apiVersion: apps/v1 kind: Deployment metadata: annotations: seccomp.security.alpha.kubernetes.io/pod: runtime/default name: {{ .Release.Name }} namespace: {{ .Release.Namespace }} labels: {{ include "gmsa.chartref" . | nindent 4 }} spec: replicas: 1 selector: matchLabels: app: {{ .Release.Name }} template: metadata: labels: app: {{ .Release.Name }} spec: {{- if .Values.podSecurityContext }} securityContext: {{ toYaml .Values.podSecurityContext | nindent 8 }} {{- end }} serviceAccountName: {{ .Release.Name }} affinity: nodeAffinity: requiredDuringSchedulingIgnoredDuringExecution: nodeSelectorTerms: - matchExpressions: - key: kubernetes.io/os operator: In values: - linux {{- with .Values.tolerations }} tolerations: {{- toYaml . | nindent 8 }} {{- end }} containers: - name: {{ .Release.Name }} image: {{ template "system_default_registry" . }}{{ .Values.image.repository }}:{{ .Values.image.tag }} imagePullPolicy: {{ .Values.image.imagePullPolicy }} readinessProbe: httpGet: scheme: HTTPS path: /health port: 443 ports: - containerPort: 443 {{- if .Values.securityContext }} securityContext: {{ toYaml .Values.securityContext | nindent 12 }} {{- end }} volumeMounts: - name: tls mountPath: "/etc/ssl/rancher-windows-gmsa-webhook" readOnly: true env: - name: TLS_KEY value: /etc/ssl/rancher-windows-gmsa-webhook/tls.key - name: TLS_CRT value: /etc/ssl/rancher-windows-gmsa-webhook/tls.crt volumes: - name: tls secret: secretName: {{ .Values.certificates.secretName }} items: - key: tls.key path: tls.key - key: tls.crt path: tls.crt