apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault-agent-example
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault-agent-example
  template:
    metadata:
      name: vault-agent-example
      labels:
        app: vault-agent-example
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: "runtime/default"
        eks.amazonaws.com/skip-containers: "myapp,vault-agent"
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/agent-inject-containers: myapp
        vault.hashicorp.com/agent-image: "${REPO_URI_VAULT}@sha256:${VAULT_IMAGE_TAG}"
        vault.hashicorp.com/agent-pre-populate: "false"
        vault.hashicorp.com/agent-copy-volume-mounts: vault-template-bootstrap
        vault.hashicorp.com/agent-configmap: "vault-agent-config"
        vault.hashicorp.com/agent-extra-secret: "vault-agent-approle-secret-${TENANT}"
    spec:
      automountServiceAccountToken: true
      securityContext:
        runAsNonRoot: true
      serviceAccountName: ${TENANT}-sa
      initContainers:
      - name: vault-template-bootstrap
        image: ${REPO_URI_AWSCLI}@sha256:${AWSCLI_IMAGE_TAG}
        securityContext:
          runAsUser: 10001
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - NET_RAW
              - ALL
        resources:
          limits:
            cpu: "1"
            memory: "256Mi"
          requests:
            cpu: "0.5"
            memory: "128Mi"
        volumeMounts:
        - name: vault-agent-template-volume
          mountPath: /vault/template
        - name: bootstrap-volume
          mountPath: /.aws
        command: ["/bin/sh"]
        args: ["-c", 'aws s3 cp s3://${DOLLAR}{VAULT_AGENT_TEMPLATE_S3_BUCKET}/${DOLLAR}{VAULT_AGENT_TEMPLATE_S3_OBJ_PATH}/ ${DOLLAR}{VAULT_AGENT_TEMPLATE_DEST_PATH} --recursive --exclude "*" --include "*.ctmpl"']
        env:
        - name: VAULT_AGENT_TEMPLATE_S3_BUCKET
          value: ${VAULT_AGENT_TEMPLATES_BUCKET}
        - name: VAULT_AGENT_TEMPLATE_S3_OBJ_PATH
          value: ${TENANT}
        - name: VAULT_AGENT_TEMPLATE_DEST_PATH
          value: /vault/template
      containers:
      - name: myapp
        image: ${REPO_URI_AWSCLI}@sha256:${AWSCLI_IMAGE_TAG}
        securityContext:
          runAsUser: 10010
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
              - NET_RAW
              - ALL
        resources:
          limits:
            cpu: "1"
            memory: "256Mi"
          requests:
            cpu: "0.5"
            memory: "128Mi"
        command: ["/bin/sh"]
        args: ["-c", "while true; do sleep infinity; done"]
        env:
        - name: AWS_SHARED_CREDENTIALS_FILE
          value: "/vault/secrets/credentials"
      volumes:
      - name: vault-agent-template-volume
        emptyDir: {}
      - name: bootstrap-volume
        emptyDir: {}