assets/jwt-k8s.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-app
name: test-app
namespace: test-app-namespace
spec:
selector:
matchLabels:
app: test-app
replicas: 1
template:
metadata:
labels:
app: test-app
spec:
serviceAccountName: test-app-sa
containers:
- name: test-app
image: <APPLICATION_IMAGE>
imagePullPolicy: <PULL_POLICY>
ports:
- containerPort: 8080
env:
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: db-credentials
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: db-credentials
key: password
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
initContainers:
- image: 'cyberark/secrets-provider-for-k8s:latest'
imagePullPolicy: Always
name: cyberark-secrets-provider-for-k8s
volumeMounts:
- name: conjur-status
mountPath: /conjur/status
- name: jwt-token
mountPath: /var/run/secrets/tokens
env:
- name: JWT_TOKEN_PATH
value: /var/run/secrets/tokens/jwt
- name: CONTAINER_MODE
value: init
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: K8S_SECRETS
value: db-credentials
- name: SECRETS_DESTINATION
value: k8s_secrets
envFrom:
- configMapRef:
name: conjur-connect
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
volumes:
- name: conjur-status
emptyDir:
medium: Memory
- name: jwt-token
projected:
sources:
- serviceAccountToken:
path: jwt
expirationSeconds: 6000
audience: conjur