assets/p2f-rotation.yaml
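---
# Test fixture: a Deployment running the CyberArk Secrets Provider as a
# sidecar in push-to-file (p2f) mode with secret refresh enabled, so the app
# container sees rotated values in its mounted file without a pod restart.
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app: test-app
  name: test-app
  namespace: test-app-namespace
spec:
  replicas: 1
  selector:
    matchLabels:
      app: test-app
  template:
    metadata:
      labels:
        app: test-app
      # kics-scan ignore-block - Kics incorrectly identifies the Conjur secret paths as hardcoded values
      annotations:
        # Conjur host identity the sidecar authenticates as via authn-k8s;
        # the pod's service account (below) must be authorised for this host.
        conjur.org/authn-identity: host/conjur/authn-k8s/my-authenticator-id/apps/test-app
        conjur.org/container-mode: sidecar
        conjur.org/secrets-destination: file
        # One entry per secret to render into the file for the "test-app"
        # group; NOTE(review): each entry appears to be `<file key>: <Conjur
        # variable relative to the policy path below>` — confirm against the
        # Secrets Provider docs before editing.
        conjur.org/conjur-secrets.test-app: |
          - admin-username: username
          - admin-password: password
        conjur.org/conjur-secrets-policy-path.test-app: test-secrets-provider-p2f-app-db/
        conjur.org/secret-file-path.test-app: "./application.yaml"
        conjur.org/secret-file-format.test-app: "yaml"
        # Annotation values are strings: "true" stays quoted so a YAML parser
        # does not coerce it to a boolean before the provider reads it.
        conjur.org/secrets-refresh-enabled: "true"
        conjur.org/secrets-refresh-interval: 10m
    spec:
      serviceAccountName: test-app-sa
      containers:
        # Stand-in application: sleeps forever and only exposes the secrets
        # mount for the test to inspect.
        - name: test-app
          # NOTE(review): mutable `latest` tag — acceptable for a test
          # fixture, but a real deployment should pin a version or digest.
          image: ubuntu:latest
          command: ["sleep"]
          args: ["infinity"]
          volumeMounts:
            # Rendered secrets file is consumed here; read-only so the app
            # cannot modify what the sidecar writes.
            - name: conjur-secrets
              mountPath: /mounted/secrets
              readOnly: true
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
        # Sidecar that authenticates to Conjur, fetches the secrets listed in
        # the annotations and writes them into the shared conjur-secrets volume.
        - name: cyberark-secrets-provider-for-k8s
          # NOTE(review): `latest` with pullPolicy Always means each pod start
          # may run a different provider build; pin for reproducible tests.
          image: 'cyberark/secrets-provider-for-k8s:latest'
          imagePullPolicy: Always
          env:
            # Pod identity the provider presents during authn-k8s.
            - name: MY_POD_NAME
              valueFrom:
                fieldRef:
                  fieldPath: metadata.name
            - name: MY_POD_NAMESPACE
              valueFrom:
                fieldRef:
                  fieldPath: metadata.namespace
          # Conjur connection settings (URL, account, CA) come from this
          # ConfigMap, which must exist in the same namespace.
          envFrom:
            - configMapRef:
                name: conjur-connect
          volumeMounts:
            - name: conjur-certs
              mountPath: /etc/conjur/ssl
            # Pod annotations, delivered via the downward API, carry the
            # conjur.org/* configuration the provider reads at start-up.
            - name: podinfo
              mountPath: /conjur/podinfo
            # Write side of the volume the app mounts read-only above.
            - name: conjur-secrets
              mountPath: /conjur/secrets
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - all
      volumes:
        # Memory-backed emptyDirs keep the client cert and rendered secrets
        # off the node's disk; they vanish with the pod.
        - name: conjur-certs
          emptyDir:
            medium: Memory
        - name: podinfo
          downwardAPI:
            items:
              - path: "annotations"
                fieldRef:
                  fieldPath: metadata.annotations
        - name: conjur-secrets
          emptyDir:
            medium: Memory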