assets/jwt-ptf-rotation.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: test-app
name: test-app
namespace: test-app-namespace
spec:
replicas: 1
selector:
matchLabels:
app: test-app
template:
metadata:
labels:
app: test-app
annotations:
conjur.org/container-mode: sidecar
conjur.org/secrets-destination: file
conjur.org/jwt-token-path: /var/run/secrets/tokens/jwt
conjur.org/conjur-secrets.test-app: |
- admin-username: <path to secret in Conjur Cloud>
- admin-password: <path to secret in Conjur Cloud>
conjur.org/secret-file-path.test-app: "./credentials.yaml"
conjur.org/secret-file-format.test-app: "yaml"
conjur.org/secrets-refresh-interval: 10s
spec:
serviceAccountName: test-app-sa
containers:
- name: test-app
image: nginx
volumeMounts:
- name: conjur-secrets
mountPath: /opt/secrets/conjur
readOnly: true
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
- name: cyberark-secrets-provider-for-k8s
image: 'cyberark/secrets-provider-for-k8s:latest'
imagePullPolicy: Always
volumeMounts:
- name: conjur-status
mountPath: /conjur/status
- name: podinfo
mountPath: /conjur/podinfo
- name: conjur-secrets
mountPath: /conjur/
- name: jwt-token
mountPath: /var/run/secrets/tokens
env:
- name: MY_POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
envFrom:
- configMapRef:
name: conjur-connect
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- all
volumes:
- name: conjur-status
emptyDir:
medium: Memory
- name: podinfo
downwardAPI:
items:
- path: "annotations"
fieldRef:
fieldPath: metadata.annotations
- name: conjur-secrets
emptyDir:
medium: Memory
- name: jwt-token
projected:
sources:
- serviceAccountToken:
path: jwt
expirationSeconds: 6000
audience: conjur