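---
# TLS material for the PCCS (Provisioning Certificate Caching Service) listener.
# `data` values must already be base64-encoded (e.g. `base64 -w0 private.pem`) and
# on a single line; the substitution tool does not encode them for you.
apiVersion: v1
kind: Secret
metadata:
  name: pccs-tls
  namespace: intel-dcap
type: Opaque
data:
  private.pem: "${PCCS_PEM}"
  file.crt: "${PCCS_CERT}"
---
# ClusterIP Service in front of the PCCS pod. Note that the selector keys off the
# `trustedservices.intel.com/cache` label, not the `app` label the Deployment
# itself selects on; both labels are set on the pod template below.
apiVersion: v1
kind: Service
metadata:
  name: pccs-service
  namespace: intel-dcap
spec:
  selector:
    trustedservices.intel.com/cache: pccs
  ports:
    - name: pccs
      protocol: TCP
      port: 8042
      targetPort: pccs-port
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pccs
  namespace: intel-dcap
spec:
  replicas: 1
  # The cache lives on a hostPath pinned to one node. A RollingUpdate would start
  # the replacement pod on that same node while the old one is still running, so
  # two PCCS instances would share the host cache directory (the volume name
  # suggests it holds the database). Recreate stops the old pod first.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app: pccs
  template:
    metadata:
      labels:
        app: pccs
        trustedservices.intel.com/cache: pccs
    spec:
      # PCCS talks to Intel's PCS (via CLUSTER_HTTPS_PROXY), not to the Kubernetes
      # API, so the pod does not need a projected service-account token.
      automountServiceAccountToken: false
      tolerations:
        - effect: NoSchedule
          key: node-role.kubernetes.io/master
          operator: Exists
      nodeSelector:
        # Quoted so a purely numeric hostname is not retyped by the YAML parser.
        kubernetes.io/hostname: "${PCCS_NODE}"
      initContainers:
        # Relabels the host cache directory so the (unprivileged w.r.t. SELinux)
        # main container can read/write it. Runs as root and privileged: chcon on
        # host-owned files needs the relabel permissions that only an unconfined
        # (privileged) container gets. This is the broadest grant in the manifest;
        # keep the init container minimal and review its image like any other
        # root-on-host component.
        # NOTE(review): this image is pinned by tag while the pccs image below is
        # pinned by digest — pin by digest here too once the digest is known.
        - name: init-seclabel
          image: registry.access.redhat.com/ubi9/ubi:9.7-1764578509
          command: ["sh", "-c", "chcon -Rt container_file_t /var/cache/pccs"]
          volumeMounts:
            - name: host-database
              mountPath: /var/cache/pccs
          securityContext:
            runAsUser: 0
            runAsGroup: 0
            privileged: true  # Required for chcon to relabel host files
      containers:
        - name: pccs
          image: registry.redhat.io/openshift-sandboxed-containers/osc-pccs@sha256:4ab19480b57d9356d9ca6cc57ae79d0f630820dcf2f7758acf3c110cd7325c58
          # `pccs-secrets` is not defined in this file; it must exist in the
          # namespace before the pod can start.
          envFrom:
            - secretRef:
                name: pccs-secrets
          env:
            - name: "PCCS_LOG_LEVEL"
              value: "info"
            - name: "CLUSTER_HTTPS_PROXY"
              value: "${CLUSTER_HTTPS_PROXY}"
            - name: "PCCS_FILL_MODE"
              value: "LAZY"
          ports:
            - containerPort: 8042
              name: pccs-port
          volumeMounts:
            - name: pccs-tls
              mountPath: /opt/intel/pccs/ssl_key
              readOnly: true
            - name: host-database
              mountPath: /var/cache/pccs/
          securityContext:
            # Root is kept because the container writes into a root-owned hostPath
            # directory; the relabel above is what makes that write succeed under
            # SELinux. 8042 is unprivileged, so no capability is needed for the
            # listener itself, and no setuid step is expected — forbid escalation.
            runAsUser: 0
            allowPrivilegeEscalation: false
      volumes:
        - name: pccs-tls
          secret:
            secretName: pccs-tls
            # Private key: owner-read only instead of the 0644 Secret default. The
            # container runs as root, which owns the projected files, so this does
            # not affect its ability to read them.
            defaultMode: 0400
        - name: host-database
          hostPath:
            path: /var/cache/pccs/
            type: DirectoryOrCreate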