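---
# ServiceAccount for Headlamp.
# The Deployment below runs under this account (serviceAccountName), so its
# token is mounted into the Headlamp pod.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: headlamp-admin
  namespace: kube-system
---
# ClusterRoleBinding giving cluster-admin permissions
# NOTE(review): this makes the Headlamp pod's own identity cluster-admin.
# Anything that can read the mounted token (a compromised container or
# plugin, or anyone allowed to exec into the pod) gets full control of the
# cluster. Confirm the pod really needs this; if the account exists only to
# mint a login token for the UI, run the Deployment under a separate,
# narrowly scoped ServiceAccount and bind this one to the least-privileged
# ClusterRole that covers the intended use.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: headlamp-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: headlamp-admin
    namespace: kube-system
---
# Headlamp TLS Secret (already created with cert-manager)
# Make sure the Secret 'headlamp-tls' exists in kube-system
# secretName in deployment must match
---
# Service exposing Headlamp
# No `type` is set, so this is a ClusterIP Service: reachable only from
# inside the cluster unless something else (Ingress, port-forward) fronts it.
apiVersion: v1
kind: Service
metadata:
  name: headlamp
  namespace: kube-system
spec:
  selector:
    k8s-app: headlamp
  ports:
    - port: 4466  # ClusterIP service accessible inside cluster
      targetPort: 4466
      # NOTE(review): the port is named "http", but the container is started
      # with a TLS cert/key and probed over HTTPS, so clients must speak TLS
      # here. Renaming would affect anything that references the port by name.
      name: http
---
# Headlamp Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: headlamp
  namespace: kube-system
spec:
  replicas: 1
  selector:
    matchLabels:
      k8s-app: headlamp
  template:
    metadata:
      labels:
        k8s-app: headlamp
    spec:
      # Pod identity; bound to cluster-admin by the ClusterRoleBinding above.
      serviceAccountName: headlamp-admin
      containers:
        - name: headlamp
          # Pinned by tag; pin by digest too if tag mutability is a concern.
          image: ghcr.io/headlamp-k8s/headlamp:v0.40.1
          args:
            - "-in-cluster"
            - "-plugins-dir=/headlamp/plugins"
            # Certificate and key come from the headlamp-tls Secret mounted
            # read-only at /headlamp-cert (see volumeMounts below).
            - "-tls-cert-path=/headlamp-cert/tls.crt"
            - "-tls-key-path=/headlamp-cert/tls.key"
          env:
            - name: HEADLAMP_CONFIG_LOG_LEVEL
              value: "info"
            - name: HEADLAMP_CONFIG_METRICS_ENABLED
              value: "true"
            - name: HEADLAMP_CONFIG_TRACING_ENABLED
              value: "true"
            # Short service name: resolves within kube-system.
            - name: HEADLAMP_CONFIG_OTLP_ENDPOINT
              value: "otel-collector:4317"
            - name: HEADLAMP_CONFIG_SERVICE_NAME
              value: "headlamp"
            # NOTE(review): reported as "latest" while the image is pinned to
            # v0.40.1, so telemetry will not identify the running version;
            # consider keeping the two in sync.
            - name: HEADLAMP_CONFIG_SERVICE_VERSION
              value: "latest"
          ports:
            - containerPort: 4466
              name: http
            # Declared on the container only; the Service above does not
            # expose it.
            - containerPort: 9090
              name: metrics
          readinessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 4466
            initialDelaySeconds: 30
            timeoutSeconds: 10
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 4466
            initialDelaySeconds: 30
            timeoutSeconds: 10
          # The pod holds a cluster-admin token, so confine the container:
          # no privilege escalation, no Linux capabilities (4466 and 9090 are
          # unprivileged ports), and the runtime's default seccomp filter.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
          volumeMounts:
            - name: headlamp-tls
              mountPath: /headlamp-cert
              readOnly: true
      volumes:
        # TLS certificate and private key; the Secret must already exist in
        # kube-system.
        - name: headlamp-tls
          secret:
            secretName: headlamp-tls
      nodeSelector:
        "kubernetes.io/os": linux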