🚧 Under Construction: Please check back soon for more words and less whitespace in this post!


joshspicer/jarvis:rollout.yaml

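apiVersion: apps/v1
kind: Deployment
metadata:
  name: jarvis
spec:
  replicas: 1
  selector:
    matchLabels:
      app: jarvis
  template:
    metadata:
      labels:
        app: jarvis
    spec:
      nodeSelector:
        "kubernetes.io/os": linux
      # Nothing in this manifest shows the bot calling the Kubernetes API, and
      # the Key Vault mount below authenticates with the node's managed
      # identity rather than the pod's service account, so the projected SA
      # token is only useful to an attacker who gets into the container.
      # Re-enable if the application turns out to need the API.
      automountServiceAccountToken: false
      containers:
      - name: jarvis
        # A tag can be re-pushed in the registry; pin by digest
        # (image: ...@sha256:<digest>) so the cluster runs exactly the image
        # that was built and scanned.
        image: jarvisdevacr.azurecr.io/jarvis:1.0.0
        securityContext:
          allowPrivilegeEscalation: false
          seccompProfile:
            type: RuntimeDefault
          capabilities:
            drop: ["ALL"]
            # Kept only because the process binds port 80 (PORT below).
            # Listening on an unprivileged port (>1024) instead would let
            # this be dropped too and make runAsNonRoot: true straightforward.
            add: ["NET_BIND_SERVICE"]
          # NOTE(review): runAsNonRoot and readOnlyRootFilesystem are not set
          # because the manifest does not show whether the image runs as root
          # or writes to its filesystem; if the entrypoint needs other
          # capabilities (e.g. a chown/su-exec step) the drop list above must
          # be revisited too. Confirm against the Dockerfile.
        resources:
          requests:
            cpu: 100m
            memory: 128Mi
          limits:
            cpu: 250m
            memory: 256Mi
        ports:
        - containerPort: 80
        volumeMounts:
        # The CSI volume has to be mounted by a pod for the driver to create
        # the env-secrets Secret consumed below; nothing here shows the app
        # reading the files itself. The same values are therefore present in
        # the container twice: as files here and as environment variables.
        # Env vars leak more easily (kubectl describe, crash dumps, child
        # processes), so reading /mnt/secrets-store directly and dropping the
        # secretKeyRef entries would be tighter, at the cost of an app change.
        - name: secrets-store01-inline
          mountPath: "/mnt/secrets-store"
          readOnly: true
        env:
        - name: PORT
          value: "80"
        # Values come from the Kubernetes Secret the Secrets Store CSI driver
        # syncs from Key Vault (secretObjects in the SecretProviderClass named
        # by the volume below). Env vars are captured at pod start, so a
        # rotated Key Vault value reaches the bot only after a pod restart.
        - name: TELEGRAM_BOT_TOKEN
          valueFrom:
            secretKeyRef:
              name: env-secrets
              key: TelegramBotToken
        # Presumably allowlists of Telegram user and group IDs the bot will
        # answer; their exact format is defined by the application, not here.
        - name: VALID_TELEGRAM_SENDERS
          valueFrom:
            secretKeyRef:
              name: env-secrets
              key: ValidTelegramSenders
        - name: VALID_TELEGRAM_GROUPS
          valueFrom:
            secretKeyRef:
              name: env-secrets
              key: ValidTelegramGroups
      volumes:
      - name: secrets-store01-inline
        csi:
          driver: secrets-store.csi.k8s.io
          readOnly: true
          volumeAttributes:
            secretProviderClass: "azure-jarviskv-secrets"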
---
apiVersion: v1
kind: Service
metadata:
  name: jarvis
spec:
  # A cloud load balancer with a public address, serving plain HTTP on 80.
  # NOTE(review): the manifest does not show whether the bot receives updates
  # by long polling or by webhook. With polling no inbound exposure is needed
  # and this could be ClusterIP (or dropped); with a webhook, Telegram only
  # delivers to HTTPS endpoints, so this belongs behind an ingress that
  # terminates TLS, ideally restricted to Telegram's published webhook source
  # networks. Confirm with the application before changing.
  type: LoadBalancer
  selector:
    app: jarvis
  ports:
  - name: http
    protocol: TCP
    port: 80
    targetPort: 80
---
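apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
  name: azure-jarviskv-secrets
spec:
  provider: azure
  parameters:
    # Authentication is the node VM's user-assigned managed identity, not
    # aad-pod-identity and not the pod's service account. Any pod scheduled on
    # a node that carries this identity can mount whatever the identity may
    # read, so keep its Key Vault permission to "get" on secrets in this one
    # vault only (configured on the Azure side, not visible here).
    usePodIdentity: "false"
    useVMManagedIdentity: "true"
    # Client ID of the user-assigned managed identity (an identifier, not a
    # credential). Quoted so the GUID can never be re-typed by a YAML parser.
    userAssignedIdentityID: "dc34b44c-5ea3-40d3-8820-69945bc5ccde"
    keyvaultName: jarviskv
    # Parsed by the Azure provider as YAML. No objectVersion is given, so the
    # current version of each secret is fetched when the volume is mounted.
    objects: |
      array:
        - |
          objectName: TelegramBotToken
          objectType: secret
        - |
          objectName: ValidTelegramSenders
          objectType: secret
        - |
          objectName: ValidTelegramGroups
          objectType: secret
    # Tenant that owns the vault.
    tenantId: "0ad1a6ca-bf0b-4eea-b39d-a0a369403977"
  # Mirrors the mounted files into an ordinary Kubernetes Secret so they can
  # be injected as environment variables. This copies the Key Vault values
  # into etcd: anyone with get/list on Secrets in this namespace can read the
  # bot token, so scope RBAC accordingly and make sure etcd encryption at rest
  # is on. The Secret is created when a pod mounts the CSI volume and removed
  # when none does; its contents are refreshed only if the driver's secret
  # rotation is enabled, and env vars in running pods are never refreshed.
  secretObjects:
  - secretName: env-secrets
    type: Opaque
    data:
    - key: TelegramBotToken           # key in the generated Secret
      objectName: TelegramBotToken    # mounted file (object name or alias) to copy
    - key: ValidTelegramSenders
      objectName: ValidTelegramSenders
    - key: ValidTelegramGroups
      objectName: ValidTelegramGroups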

Resources