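---
# Persistent storage for the CA's database directory (mounted at /step/db in
# the StatefulSet below via subPath "db"). ReadWriteOnce is sufficient because
# the StatefulSet runs a single replica.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: step-ca
  namespace: step-ca
  labels:
    app.kubernetes.io/name: step-ca
    app.kubernetes.io/component: step-ca
    app.kubernetes.io/instance: step-ca
    app.kubernetes.io/part-of: step-ca
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 1Gi
---
# Exposes the CA on port 32599 of every node's IP (NodePort). The container's
# health probe uses scheme HTTPS on the same port, so the node port carries
# TLS only; restrict reachability with network policy or host firewalling if
# the CA should not be reachable from every node network.
apiVersion: v1
kind: Service
metadata:
  name: step-ca
  namespace: step-ca
  labels:
    app.kubernetes.io/name: step-ca
    app.kubernetes.io/component: step-ca
    app.kubernetes.io/instance: step-ca
    app.kubernetes.io/part-of: step-ca
spec:
  type: NodePort
  ports:
    - name: step-ca
      port: 32599
      # targetPort defaults to port; stated explicitly so it matches the
      # containerPort declared in the StatefulSet.
      targetPort: 32599
      nodePort: 32599
  selector:
    app.kubernetes.io/name: step-ca
    app.kubernetes.io/component: step-ca
    app.kubernetes.io/instance: step-ca
---
# The CA itself. Expects the ConfigMaps "step-ca-config" and "step-ca-certs"
# and the Secret "step-ca" (CA password file) to already exist in the
# namespace; all three are mounted read-only.
apiVersion: apps/v1
kind: StatefulSet
metadata:
  name: step-ca
  namespace: step-ca
  labels:
    app.kubernetes.io/name: step-ca
    app.kubernetes.io/component: step-ca
    app.kubernetes.io/instance: step-ca
    app.kubernetes.io/part-of: step-ca
spec:
  serviceName: step-ca
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: step-ca
      app.kubernetes.io/component: step-ca
      app.kubernetes.io/instance: step-ca
  template:
    metadata:
      labels:
        app.kubernetes.io/name: step-ca
        app.kubernetes.io/component: step-ca
        app.kubernetes.io/instance: step-ca
    spec:
      # Avoids injecting every Service in the namespace as environment
      # variables into the CA container.
      enableServiceLinks: false
      securityContext:
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        # Makes the mounted ConfigMap/Secret/PVC files group-readable by the
        # CA's group.
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: step-ca
          # Pinned by tag; pinning by digest
          # (docker.io/smallstep/step-ca:0.25.0@sha256:<DIGEST_PLACEHOLDER>)
          # makes the pull immutable.
          image: docker.io/smallstep/step-ca:0.25.0
          workingDir: /step
          env:
            - name: CONFIGPATH
              value: /step/config/ca.json
            # Password file comes from the read-only "secrets" mount below.
            - name: PWDPATH
              value: /step/secrets/password
            - name: STEPPATH
              value: /step
          ports:
            - containerPort: 32599
              name: step-ca
          # Container-level hardening: 32599 is an unprivileged port and the
          # process runs as UID 1000, so no capabilities are required.
          # readOnlyRootFilesystem is deliberately not set here: confirm that
          # step-ca writes only under the mounted paths before enabling it.
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          # Probes are written out in full rather than via an anchor/merge key
          # so the manifest stays valid for tooling that does not expand
          # YAML 1.1 merge keys.
          readinessProbe:
            httpGet:
              port: 32599
              path: /health
              scheme: HTTPS
            failureThreshold: 3
            periodSeconds: 60
            successThreshold: 1
            timeoutSeconds: 1
          startupProbe:
            httpGet:
              port: 32599
              path: /health
              scheme: HTTPS
            # 30 x 3s = up to 90s for the CA to come up before the readiness
            # probe takes over.
            failureThreshold: 30
            periodSeconds: 3
            successThreshold: 1
            timeoutSeconds: 1
          volumeMounts:
            - mountPath: /step/certs
              name: certs
              readOnly: true
            - mountPath: /step/config
              name: config
              readOnly: true
            # The only writable mount: the CA database on the PVC.
            - mountPath: /step/db
              name: data
              subPath: db
            - mountPath: /step/secrets
              name: secrets
              readOnly: true
      volumes:
        - name: config
          configMap:
            name: step-ca-config
        - name: certs
          configMap:
            name: step-ca-certs
        - name: secrets
          secret:
            secretName: step-ca
        - name: data
          persistentVolumeClaim:
            claimName: step-ca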