ContainerImage.Pinniped/deploy/local-user-authenticator/deployment.yaml

#! Copyright 2020-2023 the Pinniped contributors. All Rights Reserved.
#! SPDX-License-Identifier: Apache-2.0

#@ load("@ytt:data", "data")

---
apiVersion: v1
kind: Namespace
metadata:
  name: local-user-authenticator
  labels:
    name: local-user-authenticator
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
---
#@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
apiVersion: v1
kind: Secret
metadata:
  name: image-pull-secret
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
type: kubernetes.io/dockerconfigjson
data:
  .dockerconfigjson: #@ data.values.image_pull_dockerconfigjson
#@ end
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
spec:
  replicas: 1
  selector:
    matchLabels:
      app: local-user-authenticator
  template:
    metadata:
      labels:
        app: local-user-authenticator
    spec:
      securityContext:
        runAsUser: #@ data.values.run_as_user
        runAsGroup: #@ data.values.run_as_group
      serviceAccountName: local-user-authenticator
      #@ if data.values.image_pull_dockerconfigjson and data.values.image_pull_dockerconfigjson != "":
      imagePullSecrets:
        - name: image-pull-secret
      #@ end
      containers:
        - name: local-user-authenticator
          #@ if data.values.image_digest:
          image:  #@ data.values.image_repo + "@" + data.values.image_digest
          #@ else:
          image: #@ data.values.image_repo + ":" + data.values.image_tag
          #@ end
          imagePullPolicy: IfNotPresent
          command:
            - local-user-authenticator
          securityContext:
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: [ "ALL" ]
            #! seccompProfile was introduced in Kube v1.19. Using it on an older Kube version will result in a
            #! kubectl validation error when installing via `kubectl apply`, which can be ignored using kubectl's
            #! `--validate=false` flag. Note that installing via `kapp` does not complain about this validation error.
            seccompProfile:
              type: "RuntimeDefault"
      tolerations:
        - key: kubernetes.io/arch
          effect: NoSchedule
          operator: Equal
          value: amd64 #! Allow running on amd64 nodes.
        - key: kubernetes.io/arch
          effect: NoSchedule
          operator: Equal
          value: arm64 #! Also allow running on arm64 nodes.
---
apiVersion: v1
kind: Service
metadata:
  name: local-user-authenticator
  namespace: local-user-authenticator
  labels:
    app: local-user-authenticator
  #! prevent kapp from altering the selector of our services to match kubectl behavior
  annotations:
    kapp.k14s.io/disable-default-label-scoping-rules: ""
spec:
  type: ClusterIP
  selector:
    app: local-user-authenticator
  ports:
    - protocol: TCP
      port: 443
      targetPort: 8443