apiVersion: apps/v1
kind: Deployment
metadata:
  name: vault
  namespace: vault
spec:
  replicas: 1
  selector:
    matchLabels:
      app: vault
  template:
    metadata:
      labels:
        app: vault
    spec:
      containers:
      - name: vault
        image: hashicorp/vault:1.16
        command: ["/bin/sh", "-c"]
        args:
          - |
            export VAULT_DISABLE_CHOWN=true;
            vault server -config=/vault/config/vault.hcl
        securityContext:
          runAsUser: 0
          capabilities:
            add: ["IPC_LOCK"]
        volumeMounts:
        - name: config
          mountPath: /vault/config
          readOnly: true
        - name: data
          mountPath: /vault/data
      volumes:
      - name: config
        configMap:
          name: vault-config
      - name: data
        persistentVolumeClaim:
          claimName: vault-data