apiVersion: apps/v1
kind: Deployment
metadata:
  name: imagepullsecrets-webhook
  namespace: imagepullsecrets-system
  labels:
    app: imagepullsecrets-webhook
spec:
  replicas: 2
  selector:
    matchLabels:
      app: imagepullsecrets-webhook
  template:
    metadata:
      labels:
        app: imagepullsecrets-webhook
    spec:
      serviceAccountName: imagepullsecrets-webhook
      containers:
        - name: webhook-server
          image: imagepullsecrets-webhook
          imagePullPolicy: Always
          envFrom:
            - configMapRef:
                name: imagepullsecrets-webhook-config
          env:
            - name: TLS_CERT_FILE
              value: "/etc/webhook/certs/tls.crt"
            - name: TLS_PRIVATE_KEY_FILE
              value: "/etc/webhook/certs/tls.key"
          ports:
            - containerPort: 8443
          volumeMounts:
            - name: webhook-certs
              mountPath: /etc/webhook/certs
              readOnly: true
      volumes:
        - name: webhook-certs
          secret:
            secretName: imagepullsecrets-webhook-certs
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
      imagePullSecrets:
        - name: regcred-harbor