---
# external-secrets workloads: three Deployments in the external-secrets
# namespace (cert-controller, core controller, admission webhook).
# All three run the same image with a different first argument / flag set.
#
# Deployment 1: cert-controller.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-secrets-cert-controller
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-cert-controller
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: 'v2.2.0'
    app.kubernetes.io/managed-by: kustomize
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: external-secrets-cert-controller
      app.kubernetes.io/instance: external-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets-cert-controller
        app.kubernetes.io/instance: external-secrets
        app.kubernetes.io/version: 'v2.2.0'
        app.kubernetes.io/managed-by: kustomize
    spec:
      serviceAccountName: external-secrets-cert-controller
      # The ServiceAccount token is mounted into the pod. What it can do is
      # decided by the RBAC bound to this ServiceAccount, which is not part of
      # this file; review those roles together with this manifest.
      automountServiceAccountToken: true
      hostNetwork: false
      # No pod-level securityContext is set; the hardening below is
      # per-container, so a container added later must repeat it.
      containers:
        - name: cert-controller
          # NOTE(review): "kustomized" looks like a placeholder tag that a
          # kustomize image override is expected to replace; confirm. The
          # version label says v2.2.0 but nothing here ties the image to it.
          # With IfNotPresent a node reuses whatever it already cached under
          # this tag, so pin the final image by digest.
          image: ghcr.io/external-secrets/external-secrets:kustomized
          imagePullPolicy: IfNotPresent
          args:
            - certcontroller
            - --crd-requeue-interval=5m
            - --service-name=external-secrets-webhook
            - --service-namespace=external-secrets
            # Same Secret name that the webhook Deployment mounts at /tmp/certs.
            # Presumably this controller maintains the TLS material in it;
            # verify, and scope its Secret permissions to that one object.
            - --secret-name=external-secrets-webhook
            - --secret-namespace=external-secrets
            # NOTE(review): no host part in the address, so presumably the
            # listener is on every pod interface; limit who may reach the
            # metrics port with a NetworkPolicy if that matters here.
            - --metrics-addr=:8080
            - --healthz-addr=:8081
            - --loglevel=info
            - --zap-time-encoding=epoch
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: ready
              containerPort: 8081
              protocol: TCP
          # Readiness only; no livenessProbe is defined for this container.
          readinessProbe:
            httpGet:
              path: /readyz
              port: ready
            initialDelaySeconds: 20
            periodSeconds: 5
          resources:
            requests:
              cpu: 25m
              memory: 32Mi
            limits:
              cpu: 100m
              memory: 128Mi
          # Non-root UID, no privilege escalation, every capability dropped,
          # read-only root filesystem, runtime default seccomp profile.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
---
# Deployment 2: core external-secrets controller.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-secrets
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: 'v2.2.0'
    app.kubernetes.io/managed-by: kustomize
spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: external-secrets
      app.kubernetes.io/instance: external-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets
        app.kubernetes.io/instance: external-secrets
        app.kubernetes.io/version: 'v2.2.0'
        app.kubernetes.io/managed-by: kustomize
    spec:
      serviceAccountName: external-secrets
      # Token mounted; its reach is set by RBAC that is not shown in this
      # file. NOTE(review): this is the workload that handles secret data, so
      # its roles deserve the closest least-privilege review; confirm scope.
      automountServiceAccountToken: true
      hostNetwork: false
      dnsPolicy: ClusterFirst
      containers:
        - name: external-secrets
          # NOTE(review): placeholder-looking mutable tag plus IfNotPresent;
          # confirm it is overridden at build time and pin by digest.
          image: ghcr.io/external-secrets/external-secrets:kustomized
          imagePullPolicy: IfNotPresent
          args:
            - --concurrent=1
            - --metrics-addr=:8080
            - --loglevel=info
            - --zap-time-encoding=epoch
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
          # No readiness or liveness probe is defined for this container.
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 200m
              memory: 256Mi
          # Same container hardening as the other two Deployments.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
---
# Deployment 3: admission webhook.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: external-secrets-webhook
  namespace: external-secrets
  labels:
    app.kubernetes.io/name: external-secrets-webhook
    app.kubernetes.io/instance: external-secrets
    app.kubernetes.io/version: 'v2.2.0'
    app.kubernetes.io/managed-by: kustomize
spec:
  # NOTE(review): single replica. If the webhook configuration (not shown
  # here) fails closed, this pod is a single point of failure for the
  # resources it validates; confirm the failure policy and replica count.
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      app.kubernetes.io/name: external-secrets-webhook
      app.kubernetes.io/instance: external-secrets
  template:
    metadata:
      labels:
        app.kubernetes.io/name: external-secrets-webhook
        app.kubernetes.io/instance: external-secrets
        app.kubernetes.io/version: 'v2.2.0'
        app.kubernetes.io/managed-by: kustomize
    spec:
      serviceAccountName: external-secrets-webhook
      # Token mounted; permissions come from RBAC outside this file.
      automountServiceAccountToken: true
      # Pod network only, so port 10250 below is pod-local and does not
      # overlap with the kubelet's port 10250 on the node.
      hostNetwork: false
      containers:
        - name: webhook
          # NOTE(review): placeholder-looking mutable tag plus IfNotPresent;
          # confirm it is overridden at build time and pin by digest.
          image: ghcr.io/external-secrets/external-secrets:kustomized
          imagePullPolicy: IfNotPresent
          args:
            - webhook
            - --port=10250
            - --dns-name=external-secrets-webhook.external-secrets.svc
            # Matches the read-only Secret mount declared in volumeMounts.
            - --cert-dir=/tmp/certs
            - --check-interval=5m
            - --metrics-addr=:8080
            - --healthz-addr=:8081
            - --loglevel=info
            - --zap-time-encoding=epoch
          ports:
            - name: metrics
              containerPort: 8080
              protocol: TCP
            - name: webhook
              containerPort: 10250
              protocol: TCP
            - name: ready
              containerPort: 8081
              protocol: TCP
          # Readiness only; no livenessProbe is defined for this container.
          readinessProbe:
            httpGet:
              path: /readyz
              port: ready
            initialDelaySeconds: 20
            periodSeconds: 5
          resources:
            requests:
              cpu: 25m
              memory: 32Mi
            limits:
              cpu: 100m
              memory: 128Mi
          volumeMounts:
            # Serving certificate material; mounted read-only.
            - name: certs
              mountPath: /tmp/certs
              readOnly: true
          # Same container hardening as the other two Deployments.
          securityContext:
            runAsNonRoot: true
            runAsUser: 1000
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
      volumes:
        # The Secret named by the cert-controller's --secret-name flag.
        - name: certs
          secret:
            secretName: external-secrets-webhook