deployment_template.yaml

apiVersion: v1
kind: ServiceAccount
metadata:
  name: hedgedemo
  # TODO: (optional) Update {project} to your project id.
  annotations:
    iam.gke.io/gcp-service-account: hedgedemo@{project}.iam.gserviceaccount.com

---

apiVersion: apps/v1
kind: Deployment
metadata:
  name: hedgedemo
spec:
  selector:
    matchLabels:
      app: hedgedemo
  replicas: 3
  revisionHistoryLimit: 5
  template:
    metadata:
      labels:
        app: hedgedemo
    spec:
      # This sample uses GKE's Workload Identity to authenticate against GCP services.
      # 'hedgedemo' service account here is mapped to a GCP's IAM service account
      # that has access to Spanner and PubSub.
      # If you're not using Workload Identity, you can also use a service account key
      # and set the GOOGLE_APPLICATION_CREDENTIALS environment variable.
      serviceAccountName: hedgedemo
      initContainers:
      - image: gcr.io/google.com/cloudsdktool/cloud-sdk:363.0.0-alpine
        name: workload-identity-initcontainer
        command:
        - '/bin/bash'
        - '-c'
        - |
          curl -s -H 'Metadata-Flavor: Google' 'http://169.254.169.254/computeMetadata/v1/instance/service-accounts/default/token' --retry 30 --retry-connrefused --retry-max-time 30 > /dev/null || exit 1
      containers:
      - name: hedgedemo
        image: quay.io/flowerinthenight/hedgedemo:v1.10.5
        imagePullPolicy: Always
        # TODO: Update as needed.
        args: ["-db=projects/{project}/instances/{instance}/databases/{database}"]
        env:
        # Downward value to get pod IP. We'll use this as our hedge instance id.
        - name: K8S_POD_IP
          valueFrom:
            fieldRef:
              fieldPath: status.podIP
        - name: GET_HOSTS_FROM
          value: dns
        # - name: GOOGLE_APPLICATION_CREDENTIALS
        #   value: /etc/svcacct.json
        ports:
        - containerPort: 8080
      # Uncomment the section below and the env variable above to use GOOGLE_APPLICATION_CREDENTIALS
      # for authentication. You can upload a service account JSON file thru:
      # kubectl create secret generic hedgedemo-keyfile --from-file svcacct.json
      #
      #   volumeMounts:
      #   - name: keyfile
      #     mountPath: "/etc/hedgedemo"
      #     readOnly: true
      # volumes:
      # - name: keyfile
      #   secret:
      #     secretName: hedgedemo-keyfile