#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved. #! SPDX-License-Identifier: Apache-2.0 #@ load("@ytt:data", "data") --- apiVersion: v1 kind: Namespace metadata: name: local-user-authenticator labels: name: local-user-authenticator --- apiVersion: v1 kind: ServiceAccount metadata: name: local-user-authenticator namespace: local-user-authenticator --- #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": apiVersion: v1 kind: Secret metadata: name: image-pull-secret namespace: local-user-authenticator labels: app: local-user-authenticator type: kubernetes.io/dockerconfigjson data: .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson #@ end --- apiVersion: apps/v1 kind: Deployment metadata: name: local-user-authenticator namespace: local-user-authenticator labels: app: local-user-authenticator spec: replicas: 1 selector: matchLabels: app: local-user-authenticator template: metadata: labels: app: local-user-authenticator spec: securityContext: runAsUser: #@ data.values.run_as_user runAsGroup: #@ data.values.run_as_group serviceAccountName: local-user-authenticator #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "": imagePullSecrets: - name: image-pull-secret #@ end containers: - name: local-user-authenticator #@ if data.values.image_digest: image: #@ data.values.image_repo + "@" + data.values.image_digest #@ else: image: #@ data.values.image_repo + ":" + data.values.image_tag #@ end imagePullPolicy: IfNotPresent command: - local-user-authenticator securityContext: readOnlyRootFilesystem: true runAsNonRoot: true allowPrivilegeEscalation: false capabilities: drop: [ "ALL" ] #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error. seccompProfile: type: "RuntimeDefault" tolerations: - key: kubernetes.io/arch effect: NoSchedule operator: Equal value: amd64 #! Allow running on amd64 nodes. - key: kubernetes.io/arch effect: NoSchedule operator: Equal value: arm64 #! Also allow running on arm64 nodes. --- apiVersion: v1 kind: Service metadata: name: local-user-authenticator namespace: local-user-authenticator labels: app: local-user-authenticator #! prevent kapp from altering the selector of our services to match kubectl behavior annotations: kapp.k14s.io/disable-default-label-scoping-rules: "" spec: type: ClusterIP selector: app: local-user-authenticator ports: - protocol: TCP port: 443 targetPort: 8443