fix(element-call): draft with lk-jwt

docs/modules/charts/nav.adoc

@@ -3,6 +3,7 @@
 ** xref:alertmanager-ntfy.adoc[alertmanager-ntfy]
 ** xref:authentik-application.adoc[authentik-application]
 ** xref:conduit.adoc[conduit]
+** xref:element-call.adoc[element-call]
 ** xref:forgejo-runner.adoc[forgejo-runner]
 ** xref:gotosocial.adoc[gotosocial]
 ** xref:grampsweb.adoc[grampsweb]

docs/modules/charts/pages/element-call.adoc

@@ -0,0 +1 @@
+../../../../element-call/README.adoc

element-call/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

element-call/Chart.yaml

@@ -0,0 +1,10 @@
+apiVersion: v2
+name: element-call
+description: Run Element-Call and his dependencies
+type: application
+version: 0.0.1
+# renovate: image=ghcr.io/element-hq/element-call
+appVersion: "0.5.18"
+maintainers:
+  - name: WrenIX
+    url: https://wrenix.eu

element-call/README.adoc

@@ -0,0 +1,357 @@
+
+
+= element-call
+
+image::https://img.shields.io/badge/Version-0.0.1-informational?style=flat-square[Version: 0.0.1]
+image::https://img.shields.io/badge/Version-application-informational?style=flat-square[Type: application]
+image::https://img.shields.io/badge/AppVersion-0.5.18-informational?style=flat-square[AppVersion: 0.5.18]
+== Maintainers
+
+.Maintainers
+|===
+| Name | Email | Url
+
+| WrenIX
+|
+| <https://wrenix.eu>
+|===
+
+== Usage
+
+Helm must be installed and setup to your kubernetes cluster to use the charts.
+Refer to Helm's https://helm.sh/docs[documentation] to get started.
+Once Helm has been set up correctly, fetch the charts as follows:
+
+[source,bash]
+----
+helm pull oci://codeberg.org/wrenix/helm-charts/element-call
+----
+
+You can install a chart release using the following command:
+
+[source,bash]
+----
+helm install element-call-release oci://codeberg.org/wrenix/helm-charts/element-call --values values.yaml
+----
+
+To uninstall a chart release use `helm`'s delete command:
+
+[source,bash]
+----
+helm uninstall element-call-release
+----
+
+== Values
+
+.Values
+|===
+| Key | Type | Default | Description
+
+| autoscaling.enabled
+| bool
+| `false`
+|
+
+| autoscaling.maxReplicas
+| int
+| `100`
+|
+
+| autoscaling.minReplicas
+| int
+| `1`
+|
+
+| autoscaling.targetCPUUtilizationPercentage
+| int
+| `80`
+|
+
+| fullnameOverride
+| string
+| `""`
+|
+
+| global.image.pullPolicy
+| string
+| `nil`
+| if set it will overwrite all pullPolicy
+
+| global.image.registry
+| string
+| `nil`
+| if set it will overwrite all registry entries
+
+| imagePullSecrets
+| list
+| `[]`
+|
+
+| ingress.annotations
+| object
+| `{}`
+|
+
+| ingress.className
+| string
+| `""`
+|
+
+| ingress.enabled
+| bool
+| `false`
+|
+
+| ingress.tls
+| list
+| `[]`
+|
+
+| nameOverride
+| string
+| `""`
+|
+
+| service.call.affinity
+| object
+| `{}`
+|
+
+| service.call.config
+| object
+| `{}`
+|
+
+| service.call.image.pullPolicy
+| string
+| `"IfNotPresent"`
+|
+
+| service.call.image.registry
+| string
+| `"ghcr.io"`
+|
+
+| service.call.image.repository
+| string
+| `"element-hq/element-call:v0.5.18"`
+|
+
+| service.call.image.tag
+| string
+| `nil`
+| Overrides the image tag whose default is the chart appVersion.
+
+| service.call.ingress.host
+| string
+| `nil`
+|
+
+| service.call.livenessProbe.httpGet.path
+| string
+| `"/"`
+|
+
+| service.call.livenessProbe.httpGet.port
+| string
+| `"http"`
+|
+
+| service.call.nodeSelector
+| object
+| `{}`
+|
+
+| service.call.podAnnotations
+| object
+| `{}`
+|
+
+| service.call.podLabels
+| object
+| `{}`
+|
+
+| service.call.podSecurityContext
+| object
+| `{}`
+|
+
+| service.call.readinessProbe.httpGet.path
+| string
+| `"/"`
+|
+
+| service.call.readinessProbe.httpGet.port
+| string
+| `"http"`
+|
+
+| service.call.replicaCount
+| int
+| `1`
+|
+
+| service.call.resources
+| object
+| `{}`
+|
+
+| service.call.securityContext
+| object
+| `{}`
+|
+
+| service.call.serviceAccount.annotations
+| object
+| `{}`
+|
+
+| service.call.serviceAccount.automount
+| bool
+| `true`
+|
+
+| service.call.serviceAccount.create
+| bool
+| `true`
+|
+
+| service.call.serviceAccount.name
+| string
+| `""`
+|
+
+| service.call.tolerations
+| list
+| `[]`
+|
+
+| service.lkJWT.affinity
+| object
+| `{}`
+|
+
+| service.lkJWT.config.key
+| string
+| `"devkey"`
+|
+
+| service.lkJWT.config.secret
+| string
+| `"secret"`
+|
+
+| service.lkJWT.config.url
+| string
+| `""`
+|
+
+| service.lkJWT.image.pullPolicy
+| string
+| `"IfNotPresent"`
+|
+
+| service.lkJWT.image.registry
+| string
+| `"ghcr.io"`
+|
+
+| service.lkJWT.image.repository
+| string
+| `"element-hq/lk-jwt-service"`
+|
+
+| service.lkJWT.image.tag
+| string
+| `"sha-4a29504"`
+|
+
+| service.lkJWT.ingress.host
+| string
+| `nil`
+|
+
+| service.lkJWT.livenessProbe.httpGet.path
+| string
+| `"/healthz"`
+|
+
+| service.lkJWT.livenessProbe.httpGet.port
+| string
+| `"http"`
+|
+
+| service.lkJWT.nodeSelector
+| object
+| `{}`
+|
+
+| service.lkJWT.podAnnotations
+| object
+| `{}`
+|
+
+| service.lkJWT.podLabels
+| object
+| `{}`
+|
+
+| service.lkJWT.podSecurityContext
+| object
+| `{}`
+|
+
+| service.lkJWT.readinessProbe.httpGet.path
+| string
+| `"/healthz"`
+|
+
+| service.lkJWT.readinessProbe.httpGet.port
+| string
+| `"http"`
+|
+
+| service.lkJWT.replicaCount
+| int
+| `1`
+|
+
+| service.lkJWT.resources
+| object
+| `{}`
+|
+
+| service.lkJWT.securityContext
+| object
+| `{}`
+|
+
+| service.lkJWT.serviceAccount.annotations
+| object
+| `{}`
+|
+
+| service.lkJWT.serviceAccount.automount
+| bool
+| `true`
+|
+
+| service.lkJWT.serviceAccount.create
+| bool
+| `true`
+|
+
+| service.lkJWT.serviceAccount.name
+| string
+| `""`
+|
+
+| service.lkJWT.tolerations
+| list
+| `[]`
+|
+|===
+
+Autogenerated from chart metadata using https://github.com/norwoodj/helm-docs[helm-docs]
+

element-call/_docs.gotmpl

@@ -0,0 +1 @@
+

element-call/templates/_helpers.tpl

@@ -0,0 +1,70 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "element-call.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "element-call.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "element-call.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "element-call.labels" -}}
+helm.sh/chart: {{ include "element-call.chart" . }}
+{{ include "element-call.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "element-call.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "element-call.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+{{/*
+Create the name of the service account to use
+*/}}
+{{- define "element-call.serviceAccountName" -}}
+{{- $ := get . "root" }}
+{{- $suffix := get . "suffix" }}
+{{- with get . "ctx" }}
+{{- if .serviceAccount.create }}
+{{- if $suffix }}
+{{- default (printf "%s-%s" (include "element-call.fullname" $) $suffix) .serviceAccount.name }}
+{{- else }}
+{{- default (include "element-call.fullname" $) .serviceAccount.name }}
+{{- end }}
+{{- else }}
+{{- default "default" .serviceAccount.name }}
+{{- end }}
+{{- end }}
+{{- end }}

element-call/templates/configmap.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "element-call.fullname" . }}
+  labels:
+    {{- include "element-call.labels" . | nindent 4 }}
+data:
+  "config.json": |
+    {{- toJson .Values.service.call.config | nindent 4 }} 

element-call/templates/deployment.yaml

@@ -0,0 +1,76 @@
+{{- $fullName := include "element-call.fullname" . -}}
+{{- with .Values.service.call }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: call
+spec:
+  {{- if not $.Values.autoscaling.enabled }}
+  replicas: {{ .replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "element-call.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: call
+  template:
+    metadata:
+      {{- with .podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "element-call.labels" $ | nindent 8 }}
+        app.kubernetes.io/component: call
+        {{- with .podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with $.Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" .) }}
+      securityContext:
+        {{- toYaml .podSecurityContext | nindent 8 }}
+      containers:
+        - name: call
+          securityContext:
+            {{- toYaml .securityContext | nindent 12 }}
+          {{- with .image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag | default (printf "v%s" $.Chart.AppVersion) }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: /app/config.json
+              name: config
+              subPath: config.json
+      volumes:
+        - name: config
+          configMap:
+            name: {{ $fullName }}
+      {{- with .nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}{{/* end-with .service.call */}}

element-call/templates/hpa.yaml

@@ -0,0 +1,32 @@
+{{- if .Values.autoscaling.enabled }}
+apiVersion: autoscaling/v2
+kind: HorizontalPodAutoscaler
+metadata:
+  name: {{ include "element-call.fullname" . }}
+  labels:
+    {{- include "element-call.labels" . | nindent 4 }}
+spec:
+  scaleTargetRef:
+    apiVersion: apps/v1
+    kind: Deployment
+    name: {{ include "element-call.fullname" . }}
+  minReplicas: {{ .Values.autoscaling.minReplicas }}
+  maxReplicas: {{ .Values.autoscaling.maxReplicas }}
+  metrics:
+    {{- if .Values.autoscaling.targetCPUUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetCPUUtilizationPercentage }}
+    {{- end }}
+    {{- if .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    - type: Resource
+      resource:
+        name: memory
+        target:
+          type: Utilization
+          averageUtilization: {{ .Values.autoscaling.targetMemoryUtilizationPercentage }}
+    {{- end }}
+{{- end }}

element-call/templates/ingress.yaml

@@ -0,0 +1,42 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "element-call.fullname" . -}}
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ $fullName }}
+  labels:
+    {{- include "element-call.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- with .Values.ingress.className }}
+  ingressClassName: {{ . }}
+  {{- end }}
+  {{- with .Values.ingress.tls }}
+  tls:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+  rules:
+    - host: {{ .Values.service.call.ingress.host | quote }}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: {{ $fullName }}
+                port:
+                  name: http
+    - host: {{ .Values.service.lkJWT.ingress.host | quote }}
+      http:
+        paths:
+          - path: /sfu/get
+            pathType: Exactly
+            backend:
+              service:
+                name: {{ $fullName }}-lk-jwt
+                port:
+                  name: http
+{{- end }}

element-call/templates/lk-jwt/deployment.yaml

@@ -0,0 +1,76 @@
+{{- $fullName := include "element-call.fullname" . -}}
+{{- with .Values.service.lkJWT }}
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: {{ $fullName }}-lk-jwt
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+    app.kubernetes.io/component: lk-jwt
+spec:
+  {{- if not $.Values.autoscaling.enabled }}
+  replicas: {{ .replicaCount }}
+  {{- end }}
+  selector:
+    matchLabels:
+      {{- include "element-call.selectorLabels" $ | nindent 6 }}
+      app.kubernetes.io/component: lk-jwt
+  template:
+    metadata:
+      {{- with .podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "element-call.labels" $ | nindent 8 }}
+        app.kubernetes.io/component: lk-jwt
+        {{- with .podLabels }}
+        {{- toYaml . | nindent 8 }}
+        {{- end }}
+    spec:
+      {{- with $.Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      serviceAccountName: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" . "suffix" "lk-jwt") }}
+      securityContext:
+        {{- toYaml .podSecurityContext | nindent 8 }}
+      containers:
+        - name: lk-jwt
+          securityContext:
+            {{- toYaml .securityContext | nindent 12 }}
+          {{- with .image }}
+          image: "{{ coalesce $.Values.global.image.registry .registry }}/{{ .repository }}:{{ .tag }}"
+          imagePullPolicy: {{ coalesce $.Values.global.image.pullPolicy .pullPolicy }}
+          {{- end }}
+          env:
+            - name: "LK_JWT_PORT"
+              value: "8080"
+            - name: "LIVEKIT_URL"
+              value: {{ .config.url }}
+          envFrom:
+            - secretRef:
+                name: {{ $fullName }}-lk-jwt
+          ports:
+            - name: http
+              containerPort: 8080
+              protocol: TCP
+          livenessProbe:
+            {{- toYaml .livenessProbe | nindent 12 }}
+          readinessProbe:
+            {{- toYaml .readinessProbe | nindent 12 }}
+          resources:
+            {{- toYaml .resources | nindent 12 }}
+      {{- with .nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+{{- end }}{{/* end-with .Values.service.lkJWT */}}

element-call/templates/lk-jwt/secret.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ include "element-call.fullname" . }}-lk-jwt
+  labels:
+    {{- include "element-call.labels" . | nindent 4 }}
+data:
+  {{- with .Values.service.lkJWT.config }}
+  LIVEKIT_KEY: {{ .key | b64enc }}
+  LIVEKIT_SECRET: {{ .secret | b64enc }}
+  {{- end }}

element-call/templates/lk-jwt/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "element-call.fullname" . }}-lk-jwt
+  labels:
+    {{- include "element-call.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "element-call.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: lk-jwt

element-call/templates/lk-jwt/serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- with .Values.service.lkJWT }}
+{{- if .serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" . "suffix" "lk-jwt") }}
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+  {{- with .serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .serviceAccount.automount }}
+{{- end }}
+{{- end }}

element-call/templates/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "element-call.fullname" . }}
+  labels:
+    {{- include "element-call.labels" . | nindent 4 }}
+spec:
+  type: ClusterIP
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+  selector:
+    {{- include "element-call.selectorLabels" . | nindent 4 }}
+    app.kubernetes.io/component: call

element-call/templates/serviceaccount.yaml

@@ -0,0 +1,15 @@
+{{- with .Values.service.call }}
+{{- if .serviceAccount.create -}}
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: {{ include "element-call.serviceAccountName" (dict "root" $ "ctx" . "suffix" "") }}
+  labels:
+    {{- include "element-call.labels" $ | nindent 4 }}
+  {{- with .serviceAccount.annotations }}
+  annotations:
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+automountServiceAccountToken: {{ .serviceAccount.automount }}
+{{- end }}
+{{- end }}

element-call/values.yaml

@@ -0,0 +1,127 @@
+global:
+  image:
+    # -- if set it will overwrite all registry entries
+    registry:
+    # -- if set it will overwrite all pullPolicy
+    pullPolicy:  
+
+imagePullSecrets: []
+nameOverride: ""
+fullnameOverride: ""
+
+
+
+ingress:
+  enabled: false
+  className: ""
+  annotations: {}
+  tls: []
+  #  - secretName: chart-example-tls
+  #    hosts:
+  #      - chart-example.local
+
+autoscaling:
+  enabled: false
+  minReplicas: 1
+  maxReplicas: 100
+  targetCPUUtilizationPercentage: 80
+  # targetMemoryUtilizationPercentage: 80
+
+service:
+  call:
+    replicaCount: 1
+    image:
+      registry: ghcr.io
+      repository: element-hq/element-call
+      pullPolicy: IfNotPresent
+      # -- Overrides the image tag whose default is the chart appVersion.
+      tag:
+    config: {}
+    ingress:
+      host:
+    livenessProbe:
+      httpGet:
+        path: /
+        port: http
+    readinessProbe:
+      httpGet:
+        path: /
+        port: http
+    resources: {}
+    serviceAccount:
+      # Specifies whether a service account should be created
+      create: true
+      # Automatically mount a ServiceAccount's API credentials?
+      automount: true
+      # Annotations to add to the service account
+      annotations: {}
+      # The name of the service account to use.
+      # If not set and create is true, a name is generated using the fullname template
+      name: ""
+
+    podAnnotations: {}
+    podLabels: {}
+
+    podSecurityContext: {}
+      # fsGroup: 2000
+
+    securityContext: {}
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}
+
+  lkJWT:
+    replicaCount: 1
+    image:
+      registry: ghcr.io
+      repository: element-hq/lk-jwt-service
+      pullPolicy: IfNotPresent
+      tag: sha-4a29504
+    config:
+      url: ""
+      key: "devkey"
+      secret: "secret"
+    ingress:
+      host:
+    livenessProbe:
+      httpGet:
+        path: /healthz
+        port: http
+    readinessProbe:
+      httpGet:
+        path: /healthz
+        port: http
+    resources: {}
+    serviceAccount:
+      # Specifies whether a service account should be created
+      create: true
+      # Automatically mount a ServiceAccount's API credentials?
+      automount: true
+      # Annotations to add to the service account
+      annotations: {}
+      # The name of the service account to use.
+      # If not set and create is true, a name is generated using the fullname template
+      name: ""
+
+    podAnnotations: {}
+    podLabels: {}
+
+    podSecurityContext: {}
+      # fsGroup: 2000
+
+    securityContext: {}
+      # capabilities:
+      #   drop:
+      #   - ALL
+      # readOnlyRootFilesystem: true
+      # runAsNonRoot: true
+      # runAsUser: 1000
+    nodeSelector: {}
+    tolerations: []
+    affinity: {}