# /*
# | Protect your secrets, protect your sensitive data.
# : Explore VMware Secrets Manager docs at https://vsecm.com/
# </
# <>/ keep your secrets... secret
# >/
# <>/' Copyright 2023-present VMware Secrets Manager contributors.
# >/' SPDX-License-Identifier: BSD-2-Clause
# */
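# Example workload Deployment. Kubernetes runs the init container to
# completion before it starts the `main` container.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: example
  namespace: default
  labels:
    app.kubernetes.io/name: example
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: example
  template:
    metadata:
      labels:
        app.kubernetes.io/name: example
    spec:
      serviceAccountName: example
      # Apply the container runtime's default seccomp filter to every
      # container in the pod.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: main
          # NOTE(review): a tag is mutable. Outside a demo, pin the image by
          # digest (`<image>@sha256:<digest>`) so the deployed bits cannot
          # change underneath the manifest.
          image: vsecm/example-using-init-container:0.25.4
          # Nothing in this manifest needs extra Linux capabilities or
          # privilege escalation. Relax only if the image proves otherwise.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      initContainers:
        # See `./register.sh` to register the workload and finalize
        # this init container.
        - name: init-container
          # NOTE(review): same as above, prefer a digest pin over the tag.
          image: vsecm/vsecm-ist-init-container:0.25.4
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            # Volume mount for SPIRE unix domain socket.
            - name: spire-agent-socket
              mountPath: /spire-agent-socket
              readOnly: true
          #
          # You can configure VSecM Init Container by providing
          # environment variables.
          #
          # See https://vsecm.com/configuration for more information
          # about these environment variables.
          #
          # When you don't explicitly provide env vars here, VMware Secrets
          # Manager Init Container will assume the default values outlined in
          # the given link above.
          #
          env:
            # Must point inside the `spire-agent-socket` mount path above.
            - name: SPIFFE_ENDPOINT_SOCKET
              value: "unix:///spire-agent-socket/agent.sock"
            # NOTE(review): "7" looks like the most verbose level. Confirm
            # against the configuration docs and lower it outside of
            # debugging, because verbose logs tend to reveal more than
            # intended.
            - name: VSECM_LOG_LEVEL
              value: "7"
            # NOTE(review): presumably both prefixes must match the trust
            # domain and ID layout configured in SPIRE. Verify before
            # reusing this manifest with another trust domain.
            - name: VSECM_WORKLOAD_SPIFFEID_PREFIX
              value: "spiffe://vsecm.com/workload/"
            - name: VSECM_SAFE_SPIFFEID_PREFIX
              value: "spiffe://vsecm.com/workload/vsecm-safe/ns/vsecm-system/sa/vsecm-safe/n/"
            # Presumably milliseconds; TODO confirm in the configuration
            # docs.
            - name: VSECM_INIT_CONTAINER_POLL_INTERVAL
              value: "5000"
      volumes:
        # Using SPIFFE CSI Driver to bind to the SPIRE Agent Socket
        # ref: https://github.com/spiffe/spiffe-csi
        - name: spire-agent-socket
          csi:
            driver: "csi.spiffe.io"
            readOnly: true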