10000
    from:
    - podSelector:
        matchLabels:
          app.kubernetes.io/name: traefik
  policyTypes:
  - Ingress
#---
#apiVersion: traefik.io/v1alpha1
#kind: Middleware
#metadata:
#  name: ondemand
#spec:
#  plugin:
#      names: toto                                              # Comma separated names of containers/services/deployments etc.
#      group: default                                           # Group name to use to filter by label, ignored if names is set
#      dynamic:
#        displayName: My Title                                  # (Optional) Defaults to the middleware name
#        refreshFrequency: 5s                                    # (Optional) The loading page refresh frequency
#        showDetails: "true"                                    # (Optional) Set to true or false to show details specifcally for this middleware, unset to use Sablier server defaults
#        theme: hacker-terminal                                  # (Optional) The theme to use
#      sablierUrl: http://sablier.{{ traefik_namespace }}:10000 # The sablier URL service, must be reachable from the Traefik instance
#      sessionDuration: 1m                                      # The session duration after which containers/services/deployments instances are shutdown