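---
# Fulcio certificate-authority server (Sigstore) Deployment.
# This file is a Jinja2 template rendered before it is applied, so every
# templated scalar is quoted: an empty, boolean-looking or special-character
# expansion then cannot change the YAML type or break the parse.
# The controller-managed label pod-template-hash is deliberately not set here;
# it is computed and written by the Deployment controller.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: fulcio-server
  namespace: fulcio-system
  labels:
    app.kubernetes.io/instance: scaffold
    app.kubernetes.io/name: fulcio
spec:
  replicas: 1
  selector:
    matchLabels:
      app: fulcio-server
  template:
    metadata:
      labels:
        app: fulcio-server
        app.kubernetes.io/instance: scaffold
        app.kubernetes.io/name: fulcio
    spec:
      # NOTE(review): nothing in this spec shows fulcio needing the API server;
      # if the service-account token is unused, set this to false.
      automountServiceAccountToken: true
      containers:
        - name: fulcio-server
          image: "{{ fulcio_server_image }}"
          imagePullPolicy: IfNotPresent
          args:
            - serve
            - --port=5555
            - --grpc-port=5554
            - --ca=fileca
            - --fileca-key
            - /var/run/fulcio-secrets/key.pem
            - --fileca-cert
            - /var/run/fulcio-secrets/cert.pem
            # The CA key passphrase is passed as a command-line argument, so it is
            # visible in the rendered pod spec and in the container's process list.
            # to_json renders it as a correctly escaped double-quoted scalar whatever
            # characters it contains. Prefer a Secret-backed environment variable if
            # the fulcio binary offers one for this setting.
            - --fileca-key-passwd
            - {{ fulcio_ca_passphrase | to_json }}
            # Cleartext HTTP to the CT log; acceptable only on a trusted internal network.
            - "--ct-log-url=http://ctlog-pod:6962/{{ ct_logprefix }}"
          env:
            # Trust store for outbound TLS; backed by the nginx-certs Secret mounted at /certs.
            - name: SSL_CERT_DIR
              value: /certs
          # hostPort publishes each port directly on the node. This looks intended for a
          # single-node deployment (e.g. podman kube play) — confirm before using on a
          # multi-node cluster, where it also pins the pod to nodes with free ports.
          ports:
            - containerPort: 5555
              hostPort: 5555
              protocol: TCP
            - containerPort: 5554
              hostPort: 5554
              protocol: TCP
            - containerPort: 2113  # presumably metrics — confirm against the fulcio flags
              hostPort: 2113
              protocol: TCP
          resources: {}  # no requests/limits set
          volumeMounts:
            # ConfigMap content is read-only anyway; readOnly is set for consistency
            # with the other mounts.
            - mountPath: /etc/fulcio-config
              name: fulcio-config
              readOnly: true
            - mountPath: /var/run/fulcio-secrets
              name: fulcio-cert
              readOnly: true
            - mountPath: /certs
              name: nginx-certs
              readOnly: true
      restartPolicy: Always
      dnsPolicy: ClusterFirst
      enableServiceLinks: true
      # Pod-level: the process runs as a fixed unprivileged UID.
      securityContext:
        runAsNonRoot: true
        runAsUser: 65533
      serviceAccountName: fulcio-server
      tolerations:
        - effect: NoExecute
          key: node.kubernetes.io/not-ready
          operator: Exists
          tolerationSeconds: 300
        - effect: NoExecute
          key: node.kubernetes.io/unreachable
          operator: Exists
          tolerationSeconds: 300
      volumes:
        - name: fulcio-config
          configMap:
            name: fulcio-config
            defaultMode: 420  # 0644 in decimal; the field is an integer, not a mode string
        - name: fulcio-cert
          secret:
            secretName: fulcio-server-secret
        - name: nginx-certs
          secret:
            secretName: nginx-certs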